From 33783f250ef9ae8e6ef791c59e57b4c5f1b70e53 Mon Sep 17 00:00:00 2001 From: Rhys Weatherley Date: Sat, 14 Mar 2020 15:17:26 +1000 Subject: [PATCH] rhys --- ace/Implementations/crypto_aead/aceae128v1/rhys/ace.c | 339 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ace/Implementations/crypto_aead/aceae128v1/rhys/ace.h | 197 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ace/Implementations/crypto_aead/aceae128v1/rhys/api.h | 5 +++++ ace/Implementations/crypto_aead/aceae128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.c | 408 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.h | 169 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ace/Implementations/crypto_aead/aceae128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/rhys/api.h | 5 +++++ ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.c | 383 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.h | 408 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.h | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/rhys/api.h | 5 +++++ ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.c | 383 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.h | 408 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.h | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/rhys/api.h | 5 +++++ ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.c | 383 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.h | 408 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.h | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet128chamv1/rhys/api.h | 5 +++++ comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.c | 607 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.h | 274 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet128chamv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.c | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64chamv1/rhys/api.h | 5 +++++ comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.c | 607 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.h | 274 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64chamv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.c | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64speckv1/rhys/api.h | 5 +++++ comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.c | 607 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.h | 274 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64speckv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.c | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon128/rhys/api.h | 5 +++++ drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.c | 421 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.h | 264 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon128/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.c | 600 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.h | 345 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon256/rhys/api.h | 5 +++++ drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.c | 421 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.h | 264 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon256/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.c | 600 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.h | 345 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/LWC_AEAD_KAT_128_96.txt | 7623 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/ref/LWC_AEAD_KAT_128_96.txt | 7623 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/api.h | 5 +++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.c | 881 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.h | 291 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.c | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.h | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.c | 346 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.h | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/LWC_AEAD_KAT_128_96.txt | 7623 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/ref/LWC_AEAD_KAT_128_96.txt | 7623 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/api.h | 5 +++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.c | 881 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.h | 291 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.c | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.h | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.c | 346 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.h | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/LWC_AEAD_KAT_128_96.txt | 7623 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/ref/LWC_AEAD_KAT_128_96.txt | 7623 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/api.h | 5 +++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.c | 881 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.h | 291 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.c | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.h | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.c | 346 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.h | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ estate/Implementations/crypto_aead/estatetwegift128v1/rhys/api.h | 5 +++++ estate/Implementations/crypto_aead/estatetwegift128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.c | 196 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.h | 137 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.c | 849 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/api.h | 5 +++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.c | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.h | 551 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-paef.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-saef.h | 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.c | 988 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.h | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/api.h | 5 +++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.c | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.h | 551 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-paef.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-saef.h | 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.c | 988 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.h | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/api.h | 5 +++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.c | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.h | 551 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-paef.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-saef.h | 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.c | 988 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.h | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/api.h | 5 +++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.c | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.h | 551 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-paef.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-saef.h | 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.c | 988 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.h | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/api.h | 5 +++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.c | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.h | 551 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-paef.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-saef.h | 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.c | 988 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.h | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/api.h | 5 +++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.c | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.h | 551 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-paef.h | 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-saef.h | 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.c | 988 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.h | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/api.h | 5 +++++ gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.c | 407 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.h | 127 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.c | 849 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gimli/Implementations/crypto_aead/gimli24v1/rhys/api.h | 5 +++++ gimli/Implementations/crypto_aead/gimli24v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.c | 330 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.h | 220 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.h | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ grain-128aead/Implementations/crypto_aead/grain128aead/rhys/api.h | 5 +++++ grain-128aead/Implementations/crypto_aead/grain128aead/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.c | 151 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.h | 125 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.c | 411 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.h | 113 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ hyena/Implementations/crypto_aead/hyenav1/rhys/api.h | 5 +++++ hyena/Implementations/crypto_aead/hyenav1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.c | 283 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.h | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.c | 849 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ hyena/Implementations/crypto_aead/hyenav1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/LWC_AEAD_KAT_128_128.txt | 7623 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/ref/LWC_AEAD_KAT_128_128.txt | 7623 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/api.h | 5 +++++ isap/Implementations/crypto_aead/isapa128av20/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.h | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/internal-isap.h | 249 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.c | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.h | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/isap.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128av20/rhys/isap.h | 330 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/LWC_AEAD_KAT_128_128.txt | 7623 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/ref/LWC_AEAD_KAT_128_128.txt | 7623 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/api.h | 5 +++++ isap/Implementations/crypto_aead/isapa128v20/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.h | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/internal-isap.h | 249 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.c | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.h | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/isap.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapa128v20/rhys/isap.h | 330 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/LWC_AEAD_KAT_128_128.txt | 7623 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/ref/LWC_AEAD_KAT_128_128.txt | 7623 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/api.h | 5 +++++ isap/Implementations/crypto_aead/isapk128av20/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.h | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/internal-isap.h | 249 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.c | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.h | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/isap.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128av20/rhys/isap.h | 330 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/LWC_AEAD_KAT_128_128.txt | 7623 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/ref/LWC_AEAD_KAT_128_128.txt | 7623 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/api.h | 5 +++++ isap/Implementations/crypto_aead/isapk128v20/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.h | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/internal-isap.h | 249 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.c | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.h | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/isap.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ isap/Implementations/crypto_aead/isapk128v20/rhys/isap.h | 330 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v1/rhys/api.h | 5 +++++ knot/Implementations/crypto_aead/knot128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.c | 297 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.h | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v1/rhys/knot-aead.c | 503 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v1/rhys/knot.h | 459 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v2/rhys/api.h | 5 +++++ knot/Implementations/crypto_aead/knot128v2/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.c | 297 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.h | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v2/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v2/rhys/knot-aead.c | 503 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot128v2/rhys/knot.h | 459 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot192/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot192/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot192/rhys/api.h | 5 +++++ knot/Implementations/crypto_aead/knot192/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot192/rhys/internal-knot.c | 297 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot192/rhys/internal-knot.h | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot192/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot192/rhys/knot-aead.c | 503 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot192/rhys/knot.h | 459 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot256/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot256/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot256/rhys/api.h | 5 +++++ knot/Implementations/crypto_aead/knot256/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot256/rhys/internal-knot.c | 297 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot256/rhys/internal-knot.h | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot256/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot256/rhys/knot-aead.c | 503 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ knot/Implementations/crypto_aead/knot256/rhys/knot.h | 459 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/api.h | 5 +++++ lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.c | 745 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.h | 194 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.c | 436 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.h | 223 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/api.h | 5 +++++ lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.c | 745 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.h | 194 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.c | 436 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.h | 223 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ orange/Implementations/crypto_aead/orangezestv1/rhys/api.h | 5 +++++ orange/Implementations/crypto_aead/orangezestv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.c | 479 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.h | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ orange/Implementations/crypto_aead/orangezestv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ orange/Implementations/crypto_aead/orangezestv1/rhys/orange.c | 384 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ orange/Implementations/crypto_aead/orangezestv1/rhys/orange.h | 153 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida192v12/rhys/api.h | 5 +++++ oribatida/Implementations/crypto_aead/oribatida192v12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.h | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.c | 480 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.h | 212 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida256v12/rhys/api.h | 5 +++++ oribatida/Implementations/crypto_aead/oribatida256v12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.h | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.c | 480 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.h | 212 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/api.h | 5 +++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.c | 479 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.h | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.c | 451 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.h | 224 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/api.h | 5 +++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.c | 479 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.h | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.c | 451 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.h | 224 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/api.h | 5 +++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-ocb.h | 335 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.c | 305 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.h | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask-128.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask.h | 335 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/api.h | 5 +++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-ocb.h | 335 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.c | 305 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.h | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask-96.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask.h | 335 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/api.h | 5 +++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.c | 1963 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.h | 476 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/api.h | 5 +++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.c | 1963 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.h | 476 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/api.h | 5 +++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.c | 1963 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.h | 476 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/api.h | 5 +++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.c | 1963 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.h | 476 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/api.h | 5 +++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.c | 1963 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.h | 476 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/api.h | 5 +++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.c | 1963 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.h | 476 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/api.h | 5 +++++ saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.c | 781 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.h | 270 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninshortv2/rhys/api.h | 5 +++++ saturnin/Implementations/crypto_aead/saturninshortv2/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninshortv2/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.c | 781 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.h | 270 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/api.h | 5 +++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.c | 803 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.h | 518 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/api.h | 5 +++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.c | 803 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.h | 518 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/api.h | 5 +++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.c | 803 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.h | 518 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/api.h | 5 +++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.c | 803 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.h | 518 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/api.h | 5 +++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.c | 803 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.h | 518 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/api.h | 5 +++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.c | 811 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.h | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinnyutil.h | 328 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.c | 803 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.h | 518 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/api.h | 5 +++++ sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.c | 366 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.h | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.c | 1123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.h | 515 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/api.h | 5 +++++ sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.c | 366 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.h | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.c | 1123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.h | 515 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/api.h | 5 +++++ sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.c | 366 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.h | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.c | 1123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.h | 515 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/api.h | 5 +++++ sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.c | 366 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.h | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.c | 1123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.h | 515 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spix/Implementations/crypto_aead/spix128v1/rhys/api.h | 5 +++++ spix/Implementations/crypto_aead/spix128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.c | 408 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.h | 169 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spix/Implementations/crypto_aead/spix128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spix/Implementations/crypto_aead/spix128v1/rhys/spix.c | 211 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spix/Implementations/crypto_aead/spix128v1/rhys/spix.h | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/api.h | 5 +++++ spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.c | 408 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.h | 169 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.c | 406 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.h | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/api.h | 5 +++++ spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.c | 408 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.h | 169 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.c | 406 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.h | 204 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu384v1/rhys/api.h | 5 +++++ spook/Implementations/crypto_aead/spook128mu384v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.c | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.h | 146 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.c | 552 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.h | 344 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu512v1/rhys/api.h | 5 +++++ spook/Implementations/crypto_aead/spook128mu512v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.c | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.h | 146 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.c | 552 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.h | 344 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su384v1/rhys/api.h | 5 +++++ spook/Implementations/crypto_aead/spook128su384v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.c | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.h | 146 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.c | 552 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.h | 344 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su512v1/rhys/api.h | 5 +++++ spook/Implementations/crypto_aead/spook128su512v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.c | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.h | 146 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.c | 552 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.h | 344 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ subterranean/Implementations/crypto_aead/subterraneanv1/rhys/api.h | 5 +++++ subterranean/Implementations/crypto_aead/subterraneanv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.c | 441 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.h | 144 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.c | 228 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.h | 200 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/api.h | 5 +++++ sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.c | 849 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.c | 358 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.h | 341 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/api.h | 5 +++++ sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.c | 849 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.c | 358 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.h | 341 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/api.h | 5 +++++ sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.c | 849 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.c | 358 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.h | 341 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/api.h | 5 +++++ sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.c | 849 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.h | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.c | 358 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.h | 341 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/api.h | 5 +++++ tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.h | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.c | 487 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.h | 270 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/api.h | 5 +++++ tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.h | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.c | 487 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.h | 270 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/api.h | 5 +++++ tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.h | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.c | 487 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.h | 270 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ wage/Implementations/crypto_aead/wageae128v1/rhys/api.h | 5 +++++ wage/Implementations/crypto_aead/wageae128v1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ wage/Implementations/crypto_aead/wageae128v1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.c | 512 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.h | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ wage/Implementations/crypto_aead/wageae128v1/rhys/wage.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ wage/Implementations/crypto_aead/wageae128v1/rhys/wage.h | 127 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.h | 256 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/api.h | 5 +++++ xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/encrypt.c | 26 ++++++++++++++++++++++++++ xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-util.h | 557 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.c | 162 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.h | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.c | 321 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.h | 226 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 735 files changed, 253761 insertions(+), 53361 deletions(-) create mode 100644 ace/Implementations/crypto_aead/aceae128v1/rhys/ace.c create mode 100644 ace/Implementations/crypto_aead/aceae128v1/rhys/ace.h create mode 100644 ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.c create mode 100644 ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.h create mode 100644 ace/Implementations/crypto_aead/aceae128v1/rhys/api.h create mode 100644 ace/Implementations/crypto_aead/aceae128v1/rhys/encrypt.c create mode 100644 ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.c create mode 100644 ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.h create mode 100644 ace/Implementations/crypto_aead/aceae128v1/rhys/internal-util.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/rhys/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/rhys/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.c create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-util.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/rhys/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/rhys/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.c create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-util.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/rhys/api.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/rhys/encrypt.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.c create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.h create mode 100644 ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-util.h create mode 100644 comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.c create mode 100644 comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.h create mode 100644 comet/Implementations/crypto_aead/comet128chamv1/rhys/api.h create mode 100644 comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.c create mode 100644 comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.h create mode 100644 comet/Implementations/crypto_aead/comet128chamv1/rhys/encrypt.c create mode 100644 comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.c create mode 100644 comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.h create mode 100644 comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-util.h create mode 100644 comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.c create mode 100644 comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.h create mode 100644 comet/Implementations/crypto_aead/comet64chamv1/rhys/api.h create mode 100644 comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.c create mode 100644 comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.h create mode 100644 comet/Implementations/crypto_aead/comet64chamv1/rhys/encrypt.c create mode 100644 comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.c create mode 100644 comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.h create mode 100644 comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-util.h create mode 100644 comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.c create mode 100644 comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.h create mode 100644 comet/Implementations/crypto_aead/comet64speckv1/rhys/api.h create mode 100644 comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.c create mode 100644 comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.h create mode 100644 comet/Implementations/crypto_aead/comet64speckv1/rhys/encrypt.c create mode 100644 comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.c create mode 100644 comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.h create mode 100644 comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-util.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.c create mode 100644 drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon128/rhys/api.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.c create mode 100644 drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon128/rhys/encrypt.c create mode 100644 drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.c create mode 100644 drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-util.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.c create mode 100644 drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon256/rhys/api.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.c create mode 100644 drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon256/rhys/encrypt.c create mode 100644 drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.c create mode 100644 drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.h create mode 100644 drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-util.h create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/LWC_AEAD_KAT_128_96.txt delete mode 100644 elephant/Implementations/crypto_aead/elephant160v1/ref/LWC_AEAD_KAT_128_96.txt create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.c create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.h create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/api.h create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.c create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.h create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/encrypt.c create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.c create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.h create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.c create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.h create mode 100644 elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-util.h create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/LWC_AEAD_KAT_128_96.txt delete mode 100644 elephant/Implementations/crypto_aead/elephant176v1/ref/LWC_AEAD_KAT_128_96.txt create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.c create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.h create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/api.h create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.c create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.h create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/encrypt.c create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.c create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.h create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.c create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.h create mode 100644 elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-util.h create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/LWC_AEAD_KAT_128_96.txt delete mode 100644 elephant/Implementations/crypto_aead/elephant200v1/ref/LWC_AEAD_KAT_128_96.txt create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.c create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.h create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/api.h create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.c create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.h create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/encrypt.c create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.c create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.h create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.c create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.h create mode 100644 elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-util.h create mode 100644 estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.c create mode 100644 estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.h create mode 100644 estate/Implementations/crypto_aead/estatetwegift128v1/rhys/api.h create mode 100644 estate/Implementations/crypto_aead/estatetwegift128v1/rhys/encrypt.c create mode 100644 estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.c create mode 100644 estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.h create mode 100644 estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.c create mode 100644 estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.h create mode 100644 estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-util.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/api.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/encrypt.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-paef.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-saef.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-skinnyutil.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-util.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/api.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/encrypt.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-paef.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-saef.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-skinnyutil.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-util.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/api.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/encrypt.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-paef.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-saef.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-skinnyutil.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-util.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/api.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/encrypt.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-paef.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-saef.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.c create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-skinnyutil.h create mode 100644 forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-util.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.c create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/api.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/encrypt.c create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.c create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-paef.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-saef.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.c create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-skinnyutil.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-util.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.c create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/api.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/encrypt.c create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.c create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-paef.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-saef.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.c create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-skinnyutil.h create mode 100644 forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-util.h create mode 100644 gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.c create mode 100644 gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.h create mode 100644 gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/api.h create mode 100644 gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/encrypt.c create mode 100644 gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.c create mode 100644 gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.h create mode 100644 gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.c create mode 100644 gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.h create mode 100644 gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-util.h create mode 100644 gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.c create mode 100644 gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.h create mode 100644 gimli/Implementations/crypto_aead/gimli24v1/rhys/api.h create mode 100644 gimli/Implementations/crypto_aead/gimli24v1/rhys/encrypt.c create mode 100644 gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.c create mode 100644 gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.h create mode 100644 gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.c create mode 100644 gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.h create mode 100644 gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-util.h create mode 100644 grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.c create mode 100644 grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.h create mode 100644 grain-128aead/Implementations/crypto_aead/grain128aead/rhys/api.h create mode 100644 grain-128aead/Implementations/crypto_aead/grain128aead/rhys/encrypt.c create mode 100644 grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.c create mode 100644 grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.h create mode 100644 grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.c create mode 100644 grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.h create mode 100644 grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-util.h create mode 100644 hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.c create mode 100644 hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.h create mode 100644 hyena/Implementations/crypto_aead/hyenav1/rhys/api.h create mode 100644 hyena/Implementations/crypto_aead/hyenav1/rhys/encrypt.c create mode 100644 hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.c create mode 100644 hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.h create mode 100644 hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.c create mode 100644 hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.h create mode 100644 hyena/Implementations/crypto_aead/hyenav1/rhys/internal-util.h create mode 100644 isap/Implementations/crypto_aead/isapa128av20/LWC_AEAD_KAT_128_128.txt delete mode 100644 isap/Implementations/crypto_aead/isapa128av20/ref/LWC_AEAD_KAT_128_128.txt create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.c create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.h create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/api.h create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/encrypt.c create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.c create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.h create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/internal-isap.h create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.c create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.h create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/internal-util.h create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/isap.c create mode 100644 isap/Implementations/crypto_aead/isapa128av20/rhys/isap.h create mode 100644 isap/Implementations/crypto_aead/isapa128v20/LWC_AEAD_KAT_128_128.txt delete mode 100644 isap/Implementations/crypto_aead/isapa128v20/ref/LWC_AEAD_KAT_128_128.txt create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.c create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.h create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/api.h create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/encrypt.c create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.c create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.h create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/internal-isap.h create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.c create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.h create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/internal-util.h create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/isap.c create mode 100644 isap/Implementations/crypto_aead/isapa128v20/rhys/isap.h create mode 100644 isap/Implementations/crypto_aead/isapk128av20/LWC_AEAD_KAT_128_128.txt delete mode 100644 isap/Implementations/crypto_aead/isapk128av20/ref/LWC_AEAD_KAT_128_128.txt create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.c create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.h create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/api.h create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/encrypt.c create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.c create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.h create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/internal-isap.h create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.c create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.h create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/internal-util.h create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/isap.c create mode 100644 isap/Implementations/crypto_aead/isapk128av20/rhys/isap.h create mode 100644 isap/Implementations/crypto_aead/isapk128v20/LWC_AEAD_KAT_128_128.txt delete mode 100644 isap/Implementations/crypto_aead/isapk128v20/ref/LWC_AEAD_KAT_128_128.txt create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.c create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.h create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/api.h create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/encrypt.c create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.c create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.h create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/internal-isap.h create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.c create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.h create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/internal-util.h create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/isap.c create mode 100644 isap/Implementations/crypto_aead/isapk128v20/rhys/isap.h create mode 100644 knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.c create mode 100644 knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.h create mode 100644 knot/Implementations/crypto_aead/knot128v1/rhys/api.h create mode 100644 knot/Implementations/crypto_aead/knot128v1/rhys/encrypt.c create mode 100644 knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.c create mode 100644 knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.h create mode 100644 knot/Implementations/crypto_aead/knot128v1/rhys/internal-util.h create mode 100644 knot/Implementations/crypto_aead/knot128v1/rhys/knot-aead.c create mode 100644 knot/Implementations/crypto_aead/knot128v1/rhys/knot.h create mode 100644 knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.c create mode 100644 knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.h create mode 100644 knot/Implementations/crypto_aead/knot128v2/rhys/api.h create mode 100644 knot/Implementations/crypto_aead/knot128v2/rhys/encrypt.c create mode 100644 knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.c create mode 100644 knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.h create mode 100644 knot/Implementations/crypto_aead/knot128v2/rhys/internal-util.h create mode 100644 knot/Implementations/crypto_aead/knot128v2/rhys/knot-aead.c create mode 100644 knot/Implementations/crypto_aead/knot128v2/rhys/knot.h create mode 100644 knot/Implementations/crypto_aead/knot192/rhys/aead-common.c create mode 100644 knot/Implementations/crypto_aead/knot192/rhys/aead-common.h create mode 100644 knot/Implementations/crypto_aead/knot192/rhys/api.h create mode 100644 knot/Implementations/crypto_aead/knot192/rhys/encrypt.c create mode 100644 knot/Implementations/crypto_aead/knot192/rhys/internal-knot.c create mode 100644 knot/Implementations/crypto_aead/knot192/rhys/internal-knot.h create mode 100644 knot/Implementations/crypto_aead/knot192/rhys/internal-util.h create mode 100644 knot/Implementations/crypto_aead/knot192/rhys/knot-aead.c create mode 100644 knot/Implementations/crypto_aead/knot192/rhys/knot.h create mode 100644 knot/Implementations/crypto_aead/knot256/rhys/aead-common.c create mode 100644 knot/Implementations/crypto_aead/knot256/rhys/aead-common.h create mode 100644 knot/Implementations/crypto_aead/knot256/rhys/api.h create mode 100644 knot/Implementations/crypto_aead/knot256/rhys/encrypt.c create mode 100644 knot/Implementations/crypto_aead/knot256/rhys/internal-knot.c create mode 100644 knot/Implementations/crypto_aead/knot256/rhys/internal-knot.h create mode 100644 knot/Implementations/crypto_aead/knot256/rhys/internal-util.h create mode 100644 knot/Implementations/crypto_aead/knot256/rhys/knot-aead.c create mode 100644 knot/Implementations/crypto_aead/knot256/rhys/knot.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.c create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/api.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/encrypt.c create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.c create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-util.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.c create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.c create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/api.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/encrypt.c create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.c create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-util.h create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.c create mode 100644 lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.h create mode 100644 orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.c create mode 100644 orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.h create mode 100644 orange/Implementations/crypto_aead/orangezestv1/rhys/api.h create mode 100644 orange/Implementations/crypto_aead/orangezestv1/rhys/encrypt.c create mode 100644 orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.c create mode 100644 orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.h create mode 100644 orange/Implementations/crypto_aead/orangezestv1/rhys/internal-util.h create mode 100644 orange/Implementations/crypto_aead/orangezestv1/rhys/orange.c create mode 100644 orange/Implementations/crypto_aead/orangezestv1/rhys/orange.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.c create mode 100644 oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida192v12/rhys/api.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida192v12/rhys/encrypt.c create mode 100644 oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.c create mode 100644 oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-util.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.c create mode 100644 oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.c create mode 100644 oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida256v12/rhys/api.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida256v12/rhys/encrypt.c create mode 100644 oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.c create mode 100644 oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-util.h create mode 100644 oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.c create mode 100644 oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.c create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/api.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/encrypt.c create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.c create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-util.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.c create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.c create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/api.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/encrypt.c create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.c create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-util.h create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.c create mode 100644 photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.c create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/api.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/encrypt.c create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-ocb.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.c create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-util.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask-128.c create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.c create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/api.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/encrypt.c create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-ocb.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.c create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-util.h create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask-96.c create mode 100644 pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask.h create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.c create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.h create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/api.h create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/encrypt.c create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.c create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.h create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinnyutil.h create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-util.h create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.c create mode 100644 romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.h create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.c create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.h create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/api.h create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/encrypt.c create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.c create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.h create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinnyutil.h create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-util.h create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.c create mode 100644 romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.h create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.c create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.h create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/api.h create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/encrypt.c create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.c create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.h create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinnyutil.h create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-util.h create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.c create mode 100644 romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.h create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.c create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.h create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/api.h create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/encrypt.c create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.c create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.h create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinnyutil.h create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-util.h create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.c create mode 100644 romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.h create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.c create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.h create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/api.h create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/encrypt.c create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.c create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.h create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinnyutil.h create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-util.h create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.c create mode 100644 romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.h create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.c create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.h create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/api.h create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/encrypt.c create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.c create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.h create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinnyutil.h create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-util.h create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.c create mode 100644 romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.h create mode 100644 saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.c create mode 100644 saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.h create mode 100644 saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/api.h create mode 100644 saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/encrypt.c create mode 100644 saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/internal-util.h create mode 100644 saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.c create mode 100644 saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.h create mode 100644 saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.c create mode 100644 saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.h create mode 100644 saturnin/Implementations/crypto_aead/saturninshortv2/rhys/api.h create mode 100644 saturnin/Implementations/crypto_aead/saturninshortv2/rhys/encrypt.c create mode 100644 saturnin/Implementations/crypto_aead/saturninshortv2/rhys/internal-util.h create mode 100644 saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.c create mode 100644 saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/api.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/encrypt.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinnyutil.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-util.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/api.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/encrypt.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinnyutil.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-util.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/api.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/encrypt.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinnyutil.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-util.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/api.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/encrypt.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinnyutil.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-util.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/api.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/encrypt.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinnyutil.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-util.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/api.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/encrypt.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinnyutil.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-util.h create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.c create mode 100644 skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/api.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/encrypt.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-util.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/api.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/encrypt.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-util.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/api.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/encrypt.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-util.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/api.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/encrypt.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-util.h create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.c create mode 100644 sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.h create mode 100644 spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.c create mode 100644 spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.h create mode 100644 spix/Implementations/crypto_aead/spix128v1/rhys/api.h create mode 100644 spix/Implementations/crypto_aead/spix128v1/rhys/encrypt.c create mode 100644 spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.c create mode 100644 spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.h create mode 100644 spix/Implementations/crypto_aead/spix128v1/rhys/internal-util.h create mode 100644 spix/Implementations/crypto_aead/spix128v1/rhys/spix.c create mode 100644 spix/Implementations/crypto_aead/spix128v1/rhys/spix.h create mode 100644 spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.c create mode 100644 spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.h create mode 100644 spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/api.h create mode 100644 spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/encrypt.c create mode 100644 spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.c create mode 100644 spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.h create mode 100644 spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-util.h create mode 100644 spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.c create mode 100644 spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.h create mode 100644 spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.c create mode 100644 spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.h create mode 100644 spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/api.h create mode 100644 spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/encrypt.c create mode 100644 spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.c create mode 100644 spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.h create mode 100644 spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-util.h create mode 100644 spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.c create mode 100644 spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.h create mode 100644 spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.c create mode 100644 spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.h create mode 100644 spook/Implementations/crypto_aead/spook128mu384v1/rhys/api.h create mode 100644 spook/Implementations/crypto_aead/spook128mu384v1/rhys/encrypt.c create mode 100644 spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.c create mode 100644 spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.h create mode 100644 spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-util.h create mode 100644 spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.c create mode 100644 spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.h create mode 100644 spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.c create mode 100644 spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.h create mode 100644 spook/Implementations/crypto_aead/spook128mu512v1/rhys/api.h create mode 100644 spook/Implementations/crypto_aead/spook128mu512v1/rhys/encrypt.c create mode 100644 spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.c create mode 100644 spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.h create mode 100644 spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-util.h create mode 100644 spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.c create mode 100644 spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.h create mode 100644 spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.c create mode 100644 spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.h create mode 100644 spook/Implementations/crypto_aead/spook128su384v1/rhys/api.h create mode 100644 spook/Implementations/crypto_aead/spook128su384v1/rhys/encrypt.c create mode 100644 spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.c create mode 100644 spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.h create mode 100644 spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-util.h create mode 100644 spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.c create mode 100644 spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.h create mode 100644 spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.c create mode 100644 spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.h create mode 100644 spook/Implementations/crypto_aead/spook128su512v1/rhys/api.h create mode 100644 spook/Implementations/crypto_aead/spook128su512v1/rhys/encrypt.c create mode 100644 spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.c create mode 100644 spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.h create mode 100644 spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-util.h create mode 100644 spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.c create mode 100644 spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.h create mode 100644 subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.c create mode 100644 subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.h create mode 100644 subterranean/Implementations/crypto_aead/subterraneanv1/rhys/api.h create mode 100644 subterranean/Implementations/crypto_aead/subterraneanv1/rhys/encrypt.c create mode 100644 subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.c create mode 100644 subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.h create mode 100644 subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-util.h create mode 100644 subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.c create mode 100644 subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/api.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/encrypt.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-util.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/api.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/encrypt.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-util.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/api.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/encrypt.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-util.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/api.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/encrypt.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-util.h create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.c create mode 100644 sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/api.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/encrypt.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-util.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/api.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/encrypt.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-util.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/api.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/encrypt.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-util.h create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.c create mode 100644 tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.h create mode 100644 wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.c create mode 100644 wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.h create mode 100644 wage/Implementations/crypto_aead/wageae128v1/rhys/api.h create mode 100644 wage/Implementations/crypto_aead/wageae128v1/rhys/encrypt.c create mode 100644 wage/Implementations/crypto_aead/wageae128v1/rhys/internal-util.h create mode 100644 wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.c create mode 100644 wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.h create mode 100644 wage/Implementations/crypto_aead/wageae128v1/rhys/wage.c create mode 100644 wage/Implementations/crypto_aead/wageae128v1/rhys/wage.h create mode 100644 xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.c create mode 100644 xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.h create mode 100644 xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/api.h create mode 100644 xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/encrypt.c create mode 100644 xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-util.h create mode 100644 xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.c create mode 100644 xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.h create mode 100644 xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.c create mode 100644 xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.h diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/ace.c b/ace/Implementations/crypto_aead/aceae128v1/rhys/ace.c new file mode 100644 index 0000000..7a68306 --- /dev/null +++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/ace.c @@ -0,0 +1,339 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "ace.h" +#include "internal-sliscp-light.h" +#include "internal-util.h" +#include + +/** + * \brief Size of the state for the internal ACE permutation. + */ +#define ACE_STATE_SIZE SLISCP_LIGHT320_STATE_SIZE + +/** + * \brief Rate for absorbing data into the ACE state and for + * squeezing data out again. + */ +#define ACE_RATE 8 + +aead_cipher_t const ace_cipher = { + "ACE", + ACE_KEY_SIZE, + ACE_NONCE_SIZE, + ACE_TAG_SIZE, + AEAD_FLAG_NONE, + ace_aead_encrypt, + ace_aead_decrypt +}; + +aead_hash_algorithm_t const ace_hash_algorithm = { + "ACE-HASH", + sizeof(ace_hash_state_t), + ACE_HASH_SIZE, + AEAD_FLAG_NONE, + ace_hash, + (aead_hash_init_t)ace_hash_init, + (aead_hash_update_t)ace_hash_update, + (aead_hash_finalize_t)ace_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/* Indices of where a rate byte is located in the state. We don't + * need this array any more because sliscp_light320_permute() operates + * on byte-swapped states where the rate bytes are contiguous in the + * first 8 bytes */ +/* +static unsigned char const ace_rate_posn[8] = { + 0, 1, 2, 3, 16, 17, 18, 19 +}; +*/ + +/** + * \brief Initializes the ACE state. + * + * \param state ACE permutation state. + * \param k Points to the 128-bit key. + * \param npub Points to the 128-bit nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void ace_init + (unsigned char state[ACE_STATE_SIZE], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state by interleaving the key and nonce */ + memcpy(state, k, 8); + memcpy(state + 8, npub, 8); + memcpy(state + 16, k + 8, 8); + memset(state + 24, 0, 8); + memcpy(state + 32, npub + 8, 8); + + /* Swap some of the state bytes to make the rate bytes contiguous */ + sliscp_light320_swap(state); + + /* Run the permutation to scramble the initial state */ + sliscp_light320_permute(state); + + /* Absorb the key in two further permutation operations */ + lw_xor_block(state, k, 8); + sliscp_light320_permute(state); + lw_xor_block(state, k + 8, 8); + sliscp_light320_permute(state); + + /* Absorb the associated data into the state */ + if (adlen != 0) { + while (adlen >= ACE_RATE) { + lw_xor_block(state, ad, ACE_RATE); + state[ACE_STATE_SIZE - 1] ^= 0x01; /* domain separation */ + sliscp_light320_permute(state); + ad += ACE_RATE; + adlen -= ACE_RATE; + } + temp = (unsigned)adlen; + lw_xor_block(state, ad, temp); + state[temp] ^= 0x80; /* padding */ + state[ACE_STATE_SIZE - 1] ^= 0x01; /* domain separation */ + sliscp_light320_permute(state); + } +} + +/** + * \brief Finalizes the ACE encryption or decryption operation. + * + * \param state ACE permutation state. + * \param k Points to the 128-bit key. + * \param tag Points to the 16 byte buffer to receive the computed tag. + */ +static void ace_finalize + (unsigned char state[ACE_STATE_SIZE], const unsigned char *k, + unsigned char *tag) +{ + /* Absorb the key into the state again */ + lw_xor_block(state, k, 8); + sliscp_light320_permute(state); + lw_xor_block(state, k + 8, 8); + sliscp_light320_permute(state); + + /* Swap the state bytes back to the canonical order */ + sliscp_light320_swap(state); + + /* Copy out the authentication tag */ + memcpy(tag, state, 8); + memcpy(tag + 8, state + 16, 8); +} + +int ace_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[ACE_STATE_SIZE]; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ACE_TAG_SIZE; + + /* Initialize the ACE state and absorb the associated data */ + ace_init(state, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen >= ACE_RATE) { + lw_xor_block_2_dest(c, state, m, ACE_RATE); + state[ACE_STATE_SIZE - 1] ^= 0x02; /* domain separation */ + sliscp_light320_permute(state); + c += ACE_RATE; + m += ACE_RATE; + mlen -= ACE_RATE; + } + temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state, m, temp); + state[temp] ^= 0x80; /* padding */ + state[ACE_STATE_SIZE - 1] ^= 0x02; /* domain separation */ + sliscp_light320_permute(state); + c += mlen; + + /* Generate the authentication tag */ + ace_finalize(state, k, c); + return 0; +} + +int ace_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[ACE_STATE_SIZE]; + unsigned char *mtemp = m; + unsigned temp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ACE_TAG_SIZE) + return -1; + *mlen = clen - ACE_TAG_SIZE; + + /* Initialize the ACE state and absorb the associated data */ + ace_init(state, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ACE_TAG_SIZE; + while (clen >= ACE_RATE) { + lw_xor_block_swap(m, state, c, ACE_RATE); + state[ACE_STATE_SIZE - 1] ^= 0x02; /* domain separation */ + sliscp_light320_permute(state); + c += ACE_RATE; + m += ACE_RATE; + clen -= ACE_RATE; + } + temp = (unsigned)clen; + lw_xor_block_swap(m, state, c, temp); + state[temp] ^= 0x80; /* padding */ + state[ACE_STATE_SIZE - 1] ^= 0x02; /* domain separation */ + sliscp_light320_permute(state); + c += clen; + + /* Finalize the ACE state and compare against the authentication tag */ + ace_finalize(state, k, state); + return aead_check_tag(mtemp, *mlen, state, c, ACE_TAG_SIZE); +} + +/* Pre-hashed version of the ACE-HASH initialization vector */ +static unsigned char const ace_hash_iv[ACE_STATE_SIZE] = { + 0xb9, 0x7d, 0xda, 0x3f, 0x66, 0x2c, 0xd1, 0xa6, + 0x65, 0xd1, 0x80, 0xd6, 0x49, 0xdc, 0xa1, 0x8c, + 0x0c, 0x5f, 0x0e, 0xca, 0x70, 0x37, 0x58, 0x75, + 0x29, 0x7d, 0xb0, 0xb0, 0x72, 0x73, 0xce, 0xa8, + 0x99, 0x71, 0xde, 0x8a, 0x9a, 0x65, 0x72, 0x24 +}; + +int ace_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + unsigned char state[ACE_STATE_SIZE]; + unsigned temp; + + /* Load the initialization vector and hash it, which can be pre-computed */ + /* + memset(state, 0, sizeof(state)); + state[8] = 0x80; + state[9] = 0x40; + state[10] = 0x40; + sliscp_light320_swap(state); + sliscp_light320_permute(state); + */ + memcpy(state, ace_hash_iv, ACE_STATE_SIZE); + + /* Absorb the input data */ + while (inlen >= ACE_RATE) { + lw_xor_block(state, in, ACE_RATE); + sliscp_light320_permute(state); + in += ACE_RATE; + inlen -= ACE_RATE; + } + temp = (unsigned)inlen; + lw_xor_block(state, in, temp); + state[temp] ^= 0x80; /* padding */ + sliscp_light320_permute(state); + + /* Squeeze out the hash value */ + memcpy(out, state, 8); + for (temp = 0; temp < 3; ++temp) { + out += 8; + sliscp_light320_permute(state); + memcpy(out, state, 8); + } + return 0; +} + +void ace_hash_init(ace_hash_state_t *state) +{ + memcpy(state->s.state, ace_hash_iv, ACE_STATE_SIZE); + state->s.count = 0; +} + +void ace_hash_update + (ace_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + unsigned len; + + /* Handle the left-over rate block from last time */ + if (state->s.count != 0) { + len = ACE_RATE - state->s.count; + if (len > inlen) + len = (unsigned)inlen; + lw_xor_block(state->s.state + state->s.count, in, len); + in += len; + inlen -= len; + state->s.count += len; + if (state->s.count >= ACE_RATE) { + sliscp_light320_permute(state->s.state); + state->s.count = 0; + } else { + /* Not enough input data yet to fill up the whole block */ + return; + } + } + + /* Process as many full rate blocks as we can */ + while (inlen >= ACE_RATE) { + lw_xor_block(state->s.state, in, ACE_RATE); + sliscp_light320_permute(state->s.state); + in += ACE_RATE; + inlen -= ACE_RATE; + } + + /* Handle any left-over data */ + len = (unsigned)inlen; + lw_xor_block(state->s.state, in, len); + state->s.count = len; +} + +void ace_hash_finalize(ace_hash_state_t *state, unsigned char *out) +{ + unsigned temp; + + /* Pad and hash the final input block */ + state->s.state[state->s.count] ^= 0x80; + sliscp_light320_permute(state->s.state); + state->s.count = 0; + + /* Squeeze out the hash value */ + memcpy(out, state->s.state, 9); + for (temp = 0; temp < 3; ++temp) { + out += 8; + sliscp_light320_permute(state->s.state); + memcpy(out, state->s.state, 8); + } +} diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/ace.h b/ace/Implementations/crypto_aead/aceae128v1/rhys/ace.h new file mode 100644 index 0000000..4497927 --- /dev/null +++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/ace.h @@ -0,0 +1,197 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ACE_H +#define LWCRYPTO_ACE_H + +#include "aead-common.h" + +/** + * \file ace.h + * \brief ACE authenticated encryption algorithm. + * + * ACE is an authenticated encryption algorithm with a 128-bit key, + * a 128-bit nonce, and a 128-bit tag. It uses a duplex construction + * on top of a 320-bit permutation. The permutation is a generalised + * version of sLiSCP-light, extended from 256 bits to 320 bits. + * ACE also has a companion hash algorithm with a 256-bit output. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/ace + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for ACE. + */ +#define ACE_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for ACE. + */ +#define ACE_TAG_SIZE 16 + +/** + * \brief Size of the nonce for ACE. + */ +#define ACE_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for ACE-HASH. + */ +#define ACE_HASH_SIZE 32 + +/** + * \brief Meta-information block for the ACE cipher. + */ +extern aead_cipher_t const ace_cipher; + +/** + * \brief Meta-information block for the ACE-HASH hash algorithm. + */ +extern aead_hash_algorithm_t const ace_hash_algorithm; + +/** + * \brief State information for the ACE-HASH incremental hash mode. + */ +typedef union +{ + struct { + unsigned char state[40]; /**< Current hash state */ + unsigned char count; /**< Number of bytes in the current block */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} ace_hash_state_t; + +/** + * \brief Encrypts and authenticates a packet with ACE. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ace_aead_decrypt() + */ +int ace_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ACE. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ace_aead_encrypt() + */ +int ace_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with ACE-HASH to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ACE_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int ace_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an ACE-HASH hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa ace_hash_update(), ace_hash_finalize(), ace_hash() + */ +void ace_hash_init(ace_hash_state_t *state); + +/** + * \brief Updates the ACE-HASH state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa ace_hash_init(), ace_hash_finalize() + */ +void ace_hash_update + (ace_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an ACE-HASH hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa ace_hash_init(), ace_hash_update() + */ +void ace_hash_finalize(ace_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.c b/ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.h b/ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/api.h b/ace/Implementations/crypto_aead/aceae128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/encrypt.c b/ace/Implementations/crypto_aead/aceae128v1/rhys/encrypt.c new file mode 100644 index 0000000..99cb7f3 --- /dev/null +++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "ace.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return ace_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return ace_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.c b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.c new file mode 100644 index 0000000..69b4519 --- /dev/null +++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.c @@ -0,0 +1,408 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-sliscp-light.h" + +/** + * \brief Performs one round of the Simeck-64 block cipher. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + */ +#define simeck64_round(x, y) \ + do { \ + (y) ^= (leftRotate5((x)) & (x)) ^ leftRotate1((x)) ^ \ + 0xFFFFFFFEU ^ (_rc & 1); \ + _rc >>= 1; \ + } while (0) + +/** + * \brief Encrypts a 64-bit block with the 8 round version of Simeck-64. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + * \param rc Round constants for the 8 rounds, 1 bit per round. + * + * It is assumed that the two halves have already been converted from + * big-endian to host byte order before calling this function. The output + * halves will also be in host byte order. + */ +#define simeck64_box(x, y, rc) \ + do { \ + unsigned char _rc = (rc); \ + simeck64_round(x, y); /* Round 1 */ \ + simeck64_round(y, x); /* Round 2 */ \ + simeck64_round(x, y); /* Round 3 */ \ + simeck64_round(y, x); /* Round 4 */ \ + simeck64_round(x, y); /* Round 5 */ \ + simeck64_round(y, x); /* Round 6 */ \ + simeck64_round(x, y); /* Round 7 */ \ + simeck64_round(y, x); /* Round 8 */ \ + } while (0) + +/* Helper macros for 48-bit left rotations */ +#define leftRotate5_48(x) (((x) << 5) | ((x) >> 19)) +#define leftRotate1_48(x) (((x) << 1) | ((x) >> 23)) + +/** + * \brief Performs one round of the Simeck-48 block cipher. + * + * \param x Left half of the 48-bit block. + * \param y Right half of the 48-bit block. + */ +#define simeck48_round(x, y) \ + do { \ + (y) ^= (leftRotate5_48((x)) & (x)) ^ leftRotate1_48((x)) ^ \ + 0x00FFFFFEU ^ (_rc & 1); \ + (y) &= 0x00FFFFFFU; \ + _rc >>= 1; \ + } while (0) + +/** + * \brief Encrypts a 48-bit block with the 6 round version of Simeck-48. + * + * \param x Left half of the 48-bit block. + * \param y Right half of the 48-bit block. + * \param rc Round constants for the 8 rounds, 1 bit per round. + * + * It is assumed that the two halves have already been converted from + * big-endian to host byte order before calling this function. The output + * halves will also be in host byte order. + */ +#define simeck48_box(x, y, rc) \ + do { \ + unsigned char _rc = (rc); \ + simeck48_round(x, y); /* Round 1 */ \ + simeck48_round(y, x); /* Round 2 */ \ + simeck48_round(x, y); /* Round 3 */ \ + simeck48_round(y, x); /* Round 4 */ \ + simeck48_round(x, y); /* Round 5 */ \ + simeck48_round(y, x); /* Round 6 */ \ + } while (0) + +/* Interleaved rc0, rc1, sc0, and sc1 values for each round */ +static unsigned char const sliscp_light256_RC[18 * 4] = { + 0x0f, 0x47, 0x08, 0x64, 0x04, 0xb2, 0x86, 0x6b, + 0x43, 0xb5, 0xe2, 0x6f, 0xf1, 0x37, 0x89, 0x2c, + 0x44, 0x96, 0xe6, 0xdd, 0x73, 0xee, 0xca, 0x99, + 0xe5, 0x4c, 0x17, 0xea, 0x0b, 0xf5, 0x8e, 0x0f, + 0x47, 0x07, 0x64, 0x04, 0xb2, 0x82, 0x6b, 0x43, + 0xb5, 0xa1, 0x6f, 0xf1, 0x37, 0x78, 0x2c, 0x44, + 0x96, 0xa2, 0xdd, 0x73, 0xee, 0xb9, 0x99, 0xe5, + 0x4c, 0xf2, 0xea, 0x0b, 0xf5, 0x85, 0x0f, 0x47, + 0x07, 0x23, 0x04, 0xb2, 0x82, 0xd9, 0x43, 0xb5 +}; + +void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds) +{ + const unsigned char *rc = sliscp_light256_RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 4); + x2 = be_load_word32(block + 8); + x3 = be_load_word32(block + 24); /* Assumes the block is pre-swapped */ + x4 = be_load_word32(block + 16); + x5 = be_load_word32(block + 20); + x6 = be_load_word32(block + 12); + x7 = be_load_word32(block + 28); + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds, rc += 4) { + /* Apply Simeck-64 to two of the 64-bit sub-blocks */ + simeck64_box(x2, x3, rc[0]); + simeck64_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0xFFFFFFFFU; + x1 ^= 0xFFFFFF00U ^ rc[2]; + x4 ^= 0xFFFFFFFFU; + x5 ^= 0xFFFFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 4, x1); + be_store_word32(block + 8, x2); + be_store_word32(block + 24, x3); /* Assumes the block is pre-swapped */ + be_store_word32(block + 16, x4); + be_store_word32(block + 20, x5); + be_store_word32(block + 12, x6); + be_store_word32(block + 28, x7); +} + +void sliscp_light256_swap_spix(unsigned char block[32]) +{ + uint32_t t1, t2; + t1 = le_load_word32(block + 12); + t2 = le_load_word32(block + 24); + le_store_word32(block + 24, t1); + le_store_word32(block + 12, t2); +} + +void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds) +{ + const unsigned char *rc = sliscp_light256_RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 4); + x2 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ + x3 = be_load_word32(block + 20); + x4 = be_load_word32(block + 8); + x5 = be_load_word32(block + 12); + x6 = be_load_word32(block + 24); + x7 = be_load_word32(block + 28); + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds, rc += 4) { + /* Apply Simeck-64 to two of the 64-bit sub-blocks */ + simeck64_box(x2, x3, rc[0]); + simeck64_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0xFFFFFFFFU; + x1 ^= 0xFFFFFF00U ^ rc[2]; + x4 ^= 0xFFFFFFFFU; + x5 ^= 0xFFFFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 4, x1); + be_store_word32(block + 16, x2); /* Assumes the block is pre-swapped */ + be_store_word32(block + 20, x3); + be_store_word32(block + 8, x4); + be_store_word32(block + 12, x5); + be_store_word32(block + 24, x6); + be_store_word32(block + 28, x7); +} + +void sliscp_light256_swap_spoc(unsigned char block[32]) +{ + uint64_t t1, t2; + t1 = le_load_word64(block + 8); + t2 = le_load_word64(block + 16); + le_store_word64(block + 16, t1); + le_store_word64(block + 8, t2); +} + +/* Load a big-endian 24-bit word from a byte buffer */ +#define be_load_word24(ptr) \ + ((((uint32_t)((ptr)[0])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[2]))) + +/* Store a big-endian 24-bit word into a byte buffer */ +#define be_store_word24(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 16); \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)_x; \ + } while (0) + +void sliscp_light192_permute(unsigned char block[24]) +{ + /* Interleaved rc0, rc1, sc0, and sc1 values for each round */ + static unsigned char const RC[18 * 4] = { + 0x07, 0x27, 0x08, 0x29, 0x04, 0x34, 0x0c, 0x1d, + 0x06, 0x2e, 0x0a, 0x33, 0x25, 0x19, 0x2f, 0x2a, + 0x17, 0x35, 0x38, 0x1f, 0x1c, 0x0f, 0x24, 0x10, + 0x12, 0x08, 0x36, 0x18, 0x3b, 0x0c, 0x0d, 0x14, + 0x26, 0x0a, 0x2b, 0x1e, 0x15, 0x2f, 0x3e, 0x31, + 0x3f, 0x38, 0x01, 0x09, 0x20, 0x24, 0x21, 0x2d, + 0x30, 0x36, 0x11, 0x1b, 0x28, 0x0d, 0x39, 0x16, + 0x3c, 0x2b, 0x05, 0x3d, 0x22, 0x3e, 0x27, 0x03, + 0x13, 0x01, 0x34, 0x02, 0x1a, 0x21, 0x2e, 0x23 + }; + const unsigned char *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + unsigned round; + + /* Load the block into local state variables. Each 24-bit block is + * placed into a separate 32-bit word which improves efficiency below */ + x0 = be_load_word24(block); + x1 = be_load_word24(block + 3); + x2 = be_load_word24(block + 6); + x3 = be_load_word24(block + 9); + x4 = be_load_word24(block + 12); + x5 = be_load_word24(block + 15); + x6 = be_load_word24(block + 18); + x7 = be_load_word24(block + 21); + + /* Perform all permutation rounds */ + for (round = 0; round < 18; ++round, rc += 4) { + /* Apply Simeck-48 to two of the 48-bit sub-blocks */ + simeck48_box(x2, x3, rc[0]); + simeck48_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0x00FFFFFFU; + x1 ^= 0x00FFFF00U ^ rc[2]; + x4 ^= 0x00FFFFFFU; + x5 ^= 0x00FFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word24(block, x0); + be_store_word24(block + 3, x1); + be_store_word24(block + 6, x2); + be_store_word24(block + 9, x3); + be_store_word24(block + 12, x4); + be_store_word24(block + 15, x5); + be_store_word24(block + 18, x6); + be_store_word24(block + 21, x7); +} + +void sliscp_light320_permute(unsigned char block[40]) +{ + /* Interleaved rc0, rc1, rc2, sc0, sc1, and sc2 values for each round */ + static unsigned char const RC[16 * 6] = { + 0x07, 0x53, 0x43, 0x50, 0x28, 0x14, 0x0a, 0x5d, + 0xe4, 0x5c, 0xae, 0x57, 0x9b, 0x49, 0x5e, 0x91, + 0x48, 0x24, 0xe0, 0x7f, 0xcc, 0x8d, 0xc6, 0x63, + 0xd1, 0xbe, 0x32, 0x53, 0xa9, 0x54, 0x1a, 0x1d, + 0x4e, 0x60, 0x30, 0x18, 0x22, 0x28, 0x75, 0x68, + 0x34, 0x9a, 0xf7, 0x6c, 0x25, 0xe1, 0x70, 0x38, + 0x62, 0x82, 0xfd, 0xf6, 0x7b, 0xbd, 0x96, 0x47, + 0xf9, 0x9d, 0xce, 0x67, 0x71, 0x6b, 0x76, 0x40, + 0x20, 0x10, 0xaa, 0x88, 0xa0, 0x4f, 0x27, 0x13, + 0x2b, 0xdc, 0xb0, 0xbe, 0x5f, 0x2f, 0xe9, 0x8b, + 0x09, 0x5b, 0xad, 0xd6, 0xcf, 0x59, 0x1e, 0xe9, + 0x74, 0xba, 0xb7, 0xc6, 0xad, 0x7f, 0x3f, 0x1f + }; + const unsigned char *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9; + uint32_t t0, t1; + unsigned round; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ + x2 = be_load_word32(block + 8); + x3 = be_load_word32(block + 12); + x4 = be_load_word32(block + 4); + x5 = be_load_word32(block + 20); + x6 = be_load_word32(block + 24); + x7 = be_load_word32(block + 28); + x8 = be_load_word32(block + 32); + x9 = be_load_word32(block + 36); + + /* Perform all permutation rounds */ + for (round = 0; round < 16; ++round, rc += 6) { + /* Apply Simeck-64 to three of the 64-bit sub-blocks */ + simeck64_box(x0, x1, rc[0]); + simeck64_box(x4, x5, rc[1]); + simeck64_box(x8, x9, rc[2]); + x6 ^= x8; + x7 ^= x9; + x2 ^= x4; + x3 ^= x5; + x8 ^= x0; + x9 ^= x1; + + /* Add step constants */ + x2 ^= 0xFFFFFFFFU; + x3 ^= 0xFFFFFF00U ^ rc[3]; + x6 ^= 0xFFFFFFFFU; + x7 ^= 0xFFFFFF00U ^ rc[4]; + x8 ^= 0xFFFFFFFFU; + x9 ^= 0xFFFFFF00U ^ rc[5]; + + /* Rotate the sub-blocks */ + t0 = x8; + t1 = x9; + x8 = x2; + x9 = x3; + x2 = x4; + x3 = x5; + x4 = x0; + x5 = x1; + x0 = x6; + x1 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 16, x1); /* Assumes the block is pre-swapped */ + be_store_word32(block + 8, x2); + be_store_word32(block + 12, x3); + be_store_word32(block + 4, x4); + be_store_word32(block + 20, x5); + be_store_word32(block + 24, x6); + be_store_word32(block + 28, x7); + be_store_word32(block + 32, x8); + be_store_word32(block + 36, x9); +} + +void sliscp_light320_swap(unsigned char block[40]) +{ + uint32_t t1, t2; + t1 = le_load_word32(block + 4); + t2 = le_load_word32(block + 16); + le_store_word32(block + 16, t1); + le_store_word32(block + 4, t2); +} diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.h b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.h new file mode 100644 index 0000000..fa6b9ba --- /dev/null +++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.h @@ -0,0 +1,169 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SLISCP_LIGHT_H +#define LW_INTERNAL_SLISCP_LIGHT_H + +/** + * \file internal-sliscp-light.h + * \brief sLiSCP-light permutation + * + * There are three variants of sLiSCP-light in use in the NIST submissions: + * + * \li sLiSCP-light-256 with a 256-bit block size, used in SPIX and SpoC. + * \li sLiSCP-light-192 with a 192-bit block size, used in SpoC. + * \li sLiSCP-light-320 with a 320-bit block size, used in ACE. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/ace, + * https://uwaterloo.ca/communications-security-lab/lwc/spix, + * https://uwaterloo.ca/communications-security-lab/lwc/spoc + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for sLiSCP-light-256. + */ +#define SLISCP_LIGHT256_STATE_SIZE 32 + +/** + * \brief Size of the state for sLiSCP-light-192. + */ +#define SLISCP_LIGHT192_STATE_SIZE 24 + +/** + * \brief Size of the state for sLiSCP-light-320. + */ +#define SLISCP_LIGHT320_STATE_SIZE 40 + +/** + * \brief Performs the sLiSCP-light permutation on a 256-bit block. + * + * \param block Points to the block to be permuted. + * \param rounds Number of rounds to be performed, usually 9 or 18. + * + * The bytes of the block are assumed to be rearranged to match the + * requirements of the SPIX cipher. SPIX places the rate bytes at + * positions 8, 9, 10, 11, 24, 25, 26, and 27. + * + * This function assumes that bytes 24-27 have been pre-swapped with + * bytes 12-15 so that the rate portion of the state is contiguous. + * + * The sliscp_light256_swap_spix() function can be used to switch + * between the canonical order and the pre-swapped order. + * + * \sa sliscp_light256_swap_spix() + */ +void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SPIX. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light256_permute_spix() + */ +void sliscp_light256_swap_spix(unsigned char block[32]); + +/** + * \brief Performs the sLiSCP-light permutation on a 256-bit block. + * + * \param block Points to the block to be permuted. + * \param rounds Number of rounds to be performed, usually 9 or 18. + * + * The bytes of the block are assumed to be rearranged to match the + * requirements of the SpoC-128 cipher. SpoC-128 interleaves the + * rate bytes and the mask bytes. This version assumes that the + * rate and mask are in contiguous bytes of the state. + * + * SpoC-128 absorbs bytes using the mask bytes of the state at offsets + * 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, and 31. + * It squeezes bytes using the rate bytes of the state at offsets + * 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, and 23. + * + * This function assumes that bytes 8-15 have been pre-swapped with 16-23 + * so that the rate and mask portions of the state are contiguous. + * + * The sliscp_light256_swap_spoc() function can be used to switch + * between the canonical order and the pre-swapped order. + * + * \sa sliscp_light256_swap_spoc() + */ +void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light256_permute_spoc() + */ +void sliscp_light256_swap_spoc(unsigned char block[32]); + +/** + * \brief Performs the sLiSCP-light permutation on a 192-bit block. + * + * \param block Points to the block to be permuted. + */ +void sliscp_light192_permute(unsigned char block[24]); + +/** + * \brief Performs the sLiSCP-light permutation on a 320-bit block. + * + * \param block Points to the block to be permuted. + * + * The ACE specification refers to this permutation as "ACE" but that + * can be confused with the name of the AEAD mode so we call this + * permutation "sLiSCP-light-320" instead. + * + * ACE absorbs and squeezes data at the rate bytes 0, 1, 2, 3, 16, 17, 18, 19. + * Efficiency can suffer because of the discontinuity in rate byte positions. + * + * To counteract this, we assume that the input to the permutation has been + * pre-swapped: bytes 4, 5, 6, 7 are swapped with bytes 16, 17, 18, 19 so + * that the rate is contiguous at the start of the state. + * + * The sliscp_light320_swap() function can be used to switch between the + * canonical order and the pre-swapped order. + * + * \sa sliscp_light320_swap() + */ +void sliscp_light320_permute(unsigned char block[40]); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 320-bit block. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light320_permute() + */ +void sliscp_light320_swap(unsigned char block[40]); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-util.h b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.c b/ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.h b/ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/api.h b/ascon/Implementations/crypto_aead/ascon128av12/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.c b/ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.c new file mode 100644 index 0000000..80b2e46 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.c @@ -0,0 +1,383 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "ascon128.h" +#include "internal-ascon.h" +#include + +/** + * \brief Initialization vector for ASCON-128. + */ +#define ASCON128_IV 0x80400c0600000000ULL + +/** + * \brief Initialization vector for ASCON-128a. + */ +#define ASCON128a_IV 0x80800c0800000000ULL + +/** + * \brief Initialization vector for ASCON-80pq. + */ +#define ASCON80PQ_IV 0xa0400c06U + +aead_cipher_t const ascon128_cipher = { + "ASCON-128", + ASCON128_KEY_SIZE, + ASCON128_NONCE_SIZE, + ASCON128_TAG_SIZE, + AEAD_FLAG_NONE, + ascon128_aead_encrypt, + ascon128_aead_decrypt +}; + +aead_cipher_t const ascon128a_cipher = { + "ASCON-128a", + ASCON128_KEY_SIZE, + ASCON128_NONCE_SIZE, + ASCON128_TAG_SIZE, + AEAD_FLAG_NONE, + ascon128a_aead_encrypt, + ascon128a_aead_decrypt +}; + +aead_cipher_t const ascon80pq_cipher = { + "ASCON-80pq", + ASCON80PQ_KEY_SIZE, + ASCON80PQ_NONCE_SIZE, + ASCON80PQ_TAG_SIZE, + AEAD_FLAG_NONE, + ascon80pq_aead_encrypt, + ascon80pq_aead_decrypt +}; + +/** + * \brief Absorbs data into an ASCON state. + * + * \param state The state to absorb the data into. + * \param data Points to the data to be absorbed. + * \param len Length of the data to be absorbed. + * \param rate Block rate, which is either 8 or 16. + * \param first_round First round of the permutation to apply each block. + */ +static void ascon_absorb + (ascon_state_t *state, const unsigned char *data, + unsigned long long len, uint8_t rate, uint8_t first_round) +{ + while (len >= rate) { + lw_xor_block(state->B, data, rate); + ascon_permute(state, first_round); + data += rate; + len -= rate; + } + lw_xor_block(state->B, data, (unsigned)len); + state->B[(unsigned)len] ^= 0x80; + ascon_permute(state, first_round); +} + +/** + * \brief Encrypts a block of data with an ASCON state. + * + * \param state The state to encrypt with. + * \param dest Points to the destination buffer. + * \param src Points to the source buffer. + * \param len Length of the data to encrypt from \a src into \a dest. + * \param rate Block rate, which is either 8 or 16. + * \param first_round First round of the permutation to apply each block. + */ +static void ascon_encrypt + (ascon_state_t *state, unsigned char *dest, + const unsigned char *src, unsigned long long len, + uint8_t rate, uint8_t first_round) +{ + while (len >= rate) { + lw_xor_block_2_dest(dest, state->B, src, rate); + ascon_permute(state, first_round); + dest += rate; + src += rate; + len -= rate; + } + lw_xor_block_2_dest(dest, state->B, src, (unsigned)len); + state->B[(unsigned)len] ^= 0x80; +} + +/** + * \brief Decrypts a block of data with an ASCON state. + * + * \param state The state to decrypt with. + * \param dest Points to the destination buffer. + * \param src Points to the source buffer. + * \param len Length of the data to decrypt from \a src into \a dest. + * \param rate Block rate, which is either 8 or 16. + * \param first_round First round of the permutation to apply each block. + */ +static void ascon_decrypt + (ascon_state_t *state, unsigned char *dest, + const unsigned char *src, unsigned long long len, + uint8_t rate, uint8_t first_round) +{ + while (len >= rate) { + lw_xor_block_swap(dest, state->B, src, rate); + ascon_permute(state, first_round); + dest += rate; + src += rate; + len -= rate; + } + lw_xor_block_swap(dest, state->B, src, (unsigned)len); + state->B[(unsigned)len] ^= 0x80; +} + +int ascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Encrypt the plaintext to create the ciphertext */ + ascon_encrypt(&state, c, m, mlen, 8, 6); + + /* Finalize and compute the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); + return 0; +} + +int ascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned plaintext */ + if (clen < ASCON128_TAG_SIZE) + return -1; + *mlen = clen - ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Decrypt the ciphertext to create the plaintext */ + ascon_decrypt(&state, m, c, *mlen, 8, 6); + + /* Finalize and check the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, 16); + return aead_check_tag + (m, *mlen, state.B + 24, c + *mlen, ASCON128_TAG_SIZE); +} + +int ascon128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128a_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 16, 4); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Encrypt the plaintext to create the ciphertext */ + ascon_encrypt(&state, c, m, mlen, 16, 4); + + /* Finalize and compute the authentication tag */ + lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); + return 0; +} + +int ascon128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned plaintext */ + if (clen < ASCON128_TAG_SIZE) + return -1; + *mlen = clen - ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128a_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 16, 4); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Decrypt the ciphertext to create the plaintext */ + ascon_decrypt(&state, m, c, *mlen, 16, 4); + + /* Finalize and check the authentication tag */ + lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, 16); + return aead_check_tag + (m, *mlen, state.B + 24, c + *mlen, ASCON128_TAG_SIZE); +} + +int ascon80pq_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ASCON80PQ_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word32(state.B, ASCON80PQ_IV); + memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Encrypt the plaintext to create the ciphertext */ + ascon_encrypt(&state, c, m, mlen, 8, 6); + + /* Finalize and compute the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block_2_src(c + mlen, state.B + 24, k + 4, 16); + return 0; +} + +int ascon80pq_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned plaintext */ + if (clen < ASCON80PQ_TAG_SIZE) + return -1; + *mlen = clen - ASCON80PQ_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word32(state.B, ASCON80PQ_IV); + memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Decrypt the ciphertext to create the plaintext */ + ascon_decrypt(&state, m, c, *mlen, 8, 6); + + /* Finalize and check the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k + 4, 16); + return aead_check_tag + (m, *mlen, state.B + 24, c + *mlen, ASCON80PQ_TAG_SIZE); +} diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.h b/ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.h new file mode 100644 index 0000000..fd9db13 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/ascon128.h @@ -0,0 +1,408 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ASCON_H +#define LWCRYPTO_ASCON_H + +#include "aead-common.h" + +/** + * \file ascon128.h + * \brief ASCON-128 encryption algorithm and related family members. + * + * The ASCON family consists of several related algorithms: + * + * \li ASCON-128 with a 128-bit key, a 128-bit nonce, a 128-bit authentication + * tag, and a block rate of 64 bits. + * \li ASCON-128a with a 128-bit key, a 128-bit nonce, a 128-bit authentication + * tag, and a block rate of 128 bits. This is faster than ASCON-128 but may + * not be as secure. + * \li ASCON-80pq with a 160-bit key, a 128-bit nonce, a 128-bit authentication + * tag, and a block rate of 64 bits. This is similar to ASCON-128 but has a + * 160-bit key instead which may be more resistant against quantum computers. + * \li ASCON-HASH with a 256-bit hash output. + * + * References: https://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for ASCON-128 and ASCON-128a. + */ +#define ASCON128_KEY_SIZE 16 + +/** + * \brief Size of the nonce for ASCON-128 and ASCON-128a. + */ +#define ASCON128_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for ASCON-128 and ASCON-128a. + */ +#define ASCON128_TAG_SIZE 16 + +/** + * \brief Size of the key for ASCON-80pq. + */ +#define ASCON80PQ_KEY_SIZE 20 + +/** + * \brief Size of the nonce for ASCON-80pq. + */ +#define ASCON80PQ_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for ASCON-80pq. + */ +#define ASCON80PQ_TAG_SIZE 16 + +/** + * \brief Size of the hash output for ASCON-HASH. + */ +#define ASCON_HASH_SIZE 32 + +/** + * \brief State information for ASCON-HASH and ASCON-XOF incremental modes. + */ +typedef union +{ + struct { + unsigned char state[40]; /**< Current hash state */ + unsigned char count; /**< Number of bytes in the current block */ + unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} ascon_hash_state_t; + +/** + * \brief Meta-information block for the ASCON-128 cipher. + */ +extern aead_cipher_t const ascon128_cipher; + +/** + * \brief Meta-information block for the ASCON-128a cipher. + */ +extern aead_cipher_t const ascon128a_cipher; + +/** + * \brief Meta-information block for the ASCON-80pq cipher. + */ +extern aead_cipher_t const ascon80pq_cipher; + +/** + * \brief Meta-information block for the ASCON-HASH algorithm. + */ +extern aead_hash_algorithm_t const ascon_hash_algorithm; + +/** + * \brief Meta-information block for the ASCON-XOF algorithm. + */ +extern aead_hash_algorithm_t const ascon_xof_algorithm; + +/** + * \brief Encrypts and authenticates a packet with ASCON-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ascon128_aead_decrypt() + */ +int ascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ASCON-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ascon128_aead_encrypt() + */ +int ascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ASCON-128a. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ascon128a_aead_decrypt() + */ +int ascon128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ASCON-128a. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ascon128a_aead_encrypt() + */ +int ascon128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ASCON-80pq. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 20 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ascon80pq_aead_decrypt() + */ +int ascon80pq_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ASCON-80pq. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 20 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ascon80pq_aead_encrypt() + */ +int ascon80pq_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with ASCON-HASH. + * + * \param out Buffer to receive the hash output which must be at least + * ASCON_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + * + * \sa ascon_hash_init(), ascon_hash_absorb(), ascon_hash_squeeze() + */ +int ascon_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an ASCON-HASH hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa ascon_hash_update(), ascon_hash_finalize(), ascon_hash() + */ +void ascon_hash_init(ascon_hash_state_t *state); + +/** + * \brief Updates an ASCON-HASH state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa ascon_hash_init(), ascon_hash_finalize() + */ +void ascon_hash_update + (ascon_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an ASCON-HASH hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa ascon_hash_init(), ascon_hash_update() + */ +void ascon_hash_finalize + (ascon_hash_state_t *state, unsigned char *out); + +/** + * \brief Hashes a block of input data with ASCON-XOF and generates a + * fixed-length 32 byte output. + * + * \param out Buffer to receive the hash output which must be at least + * ASCON_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + * + * Use ascon_xof_squeeze() instead if you need variable-length XOF ouutput. + * + * \sa ascon_xof_init(), ascon_xof_absorb(), ascon_xof_squeeze() + */ +int ascon_xof + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an ASCON-XOF hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa ascon_xof_absorb(), ascon_xof_squeeze(), ascon_xof() + */ +void ascon_xof_init(ascon_hash_state_t *state); + +/** + * \brief Aborbs more input data into an ASCON-XOF state. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +void ascon_xof_absorb + (ascon_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Squeezes output data from an ASCON-XOF state. + * + * \param state Hash state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + * + * \sa ascon_xof_init(), ascon_xof_update() + */ +void ascon_xof_squeeze + (ascon_hash_state_t *state, unsigned char *out, unsigned long long outlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/encrypt.c b/ascon/Implementations/crypto_aead/ascon128av12/rhys/encrypt.c new file mode 100644 index 0000000..4f35480 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "ascon128.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return ascon128a_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return ascon128a_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.c b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.c new file mode 100644 index 0000000..12a8ec6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.c @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-ascon.h" + +void ascon_permute(ascon_state_t *state, uint8_t first_round) +{ + uint64_t t0, t1, t2, t3, t4; +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = be_load_word64(state->B); + uint64_t x1 = be_load_word64(state->B + 8); + uint64_t x2 = be_load_word64(state->B + 16); + uint64_t x3 = be_load_word64(state->B + 24); + uint64_t x4 = be_load_word64(state->B + 32); +#else + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; +#endif + while (first_round < 12) { + /* Add the round constant to the state */ + x2 ^= ((0x0F - first_round) << 4) | first_round; + + /* Substitution layer - apply the s-box using bit-slicing + * according to the algorithm recommended in the specification */ + x0 ^= x4; x4 ^= x3; x2 ^= x1; + t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4; + t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0; + x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; + x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2; + + /* Linear diffusion layer */ + x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0); + x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1); + x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2); + x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3); + x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4); + + /* Move onto the next round */ + ++first_round; + } +#if defined(LW_UTIL_LITTLE_ENDIAN) + be_store_word64(state->B, x0); + be_store_word64(state->B + 8, x1); + be_store_word64(state->B + 16, x2); + be_store_word64(state->B + 24, x3); + be_store_word64(state->B + 32, x4); +#else + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; +#endif +} diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.h b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.h new file mode 100644 index 0000000..d3fa3ca --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_ASCON_H +#define LW_INTERNAL_ASCON_H + +#include "internal-util.h" + +/** + * \file internal-ascon.h + * \brief Internal implementation of the ASCON permutation. + * + * References: http://competitions.cr.yp.to/round3/asconv12.pdf, + * http://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Structure of the internal state of the ASCON permutation. + */ +typedef union +{ + uint64_t S[5]; /**< Words of the state */ + uint8_t B[40]; /**< Bytes of the state */ + +} ascon_state_t; + +/** + * \brief Permutes the ASCON state. + * + * \param state The ASCON state to be permuted. + * \param first_round The first round (of 12) to be performed; 0, 4, or 6. + * + * The input and output \a state will be in big-endian byte order. + */ +void ascon_permute(ascon_state_t *state, uint8_t first_round); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-util.h b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.c b/ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.h b/ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/api.h b/ascon/Implementations/crypto_aead/ascon128v12/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.c b/ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.c new file mode 100644 index 0000000..80b2e46 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.c @@ -0,0 +1,383 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "ascon128.h" +#include "internal-ascon.h" +#include + +/** + * \brief Initialization vector for ASCON-128. + */ +#define ASCON128_IV 0x80400c0600000000ULL + +/** + * \brief Initialization vector for ASCON-128a. + */ +#define ASCON128a_IV 0x80800c0800000000ULL + +/** + * \brief Initialization vector for ASCON-80pq. + */ +#define ASCON80PQ_IV 0xa0400c06U + +aead_cipher_t const ascon128_cipher = { + "ASCON-128", + ASCON128_KEY_SIZE, + ASCON128_NONCE_SIZE, + ASCON128_TAG_SIZE, + AEAD_FLAG_NONE, + ascon128_aead_encrypt, + ascon128_aead_decrypt +}; + +aead_cipher_t const ascon128a_cipher = { + "ASCON-128a", + ASCON128_KEY_SIZE, + ASCON128_NONCE_SIZE, + ASCON128_TAG_SIZE, + AEAD_FLAG_NONE, + ascon128a_aead_encrypt, + ascon128a_aead_decrypt +}; + +aead_cipher_t const ascon80pq_cipher = { + "ASCON-80pq", + ASCON80PQ_KEY_SIZE, + ASCON80PQ_NONCE_SIZE, + ASCON80PQ_TAG_SIZE, + AEAD_FLAG_NONE, + ascon80pq_aead_encrypt, + ascon80pq_aead_decrypt +}; + +/** + * \brief Absorbs data into an ASCON state. + * + * \param state The state to absorb the data into. + * \param data Points to the data to be absorbed. + * \param len Length of the data to be absorbed. + * \param rate Block rate, which is either 8 or 16. + * \param first_round First round of the permutation to apply each block. + */ +static void ascon_absorb + (ascon_state_t *state, const unsigned char *data, + unsigned long long len, uint8_t rate, uint8_t first_round) +{ + while (len >= rate) { + lw_xor_block(state->B, data, rate); + ascon_permute(state, first_round); + data += rate; + len -= rate; + } + lw_xor_block(state->B, data, (unsigned)len); + state->B[(unsigned)len] ^= 0x80; + ascon_permute(state, first_round); +} + +/** + * \brief Encrypts a block of data with an ASCON state. + * + * \param state The state to encrypt with. + * \param dest Points to the destination buffer. + * \param src Points to the source buffer. + * \param len Length of the data to encrypt from \a src into \a dest. + * \param rate Block rate, which is either 8 or 16. + * \param first_round First round of the permutation to apply each block. + */ +static void ascon_encrypt + (ascon_state_t *state, unsigned char *dest, + const unsigned char *src, unsigned long long len, + uint8_t rate, uint8_t first_round) +{ + while (len >= rate) { + lw_xor_block_2_dest(dest, state->B, src, rate); + ascon_permute(state, first_round); + dest += rate; + src += rate; + len -= rate; + } + lw_xor_block_2_dest(dest, state->B, src, (unsigned)len); + state->B[(unsigned)len] ^= 0x80; +} + +/** + * \brief Decrypts a block of data with an ASCON state. + * + * \param state The state to decrypt with. + * \param dest Points to the destination buffer. + * \param src Points to the source buffer. + * \param len Length of the data to decrypt from \a src into \a dest. + * \param rate Block rate, which is either 8 or 16. + * \param first_round First round of the permutation to apply each block. + */ +static void ascon_decrypt + (ascon_state_t *state, unsigned char *dest, + const unsigned char *src, unsigned long long len, + uint8_t rate, uint8_t first_round) +{ + while (len >= rate) { + lw_xor_block_swap(dest, state->B, src, rate); + ascon_permute(state, first_round); + dest += rate; + src += rate; + len -= rate; + } + lw_xor_block_swap(dest, state->B, src, (unsigned)len); + state->B[(unsigned)len] ^= 0x80; +} + +int ascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Encrypt the plaintext to create the ciphertext */ + ascon_encrypt(&state, c, m, mlen, 8, 6); + + /* Finalize and compute the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); + return 0; +} + +int ascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned plaintext */ + if (clen < ASCON128_TAG_SIZE) + return -1; + *mlen = clen - ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Decrypt the ciphertext to create the plaintext */ + ascon_decrypt(&state, m, c, *mlen, 8, 6); + + /* Finalize and check the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, 16); + return aead_check_tag + (m, *mlen, state.B + 24, c + *mlen, ASCON128_TAG_SIZE); +} + +int ascon128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128a_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 16, 4); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Encrypt the plaintext to create the ciphertext */ + ascon_encrypt(&state, c, m, mlen, 16, 4); + + /* Finalize and compute the authentication tag */ + lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); + return 0; +} + +int ascon128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned plaintext */ + if (clen < ASCON128_TAG_SIZE) + return -1; + *mlen = clen - ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128a_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 16, 4); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Decrypt the ciphertext to create the plaintext */ + ascon_decrypt(&state, m, c, *mlen, 16, 4); + + /* Finalize and check the authentication tag */ + lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, 16); + return aead_check_tag + (m, *mlen, state.B + 24, c + *mlen, ASCON128_TAG_SIZE); +} + +int ascon80pq_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ASCON80PQ_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word32(state.B, ASCON80PQ_IV); + memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Encrypt the plaintext to create the ciphertext */ + ascon_encrypt(&state, c, m, mlen, 8, 6); + + /* Finalize and compute the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block_2_src(c + mlen, state.B + 24, k + 4, 16); + return 0; +} + +int ascon80pq_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned plaintext */ + if (clen < ASCON80PQ_TAG_SIZE) + return -1; + *mlen = clen - ASCON80PQ_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word32(state.B, ASCON80PQ_IV); + memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Decrypt the ciphertext to create the plaintext */ + ascon_decrypt(&state, m, c, *mlen, 8, 6); + + /* Finalize and check the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k + 4, 16); + return aead_check_tag + (m, *mlen, state.B + 24, c + *mlen, ASCON80PQ_TAG_SIZE); +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.h b/ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.h new file mode 100644 index 0000000..fd9db13 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/ascon128.h @@ -0,0 +1,408 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ASCON_H +#define LWCRYPTO_ASCON_H + +#include "aead-common.h" + +/** + * \file ascon128.h + * \brief ASCON-128 encryption algorithm and related family members. + * + * The ASCON family consists of several related algorithms: + * + * \li ASCON-128 with a 128-bit key, a 128-bit nonce, a 128-bit authentication + * tag, and a block rate of 64 bits. + * \li ASCON-128a with a 128-bit key, a 128-bit nonce, a 128-bit authentication + * tag, and a block rate of 128 bits. This is faster than ASCON-128 but may + * not be as secure. + * \li ASCON-80pq with a 160-bit key, a 128-bit nonce, a 128-bit authentication + * tag, and a block rate of 64 bits. This is similar to ASCON-128 but has a + * 160-bit key instead which may be more resistant against quantum computers. + * \li ASCON-HASH with a 256-bit hash output. + * + * References: https://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for ASCON-128 and ASCON-128a. + */ +#define ASCON128_KEY_SIZE 16 + +/** + * \brief Size of the nonce for ASCON-128 and ASCON-128a. + */ +#define ASCON128_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for ASCON-128 and ASCON-128a. + */ +#define ASCON128_TAG_SIZE 16 + +/** + * \brief Size of the key for ASCON-80pq. + */ +#define ASCON80PQ_KEY_SIZE 20 + +/** + * \brief Size of the nonce for ASCON-80pq. + */ +#define ASCON80PQ_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for ASCON-80pq. + */ +#define ASCON80PQ_TAG_SIZE 16 + +/** + * \brief Size of the hash output for ASCON-HASH. + */ +#define ASCON_HASH_SIZE 32 + +/** + * \brief State information for ASCON-HASH and ASCON-XOF incremental modes. + */ +typedef union +{ + struct { + unsigned char state[40]; /**< Current hash state */ + unsigned char count; /**< Number of bytes in the current block */ + unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} ascon_hash_state_t; + +/** + * \brief Meta-information block for the ASCON-128 cipher. + */ +extern aead_cipher_t const ascon128_cipher; + +/** + * \brief Meta-information block for the ASCON-128a cipher. + */ +extern aead_cipher_t const ascon128a_cipher; + +/** + * \brief Meta-information block for the ASCON-80pq cipher. + */ +extern aead_cipher_t const ascon80pq_cipher; + +/** + * \brief Meta-information block for the ASCON-HASH algorithm. + */ +extern aead_hash_algorithm_t const ascon_hash_algorithm; + +/** + * \brief Meta-information block for the ASCON-XOF algorithm. + */ +extern aead_hash_algorithm_t const ascon_xof_algorithm; + +/** + * \brief Encrypts and authenticates a packet with ASCON-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ascon128_aead_decrypt() + */ +int ascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ASCON-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ascon128_aead_encrypt() + */ +int ascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ASCON-128a. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ascon128a_aead_decrypt() + */ +int ascon128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ASCON-128a. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ascon128a_aead_encrypt() + */ +int ascon128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ASCON-80pq. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 20 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ascon80pq_aead_decrypt() + */ +int ascon80pq_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ASCON-80pq. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 20 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ascon80pq_aead_encrypt() + */ +int ascon80pq_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with ASCON-HASH. + * + * \param out Buffer to receive the hash output which must be at least + * ASCON_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + * + * \sa ascon_hash_init(), ascon_hash_absorb(), ascon_hash_squeeze() + */ +int ascon_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an ASCON-HASH hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa ascon_hash_update(), ascon_hash_finalize(), ascon_hash() + */ +void ascon_hash_init(ascon_hash_state_t *state); + +/** + * \brief Updates an ASCON-HASH state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa ascon_hash_init(), ascon_hash_finalize() + */ +void ascon_hash_update + (ascon_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an ASCON-HASH hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa ascon_hash_init(), ascon_hash_update() + */ +void ascon_hash_finalize + (ascon_hash_state_t *state, unsigned char *out); + +/** + * \brief Hashes a block of input data with ASCON-XOF and generates a + * fixed-length 32 byte output. + * + * \param out Buffer to receive the hash output which must be at least + * ASCON_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + * + * Use ascon_xof_squeeze() instead if you need variable-length XOF ouutput. + * + * \sa ascon_xof_init(), ascon_xof_absorb(), ascon_xof_squeeze() + */ +int ascon_xof + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an ASCON-XOF hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa ascon_xof_absorb(), ascon_xof_squeeze(), ascon_xof() + */ +void ascon_xof_init(ascon_hash_state_t *state); + +/** + * \brief Aborbs more input data into an ASCON-XOF state. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +void ascon_xof_absorb + (ascon_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Squeezes output data from an ASCON-XOF state. + * + * \param state Hash state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + * + * \sa ascon_xof_init(), ascon_xof_update() + */ +void ascon_xof_squeeze + (ascon_hash_state_t *state, unsigned char *out, unsigned long long outlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/encrypt.c b/ascon/Implementations/crypto_aead/ascon128v12/rhys/encrypt.c new file mode 100644 index 0000000..f32284a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "ascon128.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return ascon128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return ascon128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.c b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.c new file mode 100644 index 0000000..12a8ec6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.c @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-ascon.h" + +void ascon_permute(ascon_state_t *state, uint8_t first_round) +{ + uint64_t t0, t1, t2, t3, t4; +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = be_load_word64(state->B); + uint64_t x1 = be_load_word64(state->B + 8); + uint64_t x2 = be_load_word64(state->B + 16); + uint64_t x3 = be_load_word64(state->B + 24); + uint64_t x4 = be_load_word64(state->B + 32); +#else + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; +#endif + while (first_round < 12) { + /* Add the round constant to the state */ + x2 ^= ((0x0F - first_round) << 4) | first_round; + + /* Substitution layer - apply the s-box using bit-slicing + * according to the algorithm recommended in the specification */ + x0 ^= x4; x4 ^= x3; x2 ^= x1; + t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4; + t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0; + x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; + x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2; + + /* Linear diffusion layer */ + x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0); + x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1); + x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2); + x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3); + x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4); + + /* Move onto the next round */ + ++first_round; + } +#if defined(LW_UTIL_LITTLE_ENDIAN) + be_store_word64(state->B, x0); + be_store_word64(state->B + 8, x1); + be_store_word64(state->B + 16, x2); + be_store_word64(state->B + 24, x3); + be_store_word64(state->B + 32, x4); +#else + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; +#endif +} diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.h b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.h new file mode 100644 index 0000000..d3fa3ca --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_ASCON_H +#define LW_INTERNAL_ASCON_H + +#include "internal-util.h" + +/** + * \file internal-ascon.h + * \brief Internal implementation of the ASCON permutation. + * + * References: http://competitions.cr.yp.to/round3/asconv12.pdf, + * http://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Structure of the internal state of the ASCON permutation. + */ +typedef union +{ + uint64_t S[5]; /**< Words of the state */ + uint8_t B[40]; /**< Bytes of the state */ + +} ascon_state_t; + +/** + * \brief Permutes the ASCON state. + * + * \param state The ASCON state to be permuted. + * \param first_round The first round (of 12) to be performed; 0, 4, or 6. + * + * The input and output \a state will be in big-endian byte order. + */ +void ascon_permute(ascon_state_t *state, uint8_t first_round); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-util.h b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.c b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.h b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/api.h new file mode 100644 index 0000000..f99b349 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 20 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.c b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.c new file mode 100644 index 0000000..80b2e46 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.c @@ -0,0 +1,383 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "ascon128.h" +#include "internal-ascon.h" +#include + +/** + * \brief Initialization vector for ASCON-128. + */ +#define ASCON128_IV 0x80400c0600000000ULL + +/** + * \brief Initialization vector for ASCON-128a. + */ +#define ASCON128a_IV 0x80800c0800000000ULL + +/** + * \brief Initialization vector for ASCON-80pq. + */ +#define ASCON80PQ_IV 0xa0400c06U + +aead_cipher_t const ascon128_cipher = { + "ASCON-128", + ASCON128_KEY_SIZE, + ASCON128_NONCE_SIZE, + ASCON128_TAG_SIZE, + AEAD_FLAG_NONE, + ascon128_aead_encrypt, + ascon128_aead_decrypt +}; + +aead_cipher_t const ascon128a_cipher = { + "ASCON-128a", + ASCON128_KEY_SIZE, + ASCON128_NONCE_SIZE, + ASCON128_TAG_SIZE, + AEAD_FLAG_NONE, + ascon128a_aead_encrypt, + ascon128a_aead_decrypt +}; + +aead_cipher_t const ascon80pq_cipher = { + "ASCON-80pq", + ASCON80PQ_KEY_SIZE, + ASCON80PQ_NONCE_SIZE, + ASCON80PQ_TAG_SIZE, + AEAD_FLAG_NONE, + ascon80pq_aead_encrypt, + ascon80pq_aead_decrypt +}; + +/** + * \brief Absorbs data into an ASCON state. + * + * \param state The state to absorb the data into. + * \param data Points to the data to be absorbed. + * \param len Length of the data to be absorbed. + * \param rate Block rate, which is either 8 or 16. + * \param first_round First round of the permutation to apply each block. + */ +static void ascon_absorb + (ascon_state_t *state, const unsigned char *data, + unsigned long long len, uint8_t rate, uint8_t first_round) +{ + while (len >= rate) { + lw_xor_block(state->B, data, rate); + ascon_permute(state, first_round); + data += rate; + len -= rate; + } + lw_xor_block(state->B, data, (unsigned)len); + state->B[(unsigned)len] ^= 0x80; + ascon_permute(state, first_round); +} + +/** + * \brief Encrypts a block of data with an ASCON state. + * + * \param state The state to encrypt with. + * \param dest Points to the destination buffer. + * \param src Points to the source buffer. + * \param len Length of the data to encrypt from \a src into \a dest. + * \param rate Block rate, which is either 8 or 16. + * \param first_round First round of the permutation to apply each block. + */ +static void ascon_encrypt + (ascon_state_t *state, unsigned char *dest, + const unsigned char *src, unsigned long long len, + uint8_t rate, uint8_t first_round) +{ + while (len >= rate) { + lw_xor_block_2_dest(dest, state->B, src, rate); + ascon_permute(state, first_round); + dest += rate; + src += rate; + len -= rate; + } + lw_xor_block_2_dest(dest, state->B, src, (unsigned)len); + state->B[(unsigned)len] ^= 0x80; +} + +/** + * \brief Decrypts a block of data with an ASCON state. + * + * \param state The state to decrypt with. + * \param dest Points to the destination buffer. + * \param src Points to the source buffer. + * \param len Length of the data to decrypt from \a src into \a dest. + * \param rate Block rate, which is either 8 or 16. + * \param first_round First round of the permutation to apply each block. + */ +static void ascon_decrypt + (ascon_state_t *state, unsigned char *dest, + const unsigned char *src, unsigned long long len, + uint8_t rate, uint8_t first_round) +{ + while (len >= rate) { + lw_xor_block_swap(dest, state->B, src, rate); + ascon_permute(state, first_round); + dest += rate; + src += rate; + len -= rate; + } + lw_xor_block_swap(dest, state->B, src, (unsigned)len); + state->B[(unsigned)len] ^= 0x80; +} + +int ascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Encrypt the plaintext to create the ciphertext */ + ascon_encrypt(&state, c, m, mlen, 8, 6); + + /* Finalize and compute the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); + return 0; +} + +int ascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned plaintext */ + if (clen < ASCON128_TAG_SIZE) + return -1; + *mlen = clen - ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Decrypt the ciphertext to create the plaintext */ + ascon_decrypt(&state, m, c, *mlen, 8, 6); + + /* Finalize and check the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, 16); + return aead_check_tag + (m, *mlen, state.B + 24, c + *mlen, ASCON128_TAG_SIZE); +} + +int ascon128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128a_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 16, 4); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Encrypt the plaintext to create the ciphertext */ + ascon_encrypt(&state, c, m, mlen, 16, 4); + + /* Finalize and compute the authentication tag */ + lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); + return 0; +} + +int ascon128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned plaintext */ + if (clen < ASCON128_TAG_SIZE) + return -1; + *mlen = clen - ASCON128_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word64(state.B, ASCON128a_IV); + memcpy(state.B + 8, k, ASCON128_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 16, 4); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Decrypt the ciphertext to create the plaintext */ + ascon_decrypt(&state, m, c, *mlen, 16, 4); + + /* Finalize and check the authentication tag */ + lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k, 16); + return aead_check_tag + (m, *mlen, state.B + 24, c + *mlen, ASCON128_TAG_SIZE); +} + +int ascon80pq_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ASCON80PQ_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word32(state.B, ASCON80PQ_IV); + memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Encrypt the plaintext to create the ciphertext */ + ascon_encrypt(&state, c, m, mlen, 8, 6); + + /* Finalize and compute the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block_2_src(c + mlen, state.B + 24, k + 4, 16); + return 0; +} + +int ascon80pq_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ascon_state_t state; + (void)nsec; + + /* Set the length of the returned plaintext */ + if (clen < ASCON80PQ_TAG_SIZE) + return -1; + *mlen = clen - ASCON80PQ_TAG_SIZE; + + /* Initialize the ASCON state */ + be_store_word32(state.B, ASCON80PQ_IV); + memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); + memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); + + /* Absorb the associated data into the state */ + if (adlen > 0) + ascon_absorb(&state, ad, adlen, 8, 6); + + /* Separator between the associated data and the payload */ + state.B[39] ^= 0x01; + + /* Decrypt the ciphertext to create the plaintext */ + ascon_decrypt(&state, m, c, *mlen, 8, 6); + + /* Finalize and check the authentication tag */ + lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); + ascon_permute(&state, 0); + lw_xor_block(state.B + 24, k + 4, 16); + return aead_check_tag + (m, *mlen, state.B + 24, c + *mlen, ASCON80PQ_TAG_SIZE); +} diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.h b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.h new file mode 100644 index 0000000..fd9db13 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/ascon128.h @@ -0,0 +1,408 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ASCON_H +#define LWCRYPTO_ASCON_H + +#include "aead-common.h" + +/** + * \file ascon128.h + * \brief ASCON-128 encryption algorithm and related family members. + * + * The ASCON family consists of several related algorithms: + * + * \li ASCON-128 with a 128-bit key, a 128-bit nonce, a 128-bit authentication + * tag, and a block rate of 64 bits. + * \li ASCON-128a with a 128-bit key, a 128-bit nonce, a 128-bit authentication + * tag, and a block rate of 128 bits. This is faster than ASCON-128 but may + * not be as secure. + * \li ASCON-80pq with a 160-bit key, a 128-bit nonce, a 128-bit authentication + * tag, and a block rate of 64 bits. This is similar to ASCON-128 but has a + * 160-bit key instead which may be more resistant against quantum computers. + * \li ASCON-HASH with a 256-bit hash output. + * + * References: https://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for ASCON-128 and ASCON-128a. + */ +#define ASCON128_KEY_SIZE 16 + +/** + * \brief Size of the nonce for ASCON-128 and ASCON-128a. + */ +#define ASCON128_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for ASCON-128 and ASCON-128a. + */ +#define ASCON128_TAG_SIZE 16 + +/** + * \brief Size of the key for ASCON-80pq. + */ +#define ASCON80PQ_KEY_SIZE 20 + +/** + * \brief Size of the nonce for ASCON-80pq. + */ +#define ASCON80PQ_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for ASCON-80pq. + */ +#define ASCON80PQ_TAG_SIZE 16 + +/** + * \brief Size of the hash output for ASCON-HASH. + */ +#define ASCON_HASH_SIZE 32 + +/** + * \brief State information for ASCON-HASH and ASCON-XOF incremental modes. + */ +typedef union +{ + struct { + unsigned char state[40]; /**< Current hash state */ + unsigned char count; /**< Number of bytes in the current block */ + unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} ascon_hash_state_t; + +/** + * \brief Meta-information block for the ASCON-128 cipher. + */ +extern aead_cipher_t const ascon128_cipher; + +/** + * \brief Meta-information block for the ASCON-128a cipher. + */ +extern aead_cipher_t const ascon128a_cipher; + +/** + * \brief Meta-information block for the ASCON-80pq cipher. + */ +extern aead_cipher_t const ascon80pq_cipher; + +/** + * \brief Meta-information block for the ASCON-HASH algorithm. + */ +extern aead_hash_algorithm_t const ascon_hash_algorithm; + +/** + * \brief Meta-information block for the ASCON-XOF algorithm. + */ +extern aead_hash_algorithm_t const ascon_xof_algorithm; + +/** + * \brief Encrypts and authenticates a packet with ASCON-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ascon128_aead_decrypt() + */ +int ascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ASCON-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ascon128_aead_encrypt() + */ +int ascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ASCON-128a. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ascon128a_aead_decrypt() + */ +int ascon128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ASCON-128a. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ascon128a_aead_encrypt() + */ +int ascon128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ASCON-80pq. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 20 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa ascon80pq_aead_decrypt() + */ +int ascon80pq_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ASCON-80pq. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 20 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa ascon80pq_aead_encrypt() + */ +int ascon80pq_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with ASCON-HASH. + * + * \param out Buffer to receive the hash output which must be at least + * ASCON_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + * + * \sa ascon_hash_init(), ascon_hash_absorb(), ascon_hash_squeeze() + */ +int ascon_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an ASCON-HASH hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa ascon_hash_update(), ascon_hash_finalize(), ascon_hash() + */ +void ascon_hash_init(ascon_hash_state_t *state); + +/** + * \brief Updates an ASCON-HASH state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa ascon_hash_init(), ascon_hash_finalize() + */ +void ascon_hash_update + (ascon_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an ASCON-HASH hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa ascon_hash_init(), ascon_hash_update() + */ +void ascon_hash_finalize + (ascon_hash_state_t *state, unsigned char *out); + +/** + * \brief Hashes a block of input data with ASCON-XOF and generates a + * fixed-length 32 byte output. + * + * \param out Buffer to receive the hash output which must be at least + * ASCON_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + * + * Use ascon_xof_squeeze() instead if you need variable-length XOF ouutput. + * + * \sa ascon_xof_init(), ascon_xof_absorb(), ascon_xof_squeeze() + */ +int ascon_xof + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an ASCON-XOF hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa ascon_xof_absorb(), ascon_xof_squeeze(), ascon_xof() + */ +void ascon_xof_init(ascon_hash_state_t *state); + +/** + * \brief Aborbs more input data into an ASCON-XOF state. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +void ascon_xof_absorb + (ascon_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Squeezes output data from an ASCON-XOF state. + * + * \param state Hash state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + * + * \sa ascon_xof_init(), ascon_xof_update() + */ +void ascon_xof_squeeze + (ascon_hash_state_t *state, unsigned char *out, unsigned long long outlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/encrypt.c new file mode 100644 index 0000000..08b7dc9 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "ascon128.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return ascon80pq_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return ascon80pq_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.c b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.c new file mode 100644 index 0000000..12a8ec6 --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.c @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-ascon.h" + +void ascon_permute(ascon_state_t *state, uint8_t first_round) +{ + uint64_t t0, t1, t2, t3, t4; +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = be_load_word64(state->B); + uint64_t x1 = be_load_word64(state->B + 8); + uint64_t x2 = be_load_word64(state->B + 16); + uint64_t x3 = be_load_word64(state->B + 24); + uint64_t x4 = be_load_word64(state->B + 32); +#else + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; +#endif + while (first_round < 12) { + /* Add the round constant to the state */ + x2 ^= ((0x0F - first_round) << 4) | first_round; + + /* Substitution layer - apply the s-box using bit-slicing + * according to the algorithm recommended in the specification */ + x0 ^= x4; x4 ^= x3; x2 ^= x1; + t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4; + t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0; + x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; + x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2; + + /* Linear diffusion layer */ + x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0); + x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1); + x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2); + x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3); + x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4); + + /* Move onto the next round */ + ++first_round; + } +#if defined(LW_UTIL_LITTLE_ENDIAN) + be_store_word64(state->B, x0); + be_store_word64(state->B + 8, x1); + be_store_word64(state->B + 16, x2); + be_store_word64(state->B + 24, x3); + be_store_word64(state->B + 32, x4); +#else + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; +#endif +} diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.h b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.h new file mode 100644 index 0000000..d3fa3ca --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_ASCON_H +#define LW_INTERNAL_ASCON_H + +#include "internal-util.h" + +/** + * \file internal-ascon.h + * \brief Internal implementation of the ASCON permutation. + * + * References: http://competitions.cr.yp.to/round3/asconv12.pdf, + * http://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Structure of the internal state of the ASCON permutation. + */ +typedef union +{ + uint64_t S[5]; /**< Words of the state */ + uint8_t B[40]; /**< Bytes of the state */ + +} ascon_state_t; + +/** + * \brief Permutes the ASCON state. + * + * \param state The ASCON state to be permuted. + * \param first_round The first round (of 12) to be performed; 0, 4, or 6. + * + * The input and output \a state will be in big-endian byte order. + */ +void ascon_permute(ascon_state_t *state, uint8_t first_round); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-util.h b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.h b/comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/api.h b/comet/Implementations/crypto_aead/comet128chamv1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.c new file mode 100644 index 0000000..d068de2 --- /dev/null +++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.c @@ -0,0 +1,607 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "comet.h" +#include "internal-cham.h" +#include "internal-util.h" +#include + +aead_cipher_t const comet_128_cham_cipher = { + "COMET-128_CHAM-128/128", + COMET_KEY_SIZE, + COMET_128_NONCE_SIZE, + COMET_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + comet_128_cham_aead_encrypt, + comet_128_cham_aead_decrypt +}; + +aead_cipher_t const comet_64_cham_cipher = { + "COMET-64_CHAM-64/128", + COMET_KEY_SIZE, + COMET_64_NONCE_SIZE, + COMET_64_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + comet_64_cham_aead_encrypt, + comet_64_cham_aead_decrypt +}; + +aead_cipher_t const comet_64_speck_cipher = { + "COMET-64_SPECK-64/128", + COMET_KEY_SIZE, + COMET_64_NONCE_SIZE, + COMET_64_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + comet_64_speck_aead_encrypt, + comet_64_speck_aead_decrypt +}; + +/** + * \brief Adjusts the Z state to generate the key to use on the next block. + * + * \param Z The Z state to be adjusted. + */ +static void comet_adjust_block_key(unsigned char Z[16]) +{ + /* Doubles the 64-bit prefix to Z in the F(2^64) field */ + unsigned index; + unsigned char mask = (unsigned char)(((signed char)(Z[7])) >> 7); + for (index = 7; index > 0; --index) + Z[index] = (Z[index] << 1) | (Z[index - 1] >> 7); + Z[0] = (Z[0] << 1) ^ (mask & 0x1B); +} + +/* Function prototype for the encrypt function of the underyling cipher */ +typedef void (*comet_encrypt_block_t) + (const unsigned char *key, unsigned char *output, + const unsigned char *input); + +/** + * \brief Processes the associated data for COMET. + * + * \param Y Internal COMET block state of \a block_size bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param block_size Size of the block for the underlying cipher. + * \param encrypt Encryption function for the underlying cipher. + * \param ad Points to the associated data. + * \param adlen Number of bytes of associated data; must be >= 1. + */ +static void comet_process_ad + (unsigned char *Y, unsigned char Z[16], unsigned block_size, + comet_encrypt_block_t encrypt, const unsigned char *ad, + unsigned long long adlen) +{ + /* Domain separator for associated data */ + Z[15] ^= 0x08; + + /* Process all associated data blocks except the last partial block */ + while (adlen >= block_size) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + lw_xor_block(Y, ad, block_size); + ad += block_size; + adlen -= block_size; + } + + /* Pad and process the partial block on the end */ + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + Z[15] ^= 0x10; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + lw_xor_block(Y, ad, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Shuffles the words in a 128-bit block. + * + * \param out The output block after shuffling. + * \param in The input block to be shuffled. + */ +STATIC_INLINE void comet_shuffle_block_128 + (unsigned char out[16], const unsigned char in[16]) +{ + uint32_t x0, x1, x2, x3; + x0 = le_load_word32(in); + x1 = le_load_word32(in + 4); + x2 = le_load_word32(in + 8); + x3 = le_load_word32(in + 12); + le_store_word32(out, x3); + le_store_word32(out + 4, rightRotate1(x2)); + le_store_word32(out + 8, x0); + le_store_word32(out + 12, x1); +} + +/** + * \brief Shuffles the words in a 64-bit block. + * + * \param out The output block after shuffling. + * \param in The input block to be shuffled. + */ +STATIC_INLINE void comet_shuffle_block_64 + (unsigned char out[8], const unsigned char in[8]) +{ + uint32_t x01 = le_load_word32(in); + uint16_t x2 = ((uint16_t)(in[4])) | (((uint16_t)(in[5])) << 8); + out[0] = in[6]; + out[1] = in[7]; + x2 = (x2 >> 1) | (x2 << 15); + out[2] = (uint8_t)x2; + out[3] = (uint8_t)(x2 >> 8); + le_store_word32(out + 4, x01); +} + +/** + * \brief Encrypts the plaintext with COMET-128 to produce the ciphertext. + * + * \param Y Internal COMET block state of 16 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param c Ciphertext on output. + * \param m Plaintext message on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_encrypt_128 + (unsigned char Y[16], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char Ys[16]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 16) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block(Y, m, 16); + lw_xor_block_2_src(c, m, Ys, 16); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block(Y, m, temp); + lw_xor_block_2_src(c, m, Ys, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Encrypts the plaintext with COMET-64 to produce the ciphertext. + * + * \param Y Internal COMET block state of 8 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param c Ciphertext on output. + * \param m Plaintext message on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_encrypt_64 + (unsigned char Y[8], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char Ys[8]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 8) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block(Y, m, 8); + lw_xor_block_2_src(c, m, Ys, 8); + c += 8; + m += 8; + mlen -= 8; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block(Y, m, temp); + lw_xor_block_2_src(c, m, Ys, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Decrypts the ciphertext with COMET-128 to produce the plaintext. + * + * \param Y Internal COMET block state of 16 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param m Plaintext message on output. + * \param c Ciphertext on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_decrypt_128 + (unsigned char Y[16], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char Ys[16]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 16) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block_2_src(m, c, Ys, 16); + lw_xor_block(Y, m, 16); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block_2_src(m, c, Ys, temp); + lw_xor_block(Y, m, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Decrypts the ciphertext with COMET-64 to produce the plaintext. + * + * \param Y Internal COMET block state of 8 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param m Plaintext message on output. + * \param c Ciphertext on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_decrypt_64 + (unsigned char Y[8], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char Ys[8]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 8) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block_2_src(m, c, Ys, 8); + lw_xor_block(Y, m, 8); + c += 8; + m += 8; + mlen -= 8; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block_2_src(m, c, Ys, temp); + lw_xor_block(Y, m, temp); + Y[temp] ^= 0x01; + } +} + +int comet_128_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[16]; + unsigned char Z[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + COMET_128_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memcpy(Y, k, 16); + cham128_128_encrypt(Y, Z, npub); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + comet_encrypt_128(Y, Z, cham128_128_encrypt, c, m, mlen); + + /* Generate the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham128_128_encrypt(Z, c + mlen, Y); + return 0; +} + +int comet_128_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[16]; + unsigned char Z[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < COMET_128_TAG_SIZE) + return -1; + *mlen = clen - COMET_128_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memcpy(Y, k, 16); + cham128_128_encrypt(Y, Z, npub); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > COMET_128_TAG_SIZE) + comet_decrypt_128(Y, Z, cham128_128_encrypt, m, c, *mlen); + + /* Check the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham128_128_encrypt(Z, Y, Y); + return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_128_TAG_SIZE); +} + +int comet_64_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + cham64_128_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + comet_encrypt_64(Y, Z, cham64_128_encrypt, c, m, mlen); + + /* Generate the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham64_128_encrypt(Z, c + mlen, Y); + return 0; +} + +int comet_64_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < COMET_64_TAG_SIZE) + return -1; + *mlen = clen - COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + cham64_128_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > COMET_64_TAG_SIZE) + comet_decrypt_64(Y, Z, cham64_128_encrypt, m, c, *mlen); + + /* Check the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham64_128_encrypt(Z, Y, Y); + return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); +} + +/** + * \brief Encrypts a 64-bit block with SPECK-64-128 in COMET byte order. + * + * \param key Points to the 16 bytes of the key. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \note This version differs from standard SPECK-64 in that it uses the + * little-endian byte order from the COMET specification which is different + * from the big-endian byte order from the original SPECK paper. + */ +static void speck64_128_comet_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input) +{ + uint32_t l[4]; + uint32_t x, y, s; + uint8_t round; + uint8_t li_in = 0; + uint8_t li_out = 3; + + /* Unpack the key and the input block */ + s = le_load_word32(key); + l[0] = le_load_word32(key + 4); + l[1] = le_load_word32(key + 8); + l[2] = le_load_word32(key + 12); + y = le_load_word32(input); + x = le_load_word32(input + 4); + + /* Perform all encryption rounds except the last */ + for (round = 0; round < 26; ++round) { + /* Perform the round with the current key schedule word */ + x = (rightRotate8(x) + y) ^ s; + y = leftRotate3(y) ^ x; + + /* Calculate the next key schedule word */ + l[li_out] = (s + rightRotate8(l[li_in])) ^ round; + s = leftRotate3(s) ^ l[li_out]; + li_in = (li_in + 1) & 0x03; + li_out = (li_out + 1) & 0x03; + } + + /* Perform the last encryption round and write the result to the output */ + x = (rightRotate8(x) + y) ^ s; + y = leftRotate3(y) ^ x; + le_store_word32(output, y); + le_store_word32(output + 4, x); +} + +int comet_64_speck_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + speck64_128_comet_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + comet_encrypt_64(Y, Z, speck64_128_comet_encrypt, c, m, mlen); + + /* Generate the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + speck64_128_comet_encrypt(Z, c + mlen, Y); + return 0; +} + +int comet_64_speck_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < COMET_64_TAG_SIZE) + return -1; + *mlen = clen - COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + speck64_128_comet_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > COMET_64_TAG_SIZE) + comet_decrypt_64(Y, Z, speck64_128_comet_encrypt, m, c, *mlen); + + /* Check the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + speck64_128_comet_encrypt(Z, Y, Y); + return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); +} diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.h b/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.h new file mode 100644 index 0000000..d1b24a6 --- /dev/null +++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.h @@ -0,0 +1,274 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_COMET_H +#define LWCRYPTO_COMET_H + +#include "aead-common.h" + +/** + * \file comet.h + * \brief COMET authenticated encryption algorithm. + * + * COMET is a family of authenticated encryption algorithms that are + * built around an underlying block cipher. This library implements + * three members of the family: + * + * \li COMET-128_CHAM-128/128 which has a 128-bit key, a 128-bit nonce, + * and a 128-bit tag, built around the CHAM-128/128 block cipher. + * \li COMET-64_CHAM-64/128 which has a 128-bit key, a 120-bit nonce, + * and a 64-bit tag, built around the CHAM-64/128 block cipher. + * \li COMET-64_SPECK-64/128 which has a 128-bit key, a 120-bit nonce, + * and a 64-bit tag, built around the SPECK-64/128 block cipher. + * + * There is also another family member that is built around AES but + * this library does not implement that version. + * + * References: https://www.isical.ac.in/~lightweight/comet/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all COMET family members. + */ +#define COMET_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for the 128-bit versions of COMET. + */ +#define COMET_128_TAG_SIZE 16 + +/** + * \brief Size of the authentication tag for the 64-bit versions of COMET. + */ +#define COMET_64_TAG_SIZE 8 + +/** + * \brief Size of the nonce for the 128-bit versions of COMET. + */ +#define COMET_128_NONCE_SIZE 16 + +/** + * \brief Size of the nonce for the 64-bit versions of COMET. + */ +#define COMET_64_NONCE_SIZE 15 + +/** + * \brief Meta-information block for the COMET-128_CHAM-128/128 cipher. + */ +extern aead_cipher_t const comet_128_cham_cipher; + +/** + * \brief Meta-information block for the COMET-64_CHAM-64/128 cipher. + */ +extern aead_cipher_t const comet_64_cham_cipher; + +/** + * \brief Meta-information block for the COMET-64_SPECK-64/128 cipher. + */ +extern aead_cipher_t const comet_64_speck_cipher; + +/** + * \brief Encrypts and authenticates a packet with COMET-128_CHAM-128/128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa comet_128_cham_aead_decrypt() + */ +int comet_128_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with COMET-128_CHAM-128/128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa comet_128_cham_aead_encrypt() + */ +int comet_128_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with COMET-64_CHAM-64/128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa comet_64_cham_aead_decrypt() + */ +int comet_64_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with COMET-64_CHAM-64/128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa comet_64_cham_aead_encrypt() + */ +int comet_64_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with COMET-64_SPECK-64/128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa comet_64_speck_aead_decrypt() + */ +int comet_64_speck_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with COMET-64_SPECK-64/128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa comet_64_speck_aead_encrypt() + */ +int comet_64_speck_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/encrypt.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys/encrypt.c new file mode 100644 index 0000000..66c5ad7 --- /dev/null +++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "comet.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return comet_128_cham_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return comet_128_cham_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.c new file mode 100644 index 0000000..e097dbd --- /dev/null +++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.c @@ -0,0 +1,134 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-cham.h" +#include "internal-util.h" + +void cham128_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input) +{ + uint32_t x0, x1, x2, x3; + uint32_t k[8]; + uint8_t round; + + /* Unpack the key and generate the key schedule */ + k[0] = le_load_word32(key); + k[1] = le_load_word32(key + 4); + k[2] = le_load_word32(key + 8); + k[3] = le_load_word32(key + 12); + k[4] = k[1] ^ leftRotate1(k[1]) ^ leftRotate11(k[1]); + k[5] = k[0] ^ leftRotate1(k[0]) ^ leftRotate11(k[0]); + k[6] = k[3] ^ leftRotate1(k[3]) ^ leftRotate11(k[3]); + k[7] = k[2] ^ leftRotate1(k[2]) ^ leftRotate11(k[2]); + k[0] ^= leftRotate1(k[0]) ^ leftRotate8(k[0]); + k[1] ^= leftRotate1(k[1]) ^ leftRotate8(k[1]); + k[2] ^= leftRotate1(k[2]) ^ leftRotate8(k[2]); + k[3] ^= leftRotate1(k[3]) ^ leftRotate8(k[3]); + + /* Unpack the input block */ + x0 = le_load_word32(input); + x1 = le_load_word32(input + 4); + x2 = le_load_word32(input + 8); + x3 = le_load_word32(input + 12); + + /* Perform the 80 rounds eight at a time */ + for (round = 0; round < 80; round += 8) { + x0 = leftRotate8((x0 ^ round) + (leftRotate1(x1) ^ k[0])); + x1 = leftRotate1((x1 ^ (round + 1)) + (leftRotate8(x2) ^ k[1])); + x2 = leftRotate8((x2 ^ (round + 2)) + (leftRotate1(x3) ^ k[2])); + x3 = leftRotate1((x3 ^ (round + 3)) + (leftRotate8(x0) ^ k[3])); + x0 = leftRotate8((x0 ^ (round + 4)) + (leftRotate1(x1) ^ k[4])); + x1 = leftRotate1((x1 ^ (round + 5)) + (leftRotate8(x2) ^ k[5])); + x2 = leftRotate8((x2 ^ (round + 6)) + (leftRotate1(x3) ^ k[6])); + x3 = leftRotate1((x3 ^ (round + 7)) + (leftRotate8(x0) ^ k[7])); + } + + /* Pack the state into the output block */ + le_store_word32(output, x0); + le_store_word32(output + 4, x1); + le_store_word32(output + 8, x2); + le_store_word32(output + 12, x3); +} + +void cham64_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input) +{ + uint16_t x0, x1, x2, x3; + uint16_t k[16]; + uint8_t round; + + /* Unpack the key and generate the key schedule */ + k[0] = le_load_word16(key); + k[1] = le_load_word16(key + 2); + k[2] = le_load_word16(key + 4); + k[3] = le_load_word16(key + 6); + k[4] = le_load_word16(key + 8); + k[5] = le_load_word16(key + 10); + k[6] = le_load_word16(key + 12); + k[7] = le_load_word16(key + 14); + k[8] = k[1] ^ leftRotate1_16(k[1]) ^ leftRotate11_16(k[1]); + k[9] = k[0] ^ leftRotate1_16(k[0]) ^ leftRotate11_16(k[0]); + k[10] = k[3] ^ leftRotate1_16(k[3]) ^ leftRotate11_16(k[3]); + k[11] = k[2] ^ leftRotate1_16(k[2]) ^ leftRotate11_16(k[2]); + k[12] = k[5] ^ leftRotate1_16(k[5]) ^ leftRotate11_16(k[5]); + k[13] = k[4] ^ leftRotate1_16(k[4]) ^ leftRotate11_16(k[4]); + k[14] = k[7] ^ leftRotate1_16(k[7]) ^ leftRotate11_16(k[7]); + k[15] = k[6] ^ leftRotate1_16(k[6]) ^ leftRotate11_16(k[6]); + k[0] ^= leftRotate1_16(k[0]) ^ leftRotate8_16(k[0]); + k[1] ^= leftRotate1_16(k[1]) ^ leftRotate8_16(k[1]); + k[2] ^= leftRotate1_16(k[2]) ^ leftRotate8_16(k[2]); + k[3] ^= leftRotate1_16(k[3]) ^ leftRotate8_16(k[3]); + k[4] ^= leftRotate1_16(k[4]) ^ leftRotate8_16(k[4]); + k[5] ^= leftRotate1_16(k[5]) ^ leftRotate8_16(k[5]); + k[6] ^= leftRotate1_16(k[6]) ^ leftRotate8_16(k[6]); + k[7] ^= leftRotate1_16(k[7]) ^ leftRotate8_16(k[7]); + + /* Unpack the input block */ + x0 = le_load_word16(input); + x1 = le_load_word16(input + 2); + x2 = le_load_word16(input + 4); + x3 = le_load_word16(input + 6); + + /* Perform the 80 rounds four at a time */ + for (round = 0; round < 80; round += 4) { + x0 = leftRotate8_16 + ((x0 ^ round) + + (leftRotate1_16(x1) ^ k[round % 16])); + x1 = leftRotate1_16 + ((x1 ^ (round + 1)) + + (leftRotate8_16(x2) ^ k[(round + 1) % 16])); + x2 = leftRotate8_16 + ((x2 ^ (round + 2)) + + (leftRotate1_16(x3) ^ k[(round + 2) % 16])); + x3 = leftRotate1_16 + ((x3 ^ (round + 3)) + + (leftRotate8_16(x0) ^ k[(round + 3) % 16])); + } + + /* Pack the state into the output block */ + le_store_word16(output, x0); + le_store_word16(output + 2, x1); + le_store_word16(output + 4, x2); + le_store_word16(output + 6, x3); +} diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.h b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.h new file mode 100644 index 0000000..29d5ccf --- /dev/null +++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.h @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_CHAM_H +#define LW_INTERNAL_CHAM_H + +/** + * \file internal-cham.h + * \brief CHAM block cipher. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts a 128-bit block with CHAM-128-128. + * + * \param key Points to the 16 bytes of the key. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void cham128_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 64-bit block with CHAM-64-128. + * + * \param key Points to the 16 bytes of the key. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void cham64_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-util.h b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.h b/comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/api.h b/comet/Implementations/crypto_aead/comet64chamv1/rhys/api.h new file mode 100644 index 0000000..9f9959f --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 15 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.c new file mode 100644 index 0000000..d068de2 --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.c @@ -0,0 +1,607 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "comet.h" +#include "internal-cham.h" +#include "internal-util.h" +#include + +aead_cipher_t const comet_128_cham_cipher = { + "COMET-128_CHAM-128/128", + COMET_KEY_SIZE, + COMET_128_NONCE_SIZE, + COMET_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + comet_128_cham_aead_encrypt, + comet_128_cham_aead_decrypt +}; + +aead_cipher_t const comet_64_cham_cipher = { + "COMET-64_CHAM-64/128", + COMET_KEY_SIZE, + COMET_64_NONCE_SIZE, + COMET_64_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + comet_64_cham_aead_encrypt, + comet_64_cham_aead_decrypt +}; + +aead_cipher_t const comet_64_speck_cipher = { + "COMET-64_SPECK-64/128", + COMET_KEY_SIZE, + COMET_64_NONCE_SIZE, + COMET_64_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + comet_64_speck_aead_encrypt, + comet_64_speck_aead_decrypt +}; + +/** + * \brief Adjusts the Z state to generate the key to use on the next block. + * + * \param Z The Z state to be adjusted. + */ +static void comet_adjust_block_key(unsigned char Z[16]) +{ + /* Doubles the 64-bit prefix to Z in the F(2^64) field */ + unsigned index; + unsigned char mask = (unsigned char)(((signed char)(Z[7])) >> 7); + for (index = 7; index > 0; --index) + Z[index] = (Z[index] << 1) | (Z[index - 1] >> 7); + Z[0] = (Z[0] << 1) ^ (mask & 0x1B); +} + +/* Function prototype for the encrypt function of the underyling cipher */ +typedef void (*comet_encrypt_block_t) + (const unsigned char *key, unsigned char *output, + const unsigned char *input); + +/** + * \brief Processes the associated data for COMET. + * + * \param Y Internal COMET block state of \a block_size bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param block_size Size of the block for the underlying cipher. + * \param encrypt Encryption function for the underlying cipher. + * \param ad Points to the associated data. + * \param adlen Number of bytes of associated data; must be >= 1. + */ +static void comet_process_ad + (unsigned char *Y, unsigned char Z[16], unsigned block_size, + comet_encrypt_block_t encrypt, const unsigned char *ad, + unsigned long long adlen) +{ + /* Domain separator for associated data */ + Z[15] ^= 0x08; + + /* Process all associated data blocks except the last partial block */ + while (adlen >= block_size) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + lw_xor_block(Y, ad, block_size); + ad += block_size; + adlen -= block_size; + } + + /* Pad and process the partial block on the end */ + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + Z[15] ^= 0x10; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + lw_xor_block(Y, ad, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Shuffles the words in a 128-bit block. + * + * \param out The output block after shuffling. + * \param in The input block to be shuffled. + */ +STATIC_INLINE void comet_shuffle_block_128 + (unsigned char out[16], const unsigned char in[16]) +{ + uint32_t x0, x1, x2, x3; + x0 = le_load_word32(in); + x1 = le_load_word32(in + 4); + x2 = le_load_word32(in + 8); + x3 = le_load_word32(in + 12); + le_store_word32(out, x3); + le_store_word32(out + 4, rightRotate1(x2)); + le_store_word32(out + 8, x0); + le_store_word32(out + 12, x1); +} + +/** + * \brief Shuffles the words in a 64-bit block. + * + * \param out The output block after shuffling. + * \param in The input block to be shuffled. + */ +STATIC_INLINE void comet_shuffle_block_64 + (unsigned char out[8], const unsigned char in[8]) +{ + uint32_t x01 = le_load_word32(in); + uint16_t x2 = ((uint16_t)(in[4])) | (((uint16_t)(in[5])) << 8); + out[0] = in[6]; + out[1] = in[7]; + x2 = (x2 >> 1) | (x2 << 15); + out[2] = (uint8_t)x2; + out[3] = (uint8_t)(x2 >> 8); + le_store_word32(out + 4, x01); +} + +/** + * \brief Encrypts the plaintext with COMET-128 to produce the ciphertext. + * + * \param Y Internal COMET block state of 16 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param c Ciphertext on output. + * \param m Plaintext message on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_encrypt_128 + (unsigned char Y[16], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char Ys[16]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 16) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block(Y, m, 16); + lw_xor_block_2_src(c, m, Ys, 16); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block(Y, m, temp); + lw_xor_block_2_src(c, m, Ys, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Encrypts the plaintext with COMET-64 to produce the ciphertext. + * + * \param Y Internal COMET block state of 8 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param c Ciphertext on output. + * \param m Plaintext message on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_encrypt_64 + (unsigned char Y[8], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char Ys[8]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 8) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block(Y, m, 8); + lw_xor_block_2_src(c, m, Ys, 8); + c += 8; + m += 8; + mlen -= 8; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block(Y, m, temp); + lw_xor_block_2_src(c, m, Ys, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Decrypts the ciphertext with COMET-128 to produce the plaintext. + * + * \param Y Internal COMET block state of 16 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param m Plaintext message on output. + * \param c Ciphertext on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_decrypt_128 + (unsigned char Y[16], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char Ys[16]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 16) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block_2_src(m, c, Ys, 16); + lw_xor_block(Y, m, 16); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block_2_src(m, c, Ys, temp); + lw_xor_block(Y, m, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Decrypts the ciphertext with COMET-64 to produce the plaintext. + * + * \param Y Internal COMET block state of 8 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param m Plaintext message on output. + * \param c Ciphertext on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_decrypt_64 + (unsigned char Y[8], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char Ys[8]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 8) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block_2_src(m, c, Ys, 8); + lw_xor_block(Y, m, 8); + c += 8; + m += 8; + mlen -= 8; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block_2_src(m, c, Ys, temp); + lw_xor_block(Y, m, temp); + Y[temp] ^= 0x01; + } +} + +int comet_128_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[16]; + unsigned char Z[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + COMET_128_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memcpy(Y, k, 16); + cham128_128_encrypt(Y, Z, npub); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + comet_encrypt_128(Y, Z, cham128_128_encrypt, c, m, mlen); + + /* Generate the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham128_128_encrypt(Z, c + mlen, Y); + return 0; +} + +int comet_128_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[16]; + unsigned char Z[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < COMET_128_TAG_SIZE) + return -1; + *mlen = clen - COMET_128_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memcpy(Y, k, 16); + cham128_128_encrypt(Y, Z, npub); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > COMET_128_TAG_SIZE) + comet_decrypt_128(Y, Z, cham128_128_encrypt, m, c, *mlen); + + /* Check the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham128_128_encrypt(Z, Y, Y); + return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_128_TAG_SIZE); +} + +int comet_64_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + cham64_128_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + comet_encrypt_64(Y, Z, cham64_128_encrypt, c, m, mlen); + + /* Generate the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham64_128_encrypt(Z, c + mlen, Y); + return 0; +} + +int comet_64_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < COMET_64_TAG_SIZE) + return -1; + *mlen = clen - COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + cham64_128_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > COMET_64_TAG_SIZE) + comet_decrypt_64(Y, Z, cham64_128_encrypt, m, c, *mlen); + + /* Check the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham64_128_encrypt(Z, Y, Y); + return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); +} + +/** + * \brief Encrypts a 64-bit block with SPECK-64-128 in COMET byte order. + * + * \param key Points to the 16 bytes of the key. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \note This version differs from standard SPECK-64 in that it uses the + * little-endian byte order from the COMET specification which is different + * from the big-endian byte order from the original SPECK paper. + */ +static void speck64_128_comet_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input) +{ + uint32_t l[4]; + uint32_t x, y, s; + uint8_t round; + uint8_t li_in = 0; + uint8_t li_out = 3; + + /* Unpack the key and the input block */ + s = le_load_word32(key); + l[0] = le_load_word32(key + 4); + l[1] = le_load_word32(key + 8); + l[2] = le_load_word32(key + 12); + y = le_load_word32(input); + x = le_load_word32(input + 4); + + /* Perform all encryption rounds except the last */ + for (round = 0; round < 26; ++round) { + /* Perform the round with the current key schedule word */ + x = (rightRotate8(x) + y) ^ s; + y = leftRotate3(y) ^ x; + + /* Calculate the next key schedule word */ + l[li_out] = (s + rightRotate8(l[li_in])) ^ round; + s = leftRotate3(s) ^ l[li_out]; + li_in = (li_in + 1) & 0x03; + li_out = (li_out + 1) & 0x03; + } + + /* Perform the last encryption round and write the result to the output */ + x = (rightRotate8(x) + y) ^ s; + y = leftRotate3(y) ^ x; + le_store_word32(output, y); + le_store_word32(output + 4, x); +} + +int comet_64_speck_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + speck64_128_comet_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + comet_encrypt_64(Y, Z, speck64_128_comet_encrypt, c, m, mlen); + + /* Generate the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + speck64_128_comet_encrypt(Z, c + mlen, Y); + return 0; +} + +int comet_64_speck_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < COMET_64_TAG_SIZE) + return -1; + *mlen = clen - COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + speck64_128_comet_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > COMET_64_TAG_SIZE) + comet_decrypt_64(Y, Z, speck64_128_comet_encrypt, m, c, *mlen); + + /* Check the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + speck64_128_comet_encrypt(Z, Y, Y); + return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); +} diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.h b/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.h new file mode 100644 index 0000000..d1b24a6 --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.h @@ -0,0 +1,274 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_COMET_H +#define LWCRYPTO_COMET_H + +#include "aead-common.h" + +/** + * \file comet.h + * \brief COMET authenticated encryption algorithm. + * + * COMET is a family of authenticated encryption algorithms that are + * built around an underlying block cipher. This library implements + * three members of the family: + * + * \li COMET-128_CHAM-128/128 which has a 128-bit key, a 128-bit nonce, + * and a 128-bit tag, built around the CHAM-128/128 block cipher. + * \li COMET-64_CHAM-64/128 which has a 128-bit key, a 120-bit nonce, + * and a 64-bit tag, built around the CHAM-64/128 block cipher. + * \li COMET-64_SPECK-64/128 which has a 128-bit key, a 120-bit nonce, + * and a 64-bit tag, built around the SPECK-64/128 block cipher. + * + * There is also another family member that is built around AES but + * this library does not implement that version. + * + * References: https://www.isical.ac.in/~lightweight/comet/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all COMET family members. + */ +#define COMET_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for the 128-bit versions of COMET. + */ +#define COMET_128_TAG_SIZE 16 + +/** + * \brief Size of the authentication tag for the 64-bit versions of COMET. + */ +#define COMET_64_TAG_SIZE 8 + +/** + * \brief Size of the nonce for the 128-bit versions of COMET. + */ +#define COMET_128_NONCE_SIZE 16 + +/** + * \brief Size of the nonce for the 64-bit versions of COMET. + */ +#define COMET_64_NONCE_SIZE 15 + +/** + * \brief Meta-information block for the COMET-128_CHAM-128/128 cipher. + */ +extern aead_cipher_t const comet_128_cham_cipher; + +/** + * \brief Meta-information block for the COMET-64_CHAM-64/128 cipher. + */ +extern aead_cipher_t const comet_64_cham_cipher; + +/** + * \brief Meta-information block for the COMET-64_SPECK-64/128 cipher. + */ +extern aead_cipher_t const comet_64_speck_cipher; + +/** + * \brief Encrypts and authenticates a packet with COMET-128_CHAM-128/128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa comet_128_cham_aead_decrypt() + */ +int comet_128_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with COMET-128_CHAM-128/128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa comet_128_cham_aead_encrypt() + */ +int comet_128_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with COMET-64_CHAM-64/128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa comet_64_cham_aead_decrypt() + */ +int comet_64_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with COMET-64_CHAM-64/128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa comet_64_cham_aead_encrypt() + */ +int comet_64_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with COMET-64_SPECK-64/128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa comet_64_speck_aead_decrypt() + */ +int comet_64_speck_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with COMET-64_SPECK-64/128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa comet_64_speck_aead_encrypt() + */ +int comet_64_speck_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/encrypt.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys/encrypt.c new file mode 100644 index 0000000..e832eac --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "comet.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return comet_64_cham_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return comet_64_cham_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.c new file mode 100644 index 0000000..e097dbd --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.c @@ -0,0 +1,134 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-cham.h" +#include "internal-util.h" + +void cham128_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input) +{ + uint32_t x0, x1, x2, x3; + uint32_t k[8]; + uint8_t round; + + /* Unpack the key and generate the key schedule */ + k[0] = le_load_word32(key); + k[1] = le_load_word32(key + 4); + k[2] = le_load_word32(key + 8); + k[3] = le_load_word32(key + 12); + k[4] = k[1] ^ leftRotate1(k[1]) ^ leftRotate11(k[1]); + k[5] = k[0] ^ leftRotate1(k[0]) ^ leftRotate11(k[0]); + k[6] = k[3] ^ leftRotate1(k[3]) ^ leftRotate11(k[3]); + k[7] = k[2] ^ leftRotate1(k[2]) ^ leftRotate11(k[2]); + k[0] ^= leftRotate1(k[0]) ^ leftRotate8(k[0]); + k[1] ^= leftRotate1(k[1]) ^ leftRotate8(k[1]); + k[2] ^= leftRotate1(k[2]) ^ leftRotate8(k[2]); + k[3] ^= leftRotate1(k[3]) ^ leftRotate8(k[3]); + + /* Unpack the input block */ + x0 = le_load_word32(input); + x1 = le_load_word32(input + 4); + x2 = le_load_word32(input + 8); + x3 = le_load_word32(input + 12); + + /* Perform the 80 rounds eight at a time */ + for (round = 0; round < 80; round += 8) { + x0 = leftRotate8((x0 ^ round) + (leftRotate1(x1) ^ k[0])); + x1 = leftRotate1((x1 ^ (round + 1)) + (leftRotate8(x2) ^ k[1])); + x2 = leftRotate8((x2 ^ (round + 2)) + (leftRotate1(x3) ^ k[2])); + x3 = leftRotate1((x3 ^ (round + 3)) + (leftRotate8(x0) ^ k[3])); + x0 = leftRotate8((x0 ^ (round + 4)) + (leftRotate1(x1) ^ k[4])); + x1 = leftRotate1((x1 ^ (round + 5)) + (leftRotate8(x2) ^ k[5])); + x2 = leftRotate8((x2 ^ (round + 6)) + (leftRotate1(x3) ^ k[6])); + x3 = leftRotate1((x3 ^ (round + 7)) + (leftRotate8(x0) ^ k[7])); + } + + /* Pack the state into the output block */ + le_store_word32(output, x0); + le_store_word32(output + 4, x1); + le_store_word32(output + 8, x2); + le_store_word32(output + 12, x3); +} + +void cham64_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input) +{ + uint16_t x0, x1, x2, x3; + uint16_t k[16]; + uint8_t round; + + /* Unpack the key and generate the key schedule */ + k[0] = le_load_word16(key); + k[1] = le_load_word16(key + 2); + k[2] = le_load_word16(key + 4); + k[3] = le_load_word16(key + 6); + k[4] = le_load_word16(key + 8); + k[5] = le_load_word16(key + 10); + k[6] = le_load_word16(key + 12); + k[7] = le_load_word16(key + 14); + k[8] = k[1] ^ leftRotate1_16(k[1]) ^ leftRotate11_16(k[1]); + k[9] = k[0] ^ leftRotate1_16(k[0]) ^ leftRotate11_16(k[0]); + k[10] = k[3] ^ leftRotate1_16(k[3]) ^ leftRotate11_16(k[3]); + k[11] = k[2] ^ leftRotate1_16(k[2]) ^ leftRotate11_16(k[2]); + k[12] = k[5] ^ leftRotate1_16(k[5]) ^ leftRotate11_16(k[5]); + k[13] = k[4] ^ leftRotate1_16(k[4]) ^ leftRotate11_16(k[4]); + k[14] = k[7] ^ leftRotate1_16(k[7]) ^ leftRotate11_16(k[7]); + k[15] = k[6] ^ leftRotate1_16(k[6]) ^ leftRotate11_16(k[6]); + k[0] ^= leftRotate1_16(k[0]) ^ leftRotate8_16(k[0]); + k[1] ^= leftRotate1_16(k[1]) ^ leftRotate8_16(k[1]); + k[2] ^= leftRotate1_16(k[2]) ^ leftRotate8_16(k[2]); + k[3] ^= leftRotate1_16(k[3]) ^ leftRotate8_16(k[3]); + k[4] ^= leftRotate1_16(k[4]) ^ leftRotate8_16(k[4]); + k[5] ^= leftRotate1_16(k[5]) ^ leftRotate8_16(k[5]); + k[6] ^= leftRotate1_16(k[6]) ^ leftRotate8_16(k[6]); + k[7] ^= leftRotate1_16(k[7]) ^ leftRotate8_16(k[7]); + + /* Unpack the input block */ + x0 = le_load_word16(input); + x1 = le_load_word16(input + 2); + x2 = le_load_word16(input + 4); + x3 = le_load_word16(input + 6); + + /* Perform the 80 rounds four at a time */ + for (round = 0; round < 80; round += 4) { + x0 = leftRotate8_16 + ((x0 ^ round) + + (leftRotate1_16(x1) ^ k[round % 16])); + x1 = leftRotate1_16 + ((x1 ^ (round + 1)) + + (leftRotate8_16(x2) ^ k[(round + 1) % 16])); + x2 = leftRotate8_16 + ((x2 ^ (round + 2)) + + (leftRotate1_16(x3) ^ k[(round + 2) % 16])); + x3 = leftRotate1_16 + ((x3 ^ (round + 3)) + + (leftRotate8_16(x0) ^ k[(round + 3) % 16])); + } + + /* Pack the state into the output block */ + le_store_word16(output, x0); + le_store_word16(output + 2, x1); + le_store_word16(output + 4, x2); + le_store_word16(output + 6, x3); +} diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.h b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.h new file mode 100644 index 0000000..29d5ccf --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.h @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_CHAM_H +#define LW_INTERNAL_CHAM_H + +/** + * \file internal-cham.h + * \brief CHAM block cipher. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts a 128-bit block with CHAM-128-128. + * + * \param key Points to the 16 bytes of the key. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void cham128_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 64-bit block with CHAM-64-128. + * + * \param key Points to the 16 bytes of the key. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void cham64_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-util.h b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.h b/comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/api.h b/comet/Implementations/crypto_aead/comet64speckv1/rhys/api.h new file mode 100644 index 0000000..9f9959f --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 15 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.c new file mode 100644 index 0000000..d068de2 --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.c @@ -0,0 +1,607 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "comet.h" +#include "internal-cham.h" +#include "internal-util.h" +#include + +aead_cipher_t const comet_128_cham_cipher = { + "COMET-128_CHAM-128/128", + COMET_KEY_SIZE, + COMET_128_NONCE_SIZE, + COMET_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + comet_128_cham_aead_encrypt, + comet_128_cham_aead_decrypt +}; + +aead_cipher_t const comet_64_cham_cipher = { + "COMET-64_CHAM-64/128", + COMET_KEY_SIZE, + COMET_64_NONCE_SIZE, + COMET_64_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + comet_64_cham_aead_encrypt, + comet_64_cham_aead_decrypt +}; + +aead_cipher_t const comet_64_speck_cipher = { + "COMET-64_SPECK-64/128", + COMET_KEY_SIZE, + COMET_64_NONCE_SIZE, + COMET_64_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + comet_64_speck_aead_encrypt, + comet_64_speck_aead_decrypt +}; + +/** + * \brief Adjusts the Z state to generate the key to use on the next block. + * + * \param Z The Z state to be adjusted. + */ +static void comet_adjust_block_key(unsigned char Z[16]) +{ + /* Doubles the 64-bit prefix to Z in the F(2^64) field */ + unsigned index; + unsigned char mask = (unsigned char)(((signed char)(Z[7])) >> 7); + for (index = 7; index > 0; --index) + Z[index] = (Z[index] << 1) | (Z[index - 1] >> 7); + Z[0] = (Z[0] << 1) ^ (mask & 0x1B); +} + +/* Function prototype for the encrypt function of the underyling cipher */ +typedef void (*comet_encrypt_block_t) + (const unsigned char *key, unsigned char *output, + const unsigned char *input); + +/** + * \brief Processes the associated data for COMET. + * + * \param Y Internal COMET block state of \a block_size bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param block_size Size of the block for the underlying cipher. + * \param encrypt Encryption function for the underlying cipher. + * \param ad Points to the associated data. + * \param adlen Number of bytes of associated data; must be >= 1. + */ +static void comet_process_ad + (unsigned char *Y, unsigned char Z[16], unsigned block_size, + comet_encrypt_block_t encrypt, const unsigned char *ad, + unsigned long long adlen) +{ + /* Domain separator for associated data */ + Z[15] ^= 0x08; + + /* Process all associated data blocks except the last partial block */ + while (adlen >= block_size) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + lw_xor_block(Y, ad, block_size); + ad += block_size; + adlen -= block_size; + } + + /* Pad and process the partial block on the end */ + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + Z[15] ^= 0x10; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + lw_xor_block(Y, ad, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Shuffles the words in a 128-bit block. + * + * \param out The output block after shuffling. + * \param in The input block to be shuffled. + */ +STATIC_INLINE void comet_shuffle_block_128 + (unsigned char out[16], const unsigned char in[16]) +{ + uint32_t x0, x1, x2, x3; + x0 = le_load_word32(in); + x1 = le_load_word32(in + 4); + x2 = le_load_word32(in + 8); + x3 = le_load_word32(in + 12); + le_store_word32(out, x3); + le_store_word32(out + 4, rightRotate1(x2)); + le_store_word32(out + 8, x0); + le_store_word32(out + 12, x1); +} + +/** + * \brief Shuffles the words in a 64-bit block. + * + * \param out The output block after shuffling. + * \param in The input block to be shuffled. + */ +STATIC_INLINE void comet_shuffle_block_64 + (unsigned char out[8], const unsigned char in[8]) +{ + uint32_t x01 = le_load_word32(in); + uint16_t x2 = ((uint16_t)(in[4])) | (((uint16_t)(in[5])) << 8); + out[0] = in[6]; + out[1] = in[7]; + x2 = (x2 >> 1) | (x2 << 15); + out[2] = (uint8_t)x2; + out[3] = (uint8_t)(x2 >> 8); + le_store_word32(out + 4, x01); +} + +/** + * \brief Encrypts the plaintext with COMET-128 to produce the ciphertext. + * + * \param Y Internal COMET block state of 16 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param c Ciphertext on output. + * \param m Plaintext message on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_encrypt_128 + (unsigned char Y[16], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char Ys[16]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 16) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block(Y, m, 16); + lw_xor_block_2_src(c, m, Ys, 16); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block(Y, m, temp); + lw_xor_block_2_src(c, m, Ys, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Encrypts the plaintext with COMET-64 to produce the ciphertext. + * + * \param Y Internal COMET block state of 8 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param c Ciphertext on output. + * \param m Plaintext message on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_encrypt_64 + (unsigned char Y[8], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char Ys[8]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 8) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block(Y, m, 8); + lw_xor_block_2_src(c, m, Ys, 8); + c += 8; + m += 8; + mlen -= 8; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block(Y, m, temp); + lw_xor_block_2_src(c, m, Ys, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Decrypts the ciphertext with COMET-128 to produce the plaintext. + * + * \param Y Internal COMET block state of 16 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param m Plaintext message on output. + * \param c Ciphertext on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_decrypt_128 + (unsigned char Y[16], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char Ys[16]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 16) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block_2_src(m, c, Ys, 16); + lw_xor_block(Y, m, 16); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_128(Ys, Y); + lw_xor_block_2_src(m, c, Ys, temp); + lw_xor_block(Y, m, temp); + Y[temp] ^= 0x01; + } +} + +/** + * \brief Decrypts the ciphertext with COMET-64 to produce the plaintext. + * + * \param Y Internal COMET block state of 8 bytes in size. + * \param Z Internal COMET key state of 16 bytes in size. + * \param encrypt Encryption function for the underlying cipher. + * \param m Plaintext message on output. + * \param c Ciphertext on input. + * \param mlen Length of the plaintext message and the ciphertext. + */ +static void comet_decrypt_64 + (unsigned char Y[8], unsigned char Z[16], + comet_encrypt_block_t encrypt, unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char Ys[8]; + + /* Domain separator for payload data */ + Z[15] ^= 0x20; + + /* Process all payload data blocks except the last partial block */ + while (mlen >= 8) { + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block_2_src(m, c, Ys, 8); + lw_xor_block(Y, m, 8); + c += 8; + m += 8; + mlen -= 8; + } + + /* Pad and process the partial block on the end */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + Z[15] ^= 0x40; + comet_adjust_block_key(Z); + encrypt(Z, Y, Y); + comet_shuffle_block_64(Ys, Y); + lw_xor_block_2_src(m, c, Ys, temp); + lw_xor_block(Y, m, temp); + Y[temp] ^= 0x01; + } +} + +int comet_128_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[16]; + unsigned char Z[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + COMET_128_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memcpy(Y, k, 16); + cham128_128_encrypt(Y, Z, npub); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + comet_encrypt_128(Y, Z, cham128_128_encrypt, c, m, mlen); + + /* Generate the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham128_128_encrypt(Z, c + mlen, Y); + return 0; +} + +int comet_128_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[16]; + unsigned char Z[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < COMET_128_TAG_SIZE) + return -1; + *mlen = clen - COMET_128_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memcpy(Y, k, 16); + cham128_128_encrypt(Y, Z, npub); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > COMET_128_TAG_SIZE) + comet_decrypt_128(Y, Z, cham128_128_encrypt, m, c, *mlen); + + /* Check the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham128_128_encrypt(Z, Y, Y); + return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_128_TAG_SIZE); +} + +int comet_64_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + cham64_128_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + comet_encrypt_64(Y, Z, cham64_128_encrypt, c, m, mlen); + + /* Generate the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham64_128_encrypt(Z, c + mlen, Y); + return 0; +} + +int comet_64_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < COMET_64_TAG_SIZE) + return -1; + *mlen = clen - COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + cham64_128_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > COMET_64_TAG_SIZE) + comet_decrypt_64(Y, Z, cham64_128_encrypt, m, c, *mlen); + + /* Check the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + cham64_128_encrypt(Z, Y, Y); + return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); +} + +/** + * \brief Encrypts a 64-bit block with SPECK-64-128 in COMET byte order. + * + * \param key Points to the 16 bytes of the key. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \note This version differs from standard SPECK-64 in that it uses the + * little-endian byte order from the COMET specification which is different + * from the big-endian byte order from the original SPECK paper. + */ +static void speck64_128_comet_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input) +{ + uint32_t l[4]; + uint32_t x, y, s; + uint8_t round; + uint8_t li_in = 0; + uint8_t li_out = 3; + + /* Unpack the key and the input block */ + s = le_load_word32(key); + l[0] = le_load_word32(key + 4); + l[1] = le_load_word32(key + 8); + l[2] = le_load_word32(key + 12); + y = le_load_word32(input); + x = le_load_word32(input + 4); + + /* Perform all encryption rounds except the last */ + for (round = 0; round < 26; ++round) { + /* Perform the round with the current key schedule word */ + x = (rightRotate8(x) + y) ^ s; + y = leftRotate3(y) ^ x; + + /* Calculate the next key schedule word */ + l[li_out] = (s + rightRotate8(l[li_in])) ^ round; + s = leftRotate3(s) ^ l[li_out]; + li_in = (li_in + 1) & 0x03; + li_out = (li_out + 1) & 0x03; + } + + /* Perform the last encryption round and write the result to the output */ + x = (rightRotate8(x) + y) ^ s; + y = leftRotate3(y) ^ x; + le_store_word32(output, y); + le_store_word32(output + 4, x); +} + +int comet_64_speck_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + speck64_128_comet_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + comet_encrypt_64(Y, Z, speck64_128_comet_encrypt, c, m, mlen); + + /* Generate the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + speck64_128_comet_encrypt(Z, c + mlen, Y); + return 0; +} + +int comet_64_speck_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char Y[8]; + unsigned char Z[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < COMET_64_TAG_SIZE) + return -1; + *mlen = clen - COMET_64_TAG_SIZE; + + /* Set up the initial state of Y and Z */ + memset(Y, 0, 8); + speck64_128_comet_encrypt(k, Y, Y); + memcpy(Z, npub, 15); + Z[15] = 0; + lw_xor_block(Z, k, 16); + + /* Process the associated data */ + if (adlen > 0) + comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > COMET_64_TAG_SIZE) + comet_decrypt_64(Y, Z, speck64_128_comet_encrypt, m, c, *mlen); + + /* Check the authentication tag */ + Z[15] ^= 0x80; + comet_adjust_block_key(Z); + speck64_128_comet_encrypt(Z, Y, Y); + return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); +} diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.h b/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.h new file mode 100644 index 0000000..d1b24a6 --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.h @@ -0,0 +1,274 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_COMET_H +#define LWCRYPTO_COMET_H + +#include "aead-common.h" + +/** + * \file comet.h + * \brief COMET authenticated encryption algorithm. + * + * COMET is a family of authenticated encryption algorithms that are + * built around an underlying block cipher. This library implements + * three members of the family: + * + * \li COMET-128_CHAM-128/128 which has a 128-bit key, a 128-bit nonce, + * and a 128-bit tag, built around the CHAM-128/128 block cipher. + * \li COMET-64_CHAM-64/128 which has a 128-bit key, a 120-bit nonce, + * and a 64-bit tag, built around the CHAM-64/128 block cipher. + * \li COMET-64_SPECK-64/128 which has a 128-bit key, a 120-bit nonce, + * and a 64-bit tag, built around the SPECK-64/128 block cipher. + * + * There is also another family member that is built around AES but + * this library does not implement that version. + * + * References: https://www.isical.ac.in/~lightweight/comet/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all COMET family members. + */ +#define COMET_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for the 128-bit versions of COMET. + */ +#define COMET_128_TAG_SIZE 16 + +/** + * \brief Size of the authentication tag for the 64-bit versions of COMET. + */ +#define COMET_64_TAG_SIZE 8 + +/** + * \brief Size of the nonce for the 128-bit versions of COMET. + */ +#define COMET_128_NONCE_SIZE 16 + +/** + * \brief Size of the nonce for the 64-bit versions of COMET. + */ +#define COMET_64_NONCE_SIZE 15 + +/** + * \brief Meta-information block for the COMET-128_CHAM-128/128 cipher. + */ +extern aead_cipher_t const comet_128_cham_cipher; + +/** + * \brief Meta-information block for the COMET-64_CHAM-64/128 cipher. + */ +extern aead_cipher_t const comet_64_cham_cipher; + +/** + * \brief Meta-information block for the COMET-64_SPECK-64/128 cipher. + */ +extern aead_cipher_t const comet_64_speck_cipher; + +/** + * \brief Encrypts and authenticates a packet with COMET-128_CHAM-128/128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa comet_128_cham_aead_decrypt() + */ +int comet_128_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with COMET-128_CHAM-128/128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa comet_128_cham_aead_encrypt() + */ +int comet_128_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with COMET-64_CHAM-64/128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa comet_64_cham_aead_decrypt() + */ +int comet_64_cham_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with COMET-64_CHAM-64/128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa comet_64_cham_aead_encrypt() + */ +int comet_64_cham_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with COMET-64_SPECK-64/128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa comet_64_speck_aead_decrypt() + */ +int comet_64_speck_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with COMET-64_SPECK-64/128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa comet_64_speck_aead_encrypt() + */ +int comet_64_speck_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/encrypt.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys/encrypt.c new file mode 100644 index 0000000..dc4f508 --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "comet.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return comet_64_speck_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return comet_64_speck_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.c new file mode 100644 index 0000000..e097dbd --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.c @@ -0,0 +1,134 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-cham.h" +#include "internal-util.h" + +void cham128_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input) +{ + uint32_t x0, x1, x2, x3; + uint32_t k[8]; + uint8_t round; + + /* Unpack the key and generate the key schedule */ + k[0] = le_load_word32(key); + k[1] = le_load_word32(key + 4); + k[2] = le_load_word32(key + 8); + k[3] = le_load_word32(key + 12); + k[4] = k[1] ^ leftRotate1(k[1]) ^ leftRotate11(k[1]); + k[5] = k[0] ^ leftRotate1(k[0]) ^ leftRotate11(k[0]); + k[6] = k[3] ^ leftRotate1(k[3]) ^ leftRotate11(k[3]); + k[7] = k[2] ^ leftRotate1(k[2]) ^ leftRotate11(k[2]); + k[0] ^= leftRotate1(k[0]) ^ leftRotate8(k[0]); + k[1] ^= leftRotate1(k[1]) ^ leftRotate8(k[1]); + k[2] ^= leftRotate1(k[2]) ^ leftRotate8(k[2]); + k[3] ^= leftRotate1(k[3]) ^ leftRotate8(k[3]); + + /* Unpack the input block */ + x0 = le_load_word32(input); + x1 = le_load_word32(input + 4); + x2 = le_load_word32(input + 8); + x3 = le_load_word32(input + 12); + + /* Perform the 80 rounds eight at a time */ + for (round = 0; round < 80; round += 8) { + x0 = leftRotate8((x0 ^ round) + (leftRotate1(x1) ^ k[0])); + x1 = leftRotate1((x1 ^ (round + 1)) + (leftRotate8(x2) ^ k[1])); + x2 = leftRotate8((x2 ^ (round + 2)) + (leftRotate1(x3) ^ k[2])); + x3 = leftRotate1((x3 ^ (round + 3)) + (leftRotate8(x0) ^ k[3])); + x0 = leftRotate8((x0 ^ (round + 4)) + (leftRotate1(x1) ^ k[4])); + x1 = leftRotate1((x1 ^ (round + 5)) + (leftRotate8(x2) ^ k[5])); + x2 = leftRotate8((x2 ^ (round + 6)) + (leftRotate1(x3) ^ k[6])); + x3 = leftRotate1((x3 ^ (round + 7)) + (leftRotate8(x0) ^ k[7])); + } + + /* Pack the state into the output block */ + le_store_word32(output, x0); + le_store_word32(output + 4, x1); + le_store_word32(output + 8, x2); + le_store_word32(output + 12, x3); +} + +void cham64_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input) +{ + uint16_t x0, x1, x2, x3; + uint16_t k[16]; + uint8_t round; + + /* Unpack the key and generate the key schedule */ + k[0] = le_load_word16(key); + k[1] = le_load_word16(key + 2); + k[2] = le_load_word16(key + 4); + k[3] = le_load_word16(key + 6); + k[4] = le_load_word16(key + 8); + k[5] = le_load_word16(key + 10); + k[6] = le_load_word16(key + 12); + k[7] = le_load_word16(key + 14); + k[8] = k[1] ^ leftRotate1_16(k[1]) ^ leftRotate11_16(k[1]); + k[9] = k[0] ^ leftRotate1_16(k[0]) ^ leftRotate11_16(k[0]); + k[10] = k[3] ^ leftRotate1_16(k[3]) ^ leftRotate11_16(k[3]); + k[11] = k[2] ^ leftRotate1_16(k[2]) ^ leftRotate11_16(k[2]); + k[12] = k[5] ^ leftRotate1_16(k[5]) ^ leftRotate11_16(k[5]); + k[13] = k[4] ^ leftRotate1_16(k[4]) ^ leftRotate11_16(k[4]); + k[14] = k[7] ^ leftRotate1_16(k[7]) ^ leftRotate11_16(k[7]); + k[15] = k[6] ^ leftRotate1_16(k[6]) ^ leftRotate11_16(k[6]); + k[0] ^= leftRotate1_16(k[0]) ^ leftRotate8_16(k[0]); + k[1] ^= leftRotate1_16(k[1]) ^ leftRotate8_16(k[1]); + k[2] ^= leftRotate1_16(k[2]) ^ leftRotate8_16(k[2]); + k[3] ^= leftRotate1_16(k[3]) ^ leftRotate8_16(k[3]); + k[4] ^= leftRotate1_16(k[4]) ^ leftRotate8_16(k[4]); + k[5] ^= leftRotate1_16(k[5]) ^ leftRotate8_16(k[5]); + k[6] ^= leftRotate1_16(k[6]) ^ leftRotate8_16(k[6]); + k[7] ^= leftRotate1_16(k[7]) ^ leftRotate8_16(k[7]); + + /* Unpack the input block */ + x0 = le_load_word16(input); + x1 = le_load_word16(input + 2); + x2 = le_load_word16(input + 4); + x3 = le_load_word16(input + 6); + + /* Perform the 80 rounds four at a time */ + for (round = 0; round < 80; round += 4) { + x0 = leftRotate8_16 + ((x0 ^ round) + + (leftRotate1_16(x1) ^ k[round % 16])); + x1 = leftRotate1_16 + ((x1 ^ (round + 1)) + + (leftRotate8_16(x2) ^ k[(round + 1) % 16])); + x2 = leftRotate8_16 + ((x2 ^ (round + 2)) + + (leftRotate1_16(x3) ^ k[(round + 2) % 16])); + x3 = leftRotate1_16 + ((x3 ^ (round + 3)) + + (leftRotate8_16(x0) ^ k[(round + 3) % 16])); + } + + /* Pack the state into the output block */ + le_store_word16(output, x0); + le_store_word16(output + 2, x1); + le_store_word16(output + 4, x2); + le_store_word16(output + 6, x3); +} diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.h b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.h new file mode 100644 index 0000000..29d5ccf --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.h @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_CHAM_H +#define LW_INTERNAL_CHAM_H + +/** + * \file internal-cham.h + * \brief CHAM block cipher. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts a 128-bit block with CHAM-128-128. + * + * \param key Points to the 16 bytes of the key. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void cham128_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 64-bit block with CHAM-64-128. + * + * \param key Points to the 16 bytes of the key. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void cham64_128_encrypt + (const unsigned char *key, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-util.h b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.c b/drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.h b/drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/api.h b/drygascon/Implementations/crypto_aead/drygascon128/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.c b/drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.c new file mode 100644 index 0000000..e963903 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.c @@ -0,0 +1,421 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "drygascon.h" +#include "internal-drysponge.h" +#include + +aead_cipher_t const drygascon128_cipher = { + "DryGASCON128", + DRYGASCON128_KEY_SIZE, + DRYGASCON128_NONCE_SIZE, + DRYGASCON128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + drygascon128_aead_encrypt, + drygascon128_aead_decrypt +}; + +aead_cipher_t const drygascon256_cipher = { + "DryGASCON256", + DRYGASCON256_KEY_SIZE, + DRYGASCON256_NONCE_SIZE, + DRYGASCON256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + drygascon256_aead_encrypt, + drygascon256_aead_decrypt +}; + +aead_hash_algorithm_t const drygascon128_hash_algorithm = { + "DryGASCON128-HASH", + sizeof(int), + DRYGASCON128_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + drygascon128_hash, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const drygascon256_hash_algorithm = { + "DryGASCON256-HASH", + sizeof(int), + DRYGASCON256_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + drygascon256_hash, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \brief Processes associated data for DryGASCON128. + * + * \param state DrySPONGE128 sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must not be zero. + * \param finalize Non-zero to finalize packet processing because + * the message is zero-length. + */ +static void drygascon128_process_ad + (drysponge128_state_t *state, const unsigned char *ad, + unsigned long long adlen, int finalize) +{ + /* Process all blocks except the last one */ + while (adlen > DRYSPONGE128_RATE) { + drysponge128_f_absorb(state, ad, DRYSPONGE128_RATE); + drysponge128_g_core(state); + ad += DRYSPONGE128_RATE; + adlen -= DRYSPONGE128_RATE; + } + + /* Process the last block with domain separation and padding */ + state->domain = DRYDOMAIN128_ASSOC_DATA; + if (finalize) + state->domain |= DRYDOMAIN128_FINAL; + if (adlen < DRYSPONGE128_RATE) + state->domain |= DRYDOMAIN128_PADDED; + drysponge128_f_absorb(state, ad, (unsigned)adlen); + drysponge128_g(state); +} + +/** + * \brief Processes associated data for DryGASCON256. + * + * \param state DrySPONGE256 sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must not be zero. + * \param finalize Non-zero to finalize packet processing because + * the message is zero-length. + */ +static void drygascon256_process_ad + (drysponge256_state_t *state, const unsigned char *ad, + unsigned long long adlen, int finalize) +{ + /* Process all blocks except the last one */ + while (adlen > DRYSPONGE256_RATE) { + drysponge256_f_absorb(state, ad, DRYSPONGE256_RATE); + drysponge256_g_core(state); + ad += DRYSPONGE256_RATE; + adlen -= DRYSPONGE256_RATE; + } + + /* Process the last block with domain separation and padding */ + state->domain = DRYDOMAIN256_ASSOC_DATA; + if (finalize) + state->domain |= DRYDOMAIN256_FINAL; + if (adlen < DRYSPONGE256_RATE) + state->domain |= DRYDOMAIN256_PADDED; + drysponge256_f_absorb(state, ad, (unsigned)adlen); + drysponge256_g(state); +} + +int drygascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + drysponge128_state_t state; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DRYGASCON128_TAG_SIZE; + + /* Initialize the sponge state with the key and nonce */ + drysponge128_setup(&state, k, npub, adlen == 0 && mlen == 0); + + /* Process the associated data */ + if (adlen > 0) + drygascon128_process_ad(&state, ad, adlen, mlen == 0); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + /* Processs all blocks except the last one */ + while (mlen > DRYSPONGE128_RATE) { + drysponge128_f_absorb(&state, m, DRYSPONGE128_RATE); + lw_xor_block_2_src(c, m, state.r.B, DRYSPONGE128_RATE); + drysponge128_g(&state); + c += DRYSPONGE128_RATE; + m += DRYSPONGE128_RATE; + mlen -= DRYSPONGE128_RATE; + } + + /* Process the last block with domain separation and padding */ + state.domain = DRYDOMAIN128_MESSAGE | DRYDOMAIN128_FINAL; + if (mlen < DRYSPONGE128_RATE) + state.domain |= DRYDOMAIN128_PADDED; + temp = (unsigned)mlen; + drysponge128_f_absorb(&state, m, temp); + lw_xor_block_2_src(c, m, state.r.B, temp); + drysponge128_g(&state); + c += temp; + } + + /* Generate the authentication tag */ + memcpy(c, state.r.B, DRYGASCON128_TAG_SIZE); + return 0; +} + +int drygascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + drysponge128_state_t state; + unsigned char *mtemp = m; + unsigned temp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DRYGASCON128_TAG_SIZE) + return -1; + *mlen = clen - DRYGASCON128_TAG_SIZE; + + /* Initialize the sponge state with the key and nonce */ + clen -= DRYGASCON128_TAG_SIZE; + drysponge128_setup(&state, k, npub, adlen == 0 && clen == 0); + + /* Process the associated data */ + if (adlen > 0) + drygascon128_process_ad(&state, ad, adlen, clen == 0); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + /* Processs all blocks except the last one */ + while (clen > DRYSPONGE128_RATE) { + lw_xor_block_2_src(m, c, state.r.B, DRYSPONGE128_RATE); + drysponge128_f_absorb(&state, m, DRYSPONGE128_RATE); + drysponge128_g(&state); + c += DRYSPONGE128_RATE; + m += DRYSPONGE128_RATE; + clen -= DRYSPONGE128_RATE; + } + + /* Process the last block with domain separation and padding */ + state.domain = DRYDOMAIN128_MESSAGE | DRYDOMAIN128_FINAL; + if (clen < DRYSPONGE128_RATE) + state.domain |= DRYDOMAIN128_PADDED; + temp = (unsigned)clen; + lw_xor_block_2_src(m, c, state.r.B, temp); + drysponge128_f_absorb(&state, m, temp); + drysponge128_g(&state); + c += temp; + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, state.r.B, c, DRYGASCON128_TAG_SIZE); +} + +int drygascon256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + drysponge256_state_t state; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DRYGASCON256_TAG_SIZE; + + /* Initialize the sponge state with the key and nonce */ + drysponge256_setup(&state, k, npub, adlen == 0 && mlen == 0); + + /* Process the associated data */ + if (adlen > 0) + drygascon256_process_ad(&state, ad, adlen, mlen == 0); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + /* Processs all blocks except the last one */ + while (mlen > DRYSPONGE256_RATE) { + drysponge256_f_absorb(&state, m, DRYSPONGE256_RATE); + lw_xor_block_2_src(c, m, state.r.B, DRYSPONGE256_RATE); + drysponge256_g(&state); + c += DRYSPONGE256_RATE; + m += DRYSPONGE256_RATE; + mlen -= DRYSPONGE256_RATE; + } + + /* Process the last block with domain separation and padding */ + state.domain = DRYDOMAIN256_MESSAGE | DRYDOMAIN256_FINAL; + if (mlen < DRYSPONGE256_RATE) + state.domain |= DRYDOMAIN256_PADDED; + temp = (unsigned)mlen; + drysponge256_f_absorb(&state, m, temp); + lw_xor_block_2_src(c, m, state.r.B, temp); + drysponge256_g(&state); + c += temp; + } + + /* Generate the authentication tag */ + memcpy(c, state.r.B, 16); + drysponge256_g(&state); + memcpy(c + 16, state.r.B, 16); + return 0; +} + +int drygascon256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + drysponge256_state_t state; + unsigned char *mtemp = m; + unsigned temp; + int result; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DRYGASCON256_TAG_SIZE) + return -1; + *mlen = clen - DRYGASCON256_TAG_SIZE; + + /* Initialize the sponge state with the key and nonce */ + clen -= DRYGASCON256_TAG_SIZE; + drysponge256_setup(&state, k, npub, adlen == 0 && clen == 0); + + /* Process the associated data */ + if (adlen > 0) + drygascon256_process_ad(&state, ad, adlen, clen == 0); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + /* Processs all blocks except the last one */ + while (clen > DRYSPONGE256_RATE) { + lw_xor_block_2_src(m, c, state.r.B, DRYSPONGE256_RATE); + drysponge256_f_absorb(&state, m, DRYSPONGE256_RATE); + drysponge256_g(&state); + c += DRYSPONGE256_RATE; + m += DRYSPONGE256_RATE; + clen -= DRYSPONGE256_RATE; + } + + /* Process the last block with domain separation and padding */ + state.domain = DRYDOMAIN256_MESSAGE | DRYDOMAIN256_FINAL; + if (clen < DRYSPONGE256_RATE) + state.domain |= DRYDOMAIN256_PADDED; + temp = (unsigned)clen; + lw_xor_block_2_src(m, c, state.r.B, temp); + drysponge256_f_absorb(&state, m, temp); + drysponge256_g(&state); + c += temp; + } + + /* Check the authentication tag which is split into two pieces */ + result = aead_check_tag(0, 0, state.r.B, c, 16); + drysponge256_g(&state); + return aead_check_tag_precheck + (mtemp, *mlen, state.r.B, c + 16, 16, ~result); +} + +/** + * \brief Precomputed initialization vector for DryGASCON128-HASH. + * + * This is the CST_H value from the DryGASCON specification after it + * has been processed by the key setup function for DrySPONGE128. + */ +static unsigned char const drygascon128_hash_init[] = { + /* c */ + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + /* x */ + 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0, + 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89 +}; + +int drygascon128_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + drysponge128_state_t state; + memcpy(state.c.B, drygascon128_hash_init, sizeof(state.c.B)); + memcpy(state.x.B, drygascon128_hash_init + sizeof(state.c.B), + sizeof(state.x.B)); + state.domain = 0; + state.rounds = DRYSPONGE128_ROUNDS; + drygascon128_process_ad(&state, in, inlen, 1); + memcpy(out, state.r.B, 16); + drysponge128_g(&state); + memcpy(out + 16, state.r.B, 16); + return 0; +} + +/** + * \brief Precomputed initialization vector for DryGASCON256-HASH. + * + * This is the CST_H value from the DryGASCON specification after it + * has been processed by the key setup function for DrySPONGE256. + */ +static unsigned char const drygascon256_hash_init[] = { + /* c */ + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, + 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0, + 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89, + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, + 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0, + 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89, + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + /* x */ + 0x45, 0x28, 0x21, 0xe6, 0x38, 0xd0, 0x13, 0x77, + 0xbe, 0x54, 0x66, 0xcf, 0x34, 0xe9, 0x0c, 0x6c +}; + +int drygascon256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + drysponge256_state_t state; + memcpy(state.c.B, drygascon256_hash_init, sizeof(state.c.B)); + memcpy(state.x.B, drygascon256_hash_init + sizeof(state.c.B), + sizeof(state.x.B)); + state.domain = 0; + state.rounds = DRYSPONGE256_ROUNDS; + drygascon256_process_ad(&state, in, inlen, 1); + memcpy(out, state.r.B, 16); + drysponge256_g(&state); + memcpy(out + 16, state.r.B, 16); + drysponge256_g(&state); + memcpy(out + 32, state.r.B, 16); + drysponge256_g(&state); + memcpy(out + 48, state.r.B, 16); + return 0; +} diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.h b/drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.h new file mode 100644 index 0000000..12e18c3 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/drygascon.h @@ -0,0 +1,264 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_DRYGASCON_H +#define LWCRYPTO_DRYGASCON_H + +#include "aead-common.h" + +/** + * \file drygascon.h + * \brief DryGASCON authenticated encryption algorithm. + * + * DryGASCON is a family of authenticated encryption algorithms based + * around a generalised version of the ASCON permutation. DryGASCON + * is designed to provide some protection against power analysis. + * + * There are four algorithms in the DryGASCON family: + * + * \li DryGASCON128 is an authenticated encryption algorithm with a + * 128-bit key, a 128-bit nonce, and a 128-bit authentication tag. + * \li DryGASCON256 is an authenticated encryption algorithm with a + * 256-bit key, a 128-bit nonce, and a 128-256 authentication tag. + * \li DryGASCON128-HASH is a hash algorithm with a 256-bit output. + * \li DryGASCON256-HASH is a hash algorithm with a 512-bit output. + * + * DryGASCON128 and DryGASCON128-HASH are the primary members of the family. + * + * References: https://github.com/sebastien-riou/DryGASCON + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for DryGASCON128. + */ +#define DRYGASCON128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for DryGASCON128. + */ +#define DRYGASCON128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for DryGASCON128. + */ +#define DRYGASCON128_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for DryGASCON128-HASH. + */ +#define DRYGASCON128_HASH_SIZE 32 + +/** + * \brief Size of the key for DryGASCON256. + */ +#define DRYGASCON256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for DryGASCON256. + */ +#define DRYGASCON256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for DryGASCON256. + */ +#define DRYGASCON256_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for DryGASCON256-HASH. + */ +#define DRYGASCON256_HASH_SIZE 64 + +/** + * \brief Meta-information block for the DryGASCON128 cipher. + */ +extern aead_cipher_t const drygascon128_cipher; + +/** + * \brief Meta-information block for the DryGASCON256 cipher. + */ +extern aead_cipher_t const drygascon256_cipher; + +/** + * \brief Meta-information block for DryGASCON128-HASH. + */ +extern aead_hash_algorithm_t const drygascon128_hash_algorithm; + +/** + * \brief Meta-information block for DryGASCON256-HASH. + */ +extern aead_hash_algorithm_t const drygascon256_hash_algorithm; + +/** + * \brief Encrypts and authenticates a packet with DryGASCON128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa drygascon128_aead_decrypt() + */ +int drygascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with DryGASCON128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa drygascon128_aead_encrypt() + */ +int drygascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with DryGASCON256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa drygascon256_aead_decrypt() + */ +int drygascon256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with DryGASCON256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa drygascon256_aead_encrypt() + */ +int drygascon256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with DRYGASCON128. + * + * \param out Buffer to receive the hash output which must be at least + * DRYGASCON128_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int drygascon128_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with DRYGASCON256. + * + * \param out Buffer to receive the hash output which must be at least + * DRYGASCON256_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int drygascon256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/encrypt.c b/drygascon/Implementations/crypto_aead/drygascon128/rhys/encrypt.c new file mode 100644 index 0000000..663de84 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "drygascon.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return drygascon128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return drygascon128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.c b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.c new file mode 100644 index 0000000..67f1b27 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.c @@ -0,0 +1,600 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-drysponge.h" +#include + +/* Right rotations in bit-interleaved format */ +#define intRightRotateEven(x,bits) \ + (__extension__ ({ \ + uint32_t _x0 = (uint32_t)(x); \ + uint32_t _x1 = (uint32_t)((x) >> 32); \ + _x0 = rightRotate(_x0, (bits)); \ + _x1 = rightRotate(_x1, (bits)); \ + _x0 | (((uint64_t)_x1) << 32); \ + })) +#define intRightRotateOdd(x,bits) \ + (__extension__ ({ \ + uint32_t _x0 = (uint32_t)(x); \ + uint32_t _x1 = (uint32_t)((x) >> 32); \ + _x0 = rightRotate(_x0, ((bits) + 1) % 32); \ + _x1 = rightRotate(_x1, (bits)); \ + _x1 | (((uint64_t)_x0) << 32); \ + })) +#define intRightRotate1_64(x) \ + (__extension__ ({ \ + uint32_t _x0 = (uint32_t)(x); \ + uint32_t _x1 = (uint32_t)((x) >> 32); \ + _x0 = rightRotate1(_x0); \ + _x1 | (((uint64_t)_x0) << 32); \ + })) +#define intRightRotate2_64(x) (intRightRotateEven((x), 1)) +#define intRightRotate3_64(x) (intRightRotateOdd((x), 1)) +#define intRightRotate4_64(x) (intRightRotateEven((x), 2)) +#define intRightRotate5_64(x) (intRightRotateOdd((x), 2)) +#define intRightRotate6_64(x) (intRightRotateEven((x), 3)) +#define intRightRotate7_64(x) (intRightRotateOdd((x), 3)) +#define intRightRotate8_64(x) (intRightRotateEven((x), 4)) +#define intRightRotate9_64(x) (intRightRotateOdd((x), 4)) +#define intRightRotate10_64(x) (intRightRotateEven((x), 5)) +#define intRightRotate11_64(x) (intRightRotateOdd((x), 5)) +#define intRightRotate12_64(x) (intRightRotateEven((x), 6)) +#define intRightRotate13_64(x) (intRightRotateOdd((x), 6)) +#define intRightRotate14_64(x) (intRightRotateEven((x), 7)) +#define intRightRotate15_64(x) (intRightRotateOdd((x), 7)) +#define intRightRotate16_64(x) (intRightRotateEven((x), 8)) +#define intRightRotate17_64(x) (intRightRotateOdd((x), 8)) +#define intRightRotate18_64(x) (intRightRotateEven((x), 9)) +#define intRightRotate19_64(x) (intRightRotateOdd((x), 9)) +#define intRightRotate20_64(x) (intRightRotateEven((x), 10)) +#define intRightRotate21_64(x) (intRightRotateOdd((x), 10)) +#define intRightRotate22_64(x) (intRightRotateEven((x), 11)) +#define intRightRotate23_64(x) (intRightRotateOdd((x), 11)) +#define intRightRotate24_64(x) (intRightRotateEven((x), 12)) +#define intRightRotate25_64(x) (intRightRotateOdd((x), 12)) +#define intRightRotate26_64(x) (intRightRotateEven((x), 13)) +#define intRightRotate27_64(x) (intRightRotateOdd((x), 13)) +#define intRightRotate28_64(x) (intRightRotateEven((x), 14)) +#define intRightRotate29_64(x) (intRightRotateOdd((x), 14)) +#define intRightRotate30_64(x) (intRightRotateEven((x), 15)) +#define intRightRotate31_64(x) (intRightRotateOdd((x), 15)) +#define intRightRotate32_64(x) (intRightRotateEven((x), 16)) +#define intRightRotate33_64(x) (intRightRotateOdd((x), 16)) +#define intRightRotate34_64(x) (intRightRotateEven((x), 17)) +#define intRightRotate35_64(x) (intRightRotateOdd((x), 17)) +#define intRightRotate36_64(x) (intRightRotateEven((x), 18)) +#define intRightRotate37_64(x) (intRightRotateOdd((x), 18)) +#define intRightRotate38_64(x) (intRightRotateEven((x), 19)) +#define intRightRotate39_64(x) (intRightRotateOdd((x), 19)) +#define intRightRotate40_64(x) (intRightRotateEven((x), 20)) +#define intRightRotate41_64(x) (intRightRotateOdd((x), 20)) +#define intRightRotate42_64(x) (intRightRotateEven((x), 21)) +#define intRightRotate43_64(x) (intRightRotateOdd((x), 21)) +#define intRightRotate44_64(x) (intRightRotateEven((x), 22)) +#define intRightRotate45_64(x) (intRightRotateOdd((x), 22)) +#define intRightRotate46_64(x) (intRightRotateEven((x), 23)) +#define intRightRotate47_64(x) (intRightRotateOdd((x), 23)) +#define intRightRotate48_64(x) (intRightRotateEven((x), 24)) +#define intRightRotate49_64(x) (intRightRotateOdd((x), 24)) +#define intRightRotate50_64(x) (intRightRotateEven((x), 25)) +#define intRightRotate51_64(x) (intRightRotateOdd((x), 25)) +#define intRightRotate52_64(x) (intRightRotateEven((x), 26)) +#define intRightRotate53_64(x) (intRightRotateOdd((x), 26)) +#define intRightRotate54_64(x) (intRightRotateEven((x), 27)) +#define intRightRotate55_64(x) (intRightRotateOdd((x), 27)) +#define intRightRotate56_64(x) (intRightRotateEven((x), 28)) +#define intRightRotate57_64(x) (intRightRotateOdd((x), 28)) +#define intRightRotate58_64(x) (intRightRotateEven((x), 29)) +#define intRightRotate59_64(x) (intRightRotateOdd((x), 29)) +#define intRightRotate60_64(x) (intRightRotateEven((x), 30)) +#define intRightRotate61_64(x) (intRightRotateOdd((x), 30)) +#define intRightRotate62_64(x) (intRightRotateEven((x), 31)) +#define intRightRotate63_64(x) (intRightRotateOdd((x), 31)) + +void gascon128_core_round(gascon128_state_t *state, uint8_t round) +{ + uint64_t t0, t1, t2, t3, t4; + + /* Load the state into local varaibles */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); +#endif + + /* Add the round constant to the middle of the state */ + x2 ^= ((0x0F - round) << 4) | round; + + /* Substitution layer */ + x0 ^= x4; x2 ^= x1; x4 ^= x3; t0 = (~x0) & x1; t1 = (~x1) & x2; + t2 = (~x2) & x3; t3 = (~x3) & x4; t4 = (~x4) & x0; x0 ^= t1; + x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; x1 ^= x0; x3 ^= x2; + x0 ^= x4; x2 = ~x2; + + /* Linear diffusion layer */ + x0 ^= intRightRotate19_64(x0) ^ intRightRotate28_64(x0); + x1 ^= intRightRotate61_64(x1) ^ intRightRotate38_64(x1); + x2 ^= intRightRotate1_64(x2) ^ intRightRotate6_64(x2); + x3 ^= intRightRotate10_64(x3) ^ intRightRotate17_64(x3); + x4 ^= intRightRotate7_64(x4) ^ intRightRotate40_64(x4); + + /* Write the local variables back to the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); +#endif +} + +void gascon256_core_round(gascon256_state_t *state, uint8_t round) +{ + uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8; + + /* Load the state into local varaibles */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; + uint64_t x5 = state->S[5]; + uint64_t x6 = state->S[6]; + uint64_t x7 = state->S[7]; + uint64_t x8 = state->S[8]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); + uint64_t x5 = le_load_word64(state->B + 40); + uint64_t x6 = le_load_word64(state->B + 48); + uint64_t x7 = le_load_word64(state->B + 56); + uint64_t x8 = le_load_word64(state->B + 64); +#endif + + /* Add the round constant to the middle of the state */ + x4 ^= ((0x0F - round) << 4) | round; + + /* Substitution layer */ + x0 ^= x8; x2 ^= x1; x4 ^= x3; x6 ^= x5; x8 ^= x7; t0 = (~x0) & x1; + t1 = (~x1) & x2; t2 = (~x2) & x3; t3 = (~x3) & x4; t4 = (~x4) & x5; + t5 = (~x5) & x6; t6 = (~x6) & x7; t7 = (~x7) & x8; t8 = (~x8) & x0; + x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t5; x5 ^= t6; x6 ^= t7; + x7 ^= t8; x8 ^= t0; x1 ^= x0; x3 ^= x2; x5 ^= x4; x7 ^= x6; x0 ^= x8; + x4 = ~x4; + + /* Linear diffusion layer */ + x0 ^= intRightRotate19_64(x0) ^ intRightRotate28_64(x0); + x1 ^= intRightRotate61_64(x1) ^ intRightRotate38_64(x1); + x2 ^= intRightRotate1_64(x2) ^ intRightRotate6_64(x2); + x3 ^= intRightRotate10_64(x3) ^ intRightRotate17_64(x3); + x4 ^= intRightRotate7_64(x4) ^ intRightRotate40_64(x4); + x5 ^= intRightRotate31_64(x5) ^ intRightRotate26_64(x5); + x6 ^= intRightRotate53_64(x6) ^ intRightRotate58_64(x6); + x7 ^= intRightRotate9_64(x7) ^ intRightRotate46_64(x7); + x8 ^= intRightRotate43_64(x8) ^ intRightRotate50_64(x8); + + /* Write the local variables back to the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; + state->S[5] = x5; + state->S[6] = x6; + state->S[7] = x7; + state->S[8] = x8; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); + le_store_word64(state->B + 40, x5); + le_store_word64(state->B + 48, x6); + le_store_word64(state->B + 56, x7); + le_store_word64(state->B + 64, x8); +#endif +} + +void drysponge128_g(drysponge128_state_t *state) +{ + unsigned round; + + /* Perform the first round. For each round we XOR the 16 bytes of + * the output data with the first 16 bytes of the state. And then + * XOR with the next 16 bytes of the state, rotated by 4 bytes */ + gascon128_core_round(&(state->c), 0); + state->r.W[0] = state->c.W[0] ^ state->c.W[5]; + state->r.W[1] = state->c.W[1] ^ state->c.W[6]; + state->r.W[2] = state->c.W[2] ^ state->c.W[7]; + state->r.W[3] = state->c.W[3] ^ state->c.W[4]; + + /* Perform the rest of the rounds */ + for (round = 1; round < state->rounds; ++round) { + gascon128_core_round(&(state->c), round); + state->r.W[0] ^= state->c.W[0] ^ state->c.W[5]; + state->r.W[1] ^= state->c.W[1] ^ state->c.W[6]; + state->r.W[2] ^= state->c.W[2] ^ state->c.W[7]; + state->r.W[3] ^= state->c.W[3] ^ state->c.W[4]; + } +} + +void drysponge256_g(drysponge256_state_t *state) +{ + unsigned round; + + /* Perform the first round. For each round we XOR the 16 bytes of + * the output data with the first 16 bytes of the state. And then + * XOR with the next 16 bytes of the state, rotated by 4 bytes. + * And so on for a total of 64 bytes XOR'ed into the output data. */ + gascon256_core_round(&(state->c), 0); + state->r.W[0] = state->c.W[0] ^ state->c.W[5] ^ + state->c.W[10] ^ state->c.W[15]; + state->r.W[1] = state->c.W[1] ^ state->c.W[6] ^ + state->c.W[11] ^ state->c.W[12]; + state->r.W[2] = state->c.W[2] ^ state->c.W[7] ^ + state->c.W[8] ^ state->c.W[13]; + state->r.W[3] = state->c.W[3] ^ state->c.W[4] ^ + state->c.W[9] ^ state->c.W[14]; + + /* Perform the rest of the rounds */ + for (round = 1; round < state->rounds; ++round) { + gascon256_core_round(&(state->c), round); + state->r.W[0] ^= state->c.W[0] ^ state->c.W[5] ^ + state->c.W[10] ^ state->c.W[15]; + state->r.W[1] ^= state->c.W[1] ^ state->c.W[6] ^ + state->c.W[11] ^ state->c.W[12]; + state->r.W[2] ^= state->c.W[2] ^ state->c.W[7] ^ + state->c.W[8] ^ state->c.W[13]; + state->r.W[3] ^= state->c.W[3] ^ state->c.W[4] ^ + state->c.W[9] ^ state->c.W[14]; + } +} + +void drysponge128_g_core(drysponge128_state_t *state) +{ + unsigned round; + for (round = 0; round < state->rounds; ++round) + gascon128_core_round(&(state->c), round); +} + +void drysponge256_g_core(drysponge256_state_t *state) +{ + unsigned round; + for (round = 0; round < state->rounds; ++round) + gascon256_core_round(&(state->c), round); +} + +/** + * \brief Selects an element of x in constant time. + * + * \param x Points to the four elements of x. + * \param index Index of which element to extract between 0 and 3. + * + * \return The selected element of x. + */ +STATIC_INLINE uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index) +{ + /* We need to be careful how we select each element of x because + * we are doing a data-dependent fetch here. Do the fetch in a way + * that should avoid cache timing issues by fetching every element + * of x and masking away the ones we don't want. + * + * There is a possible side channel here with respect to power analysis. + * The "mask" value will be all-ones for the selected index and all-zeroes + * for the other indexes. This may show up as different power consumption + * for the "result ^= x[i] & mask" statement when i is the selected index. + * Such a side channel could in theory allow reading the plaintext input + * to the cipher by analysing the CPU's power consumption. + * + * The DryGASCON specification acknowledges the possibility of plaintext + * recovery in section 7.4. For software mitigation the specification + * suggests randomization of the indexes into c and x and randomization + * of the order of processing words. We aren't doing that here yet. + * Patches welcome to fix this. + */ + uint32_t mask = -((uint32_t)((0x04 - index) >> 2)); + uint32_t result = x[0] & mask; + mask = -((uint32_t)((0x04 - (index ^ 0x01)) >> 2)); + result ^= x[1] & mask; + mask = -((uint32_t)((0x04 - (index ^ 0x02)) >> 2)); + result ^= x[2] & mask; + mask = -((uint32_t)((0x04 - (index ^ 0x03)) >> 2)); + return result ^ (x[3] & mask); +} + +/** + * \brief Mixes a 32-bit value into the DrySPONGE128 state. + * + * \param state DrySPONGE128 state. + * \param data The data to be mixed in the bottom 10 bits. + */ +static void drysponge128_mix_phase_round + (drysponge128_state_t *state, uint32_t data) +{ + /* Mix in elements from x according to the 2-bit indexes in the data */ + state->c.W[0] ^= drysponge_select_x(state->x.W, data & 0x03); + state->c.W[2] ^= drysponge_select_x(state->x.W, (data >> 2) & 0x03); + state->c.W[4] ^= drysponge_select_x(state->x.W, (data >> 4) & 0x03); + state->c.W[6] ^= drysponge_select_x(state->x.W, (data >> 6) & 0x03); + state->c.W[8] ^= drysponge_select_x(state->x.W, (data >> 8) & 0x03); +} + +/** + * \brief Mixes a 32-bit value into the DrySPONGE256 state. + * + * \param state DrySPONGE256 state. + * \param data The data to be mixed in the bottom 18 bits. + */ +static void drysponge256_mix_phase_round + (drysponge256_state_t *state, uint32_t data) +{ + /* Mix in elements from x according to the 2-bit indexes in the data */ + state->c.W[0] ^= drysponge_select_x(state->x.W, data & 0x03); + state->c.W[2] ^= drysponge_select_x(state->x.W, (data >> 2) & 0x03); + state->c.W[4] ^= drysponge_select_x(state->x.W, (data >> 4) & 0x03); + state->c.W[6] ^= drysponge_select_x(state->x.W, (data >> 6) & 0x03); + state->c.W[8] ^= drysponge_select_x(state->x.W, (data >> 8) & 0x03); + state->c.W[10] ^= drysponge_select_x(state->x.W, (data >> 10) & 0x03); + state->c.W[12] ^= drysponge_select_x(state->x.W, (data >> 12) & 0x03); + state->c.W[14] ^= drysponge_select_x(state->x.W, (data >> 14) & 0x03); + state->c.W[16] ^= drysponge_select_x(state->x.W, (data >> 16) & 0x03); +} + +/** + * \brief Mixes an input block into a DrySPONGE128 state. + * + * \param state The DrySPONGE128 state. + * \param data Full rate block containing the input data. + */ +static void drysponge128_mix_phase + (drysponge128_state_t *state, const unsigned char data[DRYSPONGE128_RATE]) +{ + /* Mix 10-bit groups into the output, with the domain + * separator added to the last two groups */ + drysponge128_mix_phase_round + (state, data[0] | (((uint32_t)(data[1])) << 8)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[1] >> 2) | (((uint32_t)(data[2])) << 6)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[2] >> 4) | (((uint32_t)(data[3])) << 4)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[3] >> 6) | (((uint32_t)(data[4])) << 2)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, data[5] | (((uint32_t)(data[6])) << 8)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[6] >> 2) | (((uint32_t)(data[7])) << 6)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[7] >> 4) | (((uint32_t)(data[8])) << 4)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[8] >> 6) | (((uint32_t)(data[9])) << 2)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, data[10] | (((uint32_t)(data[11])) << 8)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[11] >> 2) | (((uint32_t)(data[12])) << 6)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[12] >> 4) | (((uint32_t)(data[13])) << 4)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, ((data[13] >> 6) | (((uint32_t)(data[14])) << 2))); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round(state, data[15] ^ state->domain); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round(state, state->domain >> 10); + + /* Revert to the default domain separator for the next block */ + state->domain = 0; +} + +/** + * \brief Mixes an input block into a DrySPONGE256 state. + * + * \param state The DrySPONGE256 state. + * \param data Full rate block containing the input data. + */ +static void drysponge256_mix_phase + (drysponge256_state_t *state, const unsigned char data[DRYSPONGE256_RATE]) +{ + /* Mix 18-bit groups into the output, with the domain in the last group */ + drysponge256_mix_phase_round + (state, data[0] | (((uint32_t)(data[1])) << 8) | + (((uint32_t)(data[2])) << 16)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[2] >> 2) | (((uint32_t)(data[3])) << 6) | + (((uint32_t)(data[4])) << 14)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[4] >> 4) | (((uint32_t)(data[5])) << 4) | + (((uint32_t)(data[6])) << 12)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[6] >> 6) | (((uint32_t)(data[7])) << 2) | + (((uint32_t)(data[8])) << 10)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, data[9] | (((uint32_t)(data[10])) << 8) | + (((uint32_t)(data[11])) << 16)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[11] >> 2) | (((uint32_t)(data[12])) << 6) | + (((uint32_t)(data[13])) << 14)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[13] >> 4) | (((uint32_t)(data[14])) << 4) | + (((uint32_t)(data[15])) << 12)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[15] >> 6) ^ state->domain); + + /* Revert to the default domain separator for the next block */ + state->domain = 0; +} + +void drysponge128_f_absorb + (drysponge128_state_t *state, const unsigned char *input, unsigned len) +{ + if (len >= DRYSPONGE128_RATE) { + drysponge128_mix_phase(state, input); + } else { + unsigned char padded[DRYSPONGE128_RATE]; + memcpy(padded, input, len); + padded[len] = 0x01; + memset(padded + len + 1, 0, DRYSPONGE128_RATE - len - 1); + drysponge128_mix_phase(state, padded); + } +} + +void drysponge256_f_absorb + (drysponge256_state_t *state, const unsigned char *input, unsigned len) +{ + if (len >= DRYSPONGE256_RATE) { + drysponge256_mix_phase(state, input); + } else { + unsigned char padded[DRYSPONGE256_RATE]; + memcpy(padded, input, len); + padded[len] = 0x01; + memset(padded + len + 1, 0, DRYSPONGE256_RATE - len - 1); + drysponge256_mix_phase(state, padded); + } +} + +/** + * \brief Determine if some of the words of an "x" value are identical. + * + * \param x Points to the "x" buffer to check. + * + * \return Non-zero if some of the words are the same, zero if they are + * distinct from each other. + * + * We try to perform the check in constant time to avoid giving away + * any information about the value of the key. + */ +static int drysponge_x_words_are_same(const uint32_t x[4]) +{ + unsigned i, j; + int result = 0; + for (i = 0; i < 3; ++i) { + for (j = i + 1; j < 4; ++j) { + uint32_t check = x[i] ^ x[j]; + result |= (int)((0x100000000ULL - check) >> 32); + } + } + return result; +} + +void drysponge128_setup + (drysponge128_state_t *state, const unsigned char *key, + const unsigned char *nonce, int final_block) +{ + /* Fill the GASCON-128 state with repeated copies of the key */ + memcpy(state->c.B, key, 16); + memcpy(state->c.B + 16, key, 16); + memcpy(state->c.B + 32, key, 8); + + /* Generate the "x" value for the state. All four words of "x" + * must be unique because they will be used in drysponge_select_x() + * as stand-ins for the bit pairs 00, 01, 10, and 11. + * + * Run the core block operation over and over until "x" is unique. + * Technically the runtime here is key-dependent and not constant. + * If the input key is randomized, this should only take 1 round + * on average so it is "almost constant time". + */ + do { + gascon128_core_round(&(state->c), 0); + } while (drysponge_x_words_are_same(state->c.W)); + memcpy(state->x.W, state->c.W, sizeof(state->x)); + + /* Replace the generated "x" value in the state with the key prefix */ + memcpy(state->c.W, key, sizeof(state->x)); + + /* Absorb the nonce into the state with an increased number of rounds */ + state->rounds = DRYSPONGE128_INIT_ROUNDS; + state->domain = DRYDOMAIN128_NONCE; + if (final_block) + state->domain |= DRYDOMAIN128_FINAL; + drysponge128_f_absorb(state, nonce, 16); + drysponge128_g(state); + + /* Set up the normal number of rounds for future operations */ + state->rounds = DRYSPONGE128_ROUNDS; +} + +void drysponge256_setup + (drysponge256_state_t *state, const unsigned char *key, + const unsigned char *nonce, int final_block) +{ + /* Fill the GASCON-256 state with repeated copies of the key */ + memcpy(state->c.B, key, 32); + memcpy(state->c.B + 32, key, 32); + memcpy(state->c.B + 64, key, 8); + + /* Generate the "x" value for the state */ + do { + gascon256_core_round(&(state->c), 0); + } while (drysponge_x_words_are_same(state->c.W)); + memcpy(state->x.W, state->c.W, sizeof(state->x)); + + /* Replace the generated "x" value in the state with the key prefix */ + memcpy(state->c.W, key, sizeof(state->x)); + + /* Absorb the nonce into the state with an increased number of rounds */ + state->rounds = DRYSPONGE256_INIT_ROUNDS; + state->domain = DRYDOMAIN256_NONCE; + if (final_block) + state->domain |= DRYDOMAIN256_FINAL; + drysponge256_f_absorb(state, nonce, 16); + drysponge256_g(state); + + /* Set up the normal number of rounds for future operations */ + state->rounds = DRYSPONGE256_ROUNDS; +} diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.h b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.h new file mode 100644 index 0000000..05b0c16 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.h @@ -0,0 +1,345 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_DRYSPONGE_H +#define LW_INTERNAL_DRYSPONGE_H + +#include "internal-util.h" + +/** + * \file internal-drysponge.h + * \brief Internal implementation of DrySPONGE for the DryGASCON cipher. + * + * References: https://github.com/sebastien-riou/DryGASCON + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the GASCON-128 permutation state in bytes. + */ +#define GASCON128_STATE_SIZE 40 + +/** + * \brief Size of the GASCON-256 permutation state in bytes. + */ +#define GASCON256_STATE_SIZE 72 + +/** + * \brief Rate of absorption and squeezing for DrySPONGE128. + */ +#define DRYSPONGE128_RATE 16 + +/** + * \brief Rate of absorption and squeezing for DrySPONGE256. + */ +#define DRYSPONGE256_RATE 16 + +/** + * \brief Size of the "x" value for DrySPONGE128. + */ +#define DRYSPONGE128_XSIZE 16 + +/** + * \brief Size of the "x" value for DrySPONGE256. + */ +#define DRYSPONGE256_XSIZE 16 + +/** + * \brief Normal number of rounds for DrySPONGE128 when absorbing + * and squeezing data. + */ +#define DRYSPONGE128_ROUNDS 7 + +/** + * \brief Number of rounds for DrySPONGE128 during initialization. + */ +#define DRYSPONGE128_INIT_ROUNDS 11 + +/** + * \brief Normal number of rounds for DrySPONGE256 when absorbing + * and squeezing data. + */ +#define DRYSPONGE256_ROUNDS 8 + +/** + * \brief Number of rounds for DrySPONGE256 during initialization. + */ +#define DRYSPONGE256_INIT_ROUNDS 12 + +/** + * \brief DrySPONGE128 domain bit for a padded block. + */ +#define DRYDOMAIN128_PADDED (1 << 8) + +/** + * \brief DrySPONGE128 domain bit for a final block. + */ +#define DRYDOMAIN128_FINAL (1 << 9) + +/** + * \brief DrySPONGE128 domain value for processing the nonce. + */ +#define DRYDOMAIN128_NONCE (1 << 10) + +/** + * \brief DrySPONGE128 domain value for processing the associated data. + */ +#define DRYDOMAIN128_ASSOC_DATA (2 << 10) + +/** + * \brief DrySPONGE128 domain value for processing the message. + */ +#define DRYDOMAIN128_MESSAGE (3 << 10) + +/** + * \brief DrySPONGE256 domain bit for a padded block. + */ +#define DRYDOMAIN256_PADDED (1 << 2) + +/** + * \brief DrySPONGE256 domain bit for a final block. + */ +#define DRYDOMAIN256_FINAL (1 << 3) + +/** + * \brief DrySPONGE256 domain value for processing the nonce. + */ +#define DRYDOMAIN256_NONCE (1 << 4) + +/** + * \brief DrySPONGE256 domain value for processing the associated data. + */ +#define DRYDOMAIN256_ASSOC_DATA (2 << 4) + +/** + * \brief DrySPONGE256 domain value for processing the message. + */ +#define DRYDOMAIN256_MESSAGE (3 << 4) + +/** + * \brief Internal state of the GASCON-128 permutation. + */ +typedef union +{ + uint64_t S[GASCON128_STATE_SIZE / 8]; /**< 64-bit words of the state */ + uint32_t W[GASCON128_STATE_SIZE / 4]; /**< 32-bit words of the state */ + uint8_t B[GASCON128_STATE_SIZE]; /**< Bytes of the state */ + +} gascon128_state_t; + +/** + * \brief Internal state of the GASCON-256 permutation. + */ +typedef union +{ + uint64_t S[GASCON256_STATE_SIZE / 8]; /**< 64-bit words of the state */ + uint32_t W[GASCON256_STATE_SIZE / 4]; /**< 32-bit words of the state */ + uint8_t B[GASCON256_STATE_SIZE]; /**< Bytes of the state */ + +} gascon256_state_t; + +/** + * \brief Structure of a rate block for DrySPONGE128. + */ +typedef union +{ + uint64_t S[DRYSPONGE128_RATE / 8]; /**< 64-bit words of the rate */ + uint32_t W[DRYSPONGE128_RATE / 4]; /**< 32-bit words of the rate */ + uint8_t B[DRYSPONGE128_RATE]; /**< Bytes of the rate */ + +} drysponge128_rate_t; + +/** + * \brief Structure of a rate block for DrySPONGE256. + */ +typedef union +{ + uint64_t S[DRYSPONGE256_RATE / 8]; /**< 64-bit words of the rate */ + uint32_t W[DRYSPONGE256_RATE / 4]; /**< 32-bit words of the rate */ + uint8_t B[DRYSPONGE256_RATE]; /**< Bytes of the rate */ + +} drysponge256_rate_t; + +/** + * \brief Structure of the "x" value for DrySPONGE128. + */ +typedef union +{ + uint64_t S[DRYSPONGE128_XSIZE / 8]; /**< 64-bit words of the rate */ + uint32_t W[DRYSPONGE128_XSIZE / 4]; /**< 32-bit words of the rate */ + uint8_t B[DRYSPONGE128_XSIZE]; /**< Bytes of the rate */ + +} drysponge128_x_t; + +/** + * \brief Structure of the "x" value for DrySPONGE256. + */ +typedef union +{ + uint64_t S[DRYSPONGE256_XSIZE / 8]; /**< 64-bit words of the rate */ + uint32_t W[DRYSPONGE256_XSIZE / 4]; /**< 32-bit words of the rate */ + uint8_t B[DRYSPONGE256_XSIZE]; /**< Bytes of the rate */ + +} drysponge256_x_t; + +/** + * \brief Structure of the rolling DrySPONGE128 state. + */ +typedef struct +{ + gascon128_state_t c; /**< GASCON-128 state for the capacity */ + drysponge128_rate_t r; /**< Buffer for a rate block of data */ + drysponge128_x_t x; /**< "x" value for the sponge */ + uint32_t domain; /**< Domain value to mix on next F call */ + uint32_t rounds; /**< Number of rounds for next G call */ + +} drysponge128_state_t; + +/** + * \brief Structure of the rolling DrySPONGE256 state. + */ +typedef struct +{ + gascon256_state_t c; /**< GASCON-256 state for the capacity */ + drysponge256_rate_t r; /**< Buffer for a rate block of data */ + drysponge256_x_t x; /**< "x" value for the sponge */ + uint32_t domain; /**< Domain value to mix on next F call */ + uint32_t rounds; /**< Number of rounds for next G call */ + +} drysponge256_state_t; + +/** + * \brief Permutes the GASCON-128 state using one iteration of CoreRound. + * + * \param state The GASCON-128 state to be permuted. + * \param round The round number. + * + * The input and output \a state will be in little-endian byte order. + */ +void gascon128_core_round(gascon128_state_t *state, uint8_t round); + +/** + * \brief Permutes the GASCON-256 state using one iteration of CoreRound. + * + * \param state The GASCON-256 state to be permuted. + * \param round The round number. + * + * The input and output \a state will be in little-endian byte order. + */ +void gascon256_core_round(gascon256_state_t *state, uint8_t round); + +/** + * \brief Performs the DrySPONGE128 G function which runs the core + * rounds and squeezes data out of the GASGON-128 state. + * + * \param state The DrySPONGE128 state. + * + * The data that is squeezed out will be in state->r on exit. + */ +void drysponge128_g(drysponge128_state_t *state); + +/** + * \brief Performs the DrySPONGE256 G function which runs the core + * rounds and squeezes data out of the GASGON-256 state. + * + * \param state The DrySPONGE256 state. + * + * The data that is squeezed out will be in state->r on exit. + */ +void drysponge256_g(drysponge256_state_t *state); + +/** + * \brief Performs the DrySPONGE128 G function which runs the core + * rounds but does not squeeze out any output. + * + * \param state The DrySPONGE128 state. + */ +void drysponge128_g_core(drysponge128_state_t *state); + +/** + * \brief Performs the DrySPONGE256 G function which runs the core + * rounds but does not squeeze out any output. + * + * \param state The DrySPONGE256 state. + */ +void drysponge256_g_core(drysponge256_state_t *state); + +/** + * \brief Performs the absorption phase of the DrySPONGE128 F function. + * + * \param state The DrySPONGE128 state. + * \param input The block of input data to incorporate into the state. + * \param len The length of the input block, which must be less than + * or equal to DRYSPONGE128_RATE. Smaller input blocks will be padded. + * + * This function must be followed by a call to drysponge128_g() or + * drysponge128_g_core() to perform the full F operation. + */ +void drysponge128_f_absorb + (drysponge128_state_t *state, const unsigned char *input, unsigned len); + +/** + * \brief Performs the absorption phase of the DrySPONGE256 F function. + * + * \param state The DrySPONGE256 state. + * \param input The block of input data to incorporate into the state. + * \param len The length of the input block, which must be less than + * or equal to DRYSPONGE256_RATE. Smaller input blocks will be padded. + * + * This function must be followed by a call to drysponge256_g() or + * drysponge256_g_core() to perform the full F operation. + */ +void drysponge256_f_absorb + (drysponge256_state_t *state, const unsigned char *input, unsigned len); + +/** + * \brief Set up a DrySPONGE128 state to begin encryption or decryption. + * + * \param state The DrySPONGE128 state. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the 16 bytes of the nonce. + * \param final_block Non-zero if after key setup there will be no more blocks. + */ +void drysponge128_setup + (drysponge128_state_t *state, const unsigned char *key, + const unsigned char *nonce, int final_block); + +/** + * \brief Set up a DrySPONGE256 state to begin encryption or decryption. + * + * \param state The DrySPONGE256 state. + * \param key Points to the 32 bytes of the key. + * \param nonce Points to the 16 bytes of the nonce. + * \param final_block Non-zero if after key setup there will be no more blocks. + */ +void drysponge256_setup + (drysponge256_state_t *state, const unsigned char *key, + const unsigned char *nonce, int final_block); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-util.h b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.c b/drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.h b/drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/api.h b/drygascon/Implementations/crypto_aead/drygascon256/rhys/api.h new file mode 100644 index 0000000..75fabd7 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 32 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 32 +#define CRYPTO_NOOVERLAP 1 diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.c b/drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.c new file mode 100644 index 0000000..e963903 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.c @@ -0,0 +1,421 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "drygascon.h" +#include "internal-drysponge.h" +#include + +aead_cipher_t const drygascon128_cipher = { + "DryGASCON128", + DRYGASCON128_KEY_SIZE, + DRYGASCON128_NONCE_SIZE, + DRYGASCON128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + drygascon128_aead_encrypt, + drygascon128_aead_decrypt +}; + +aead_cipher_t const drygascon256_cipher = { + "DryGASCON256", + DRYGASCON256_KEY_SIZE, + DRYGASCON256_NONCE_SIZE, + DRYGASCON256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + drygascon256_aead_encrypt, + drygascon256_aead_decrypt +}; + +aead_hash_algorithm_t const drygascon128_hash_algorithm = { + "DryGASCON128-HASH", + sizeof(int), + DRYGASCON128_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + drygascon128_hash, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const drygascon256_hash_algorithm = { + "DryGASCON256-HASH", + sizeof(int), + DRYGASCON256_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + drygascon256_hash, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \brief Processes associated data for DryGASCON128. + * + * \param state DrySPONGE128 sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must not be zero. + * \param finalize Non-zero to finalize packet processing because + * the message is zero-length. + */ +static void drygascon128_process_ad + (drysponge128_state_t *state, const unsigned char *ad, + unsigned long long adlen, int finalize) +{ + /* Process all blocks except the last one */ + while (adlen > DRYSPONGE128_RATE) { + drysponge128_f_absorb(state, ad, DRYSPONGE128_RATE); + drysponge128_g_core(state); + ad += DRYSPONGE128_RATE; + adlen -= DRYSPONGE128_RATE; + } + + /* Process the last block with domain separation and padding */ + state->domain = DRYDOMAIN128_ASSOC_DATA; + if (finalize) + state->domain |= DRYDOMAIN128_FINAL; + if (adlen < DRYSPONGE128_RATE) + state->domain |= DRYDOMAIN128_PADDED; + drysponge128_f_absorb(state, ad, (unsigned)adlen); + drysponge128_g(state); +} + +/** + * \brief Processes associated data for DryGASCON256. + * + * \param state DrySPONGE256 sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must not be zero. + * \param finalize Non-zero to finalize packet processing because + * the message is zero-length. + */ +static void drygascon256_process_ad + (drysponge256_state_t *state, const unsigned char *ad, + unsigned long long adlen, int finalize) +{ + /* Process all blocks except the last one */ + while (adlen > DRYSPONGE256_RATE) { + drysponge256_f_absorb(state, ad, DRYSPONGE256_RATE); + drysponge256_g_core(state); + ad += DRYSPONGE256_RATE; + adlen -= DRYSPONGE256_RATE; + } + + /* Process the last block with domain separation and padding */ + state->domain = DRYDOMAIN256_ASSOC_DATA; + if (finalize) + state->domain |= DRYDOMAIN256_FINAL; + if (adlen < DRYSPONGE256_RATE) + state->domain |= DRYDOMAIN256_PADDED; + drysponge256_f_absorb(state, ad, (unsigned)adlen); + drysponge256_g(state); +} + +int drygascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + drysponge128_state_t state; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DRYGASCON128_TAG_SIZE; + + /* Initialize the sponge state with the key and nonce */ + drysponge128_setup(&state, k, npub, adlen == 0 && mlen == 0); + + /* Process the associated data */ + if (adlen > 0) + drygascon128_process_ad(&state, ad, adlen, mlen == 0); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + /* Processs all blocks except the last one */ + while (mlen > DRYSPONGE128_RATE) { + drysponge128_f_absorb(&state, m, DRYSPONGE128_RATE); + lw_xor_block_2_src(c, m, state.r.B, DRYSPONGE128_RATE); + drysponge128_g(&state); + c += DRYSPONGE128_RATE; + m += DRYSPONGE128_RATE; + mlen -= DRYSPONGE128_RATE; + } + + /* Process the last block with domain separation and padding */ + state.domain = DRYDOMAIN128_MESSAGE | DRYDOMAIN128_FINAL; + if (mlen < DRYSPONGE128_RATE) + state.domain |= DRYDOMAIN128_PADDED; + temp = (unsigned)mlen; + drysponge128_f_absorb(&state, m, temp); + lw_xor_block_2_src(c, m, state.r.B, temp); + drysponge128_g(&state); + c += temp; + } + + /* Generate the authentication tag */ + memcpy(c, state.r.B, DRYGASCON128_TAG_SIZE); + return 0; +} + +int drygascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + drysponge128_state_t state; + unsigned char *mtemp = m; + unsigned temp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DRYGASCON128_TAG_SIZE) + return -1; + *mlen = clen - DRYGASCON128_TAG_SIZE; + + /* Initialize the sponge state with the key and nonce */ + clen -= DRYGASCON128_TAG_SIZE; + drysponge128_setup(&state, k, npub, adlen == 0 && clen == 0); + + /* Process the associated data */ + if (adlen > 0) + drygascon128_process_ad(&state, ad, adlen, clen == 0); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + /* Processs all blocks except the last one */ + while (clen > DRYSPONGE128_RATE) { + lw_xor_block_2_src(m, c, state.r.B, DRYSPONGE128_RATE); + drysponge128_f_absorb(&state, m, DRYSPONGE128_RATE); + drysponge128_g(&state); + c += DRYSPONGE128_RATE; + m += DRYSPONGE128_RATE; + clen -= DRYSPONGE128_RATE; + } + + /* Process the last block with domain separation and padding */ + state.domain = DRYDOMAIN128_MESSAGE | DRYDOMAIN128_FINAL; + if (clen < DRYSPONGE128_RATE) + state.domain |= DRYDOMAIN128_PADDED; + temp = (unsigned)clen; + lw_xor_block_2_src(m, c, state.r.B, temp); + drysponge128_f_absorb(&state, m, temp); + drysponge128_g(&state); + c += temp; + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, state.r.B, c, DRYGASCON128_TAG_SIZE); +} + +int drygascon256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + drysponge256_state_t state; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DRYGASCON256_TAG_SIZE; + + /* Initialize the sponge state with the key and nonce */ + drysponge256_setup(&state, k, npub, adlen == 0 && mlen == 0); + + /* Process the associated data */ + if (adlen > 0) + drygascon256_process_ad(&state, ad, adlen, mlen == 0); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + /* Processs all blocks except the last one */ + while (mlen > DRYSPONGE256_RATE) { + drysponge256_f_absorb(&state, m, DRYSPONGE256_RATE); + lw_xor_block_2_src(c, m, state.r.B, DRYSPONGE256_RATE); + drysponge256_g(&state); + c += DRYSPONGE256_RATE; + m += DRYSPONGE256_RATE; + mlen -= DRYSPONGE256_RATE; + } + + /* Process the last block with domain separation and padding */ + state.domain = DRYDOMAIN256_MESSAGE | DRYDOMAIN256_FINAL; + if (mlen < DRYSPONGE256_RATE) + state.domain |= DRYDOMAIN256_PADDED; + temp = (unsigned)mlen; + drysponge256_f_absorb(&state, m, temp); + lw_xor_block_2_src(c, m, state.r.B, temp); + drysponge256_g(&state); + c += temp; + } + + /* Generate the authentication tag */ + memcpy(c, state.r.B, 16); + drysponge256_g(&state); + memcpy(c + 16, state.r.B, 16); + return 0; +} + +int drygascon256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + drysponge256_state_t state; + unsigned char *mtemp = m; + unsigned temp; + int result; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DRYGASCON256_TAG_SIZE) + return -1; + *mlen = clen - DRYGASCON256_TAG_SIZE; + + /* Initialize the sponge state with the key and nonce */ + clen -= DRYGASCON256_TAG_SIZE; + drysponge256_setup(&state, k, npub, adlen == 0 && clen == 0); + + /* Process the associated data */ + if (adlen > 0) + drygascon256_process_ad(&state, ad, adlen, clen == 0); + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + /* Processs all blocks except the last one */ + while (clen > DRYSPONGE256_RATE) { + lw_xor_block_2_src(m, c, state.r.B, DRYSPONGE256_RATE); + drysponge256_f_absorb(&state, m, DRYSPONGE256_RATE); + drysponge256_g(&state); + c += DRYSPONGE256_RATE; + m += DRYSPONGE256_RATE; + clen -= DRYSPONGE256_RATE; + } + + /* Process the last block with domain separation and padding */ + state.domain = DRYDOMAIN256_MESSAGE | DRYDOMAIN256_FINAL; + if (clen < DRYSPONGE256_RATE) + state.domain |= DRYDOMAIN256_PADDED; + temp = (unsigned)clen; + lw_xor_block_2_src(m, c, state.r.B, temp); + drysponge256_f_absorb(&state, m, temp); + drysponge256_g(&state); + c += temp; + } + + /* Check the authentication tag which is split into two pieces */ + result = aead_check_tag(0, 0, state.r.B, c, 16); + drysponge256_g(&state); + return aead_check_tag_precheck + (mtemp, *mlen, state.r.B, c + 16, 16, ~result); +} + +/** + * \brief Precomputed initialization vector for DryGASCON128-HASH. + * + * This is the CST_H value from the DryGASCON specification after it + * has been processed by the key setup function for DrySPONGE128. + */ +static unsigned char const drygascon128_hash_init[] = { + /* c */ + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + /* x */ + 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0, + 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89 +}; + +int drygascon128_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + drysponge128_state_t state; + memcpy(state.c.B, drygascon128_hash_init, sizeof(state.c.B)); + memcpy(state.x.B, drygascon128_hash_init + sizeof(state.c.B), + sizeof(state.x.B)); + state.domain = 0; + state.rounds = DRYSPONGE128_ROUNDS; + drygascon128_process_ad(&state, in, inlen, 1); + memcpy(out, state.r.B, 16); + drysponge128_g(&state); + memcpy(out + 16, state.r.B, 16); + return 0; +} + +/** + * \brief Precomputed initialization vector for DryGASCON256-HASH. + * + * This is the CST_H value from the DryGASCON specification after it + * has been processed by the key setup function for DrySPONGE256. + */ +static unsigned char const drygascon256_hash_init[] = { + /* c */ + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, + 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0, + 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89, + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, + 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0, + 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89, + 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, + /* x */ + 0x45, 0x28, 0x21, 0xe6, 0x38, 0xd0, 0x13, 0x77, + 0xbe, 0x54, 0x66, 0xcf, 0x34, 0xe9, 0x0c, 0x6c +}; + +int drygascon256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + drysponge256_state_t state; + memcpy(state.c.B, drygascon256_hash_init, sizeof(state.c.B)); + memcpy(state.x.B, drygascon256_hash_init + sizeof(state.c.B), + sizeof(state.x.B)); + state.domain = 0; + state.rounds = DRYSPONGE256_ROUNDS; + drygascon256_process_ad(&state, in, inlen, 1); + memcpy(out, state.r.B, 16); + drysponge256_g(&state); + memcpy(out + 16, state.r.B, 16); + drysponge256_g(&state); + memcpy(out + 32, state.r.B, 16); + drysponge256_g(&state); + memcpy(out + 48, state.r.B, 16); + return 0; +} diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.h b/drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.h new file mode 100644 index 0000000..12e18c3 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/drygascon.h @@ -0,0 +1,264 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_DRYGASCON_H +#define LWCRYPTO_DRYGASCON_H + +#include "aead-common.h" + +/** + * \file drygascon.h + * \brief DryGASCON authenticated encryption algorithm. + * + * DryGASCON is a family of authenticated encryption algorithms based + * around a generalised version of the ASCON permutation. DryGASCON + * is designed to provide some protection against power analysis. + * + * There are four algorithms in the DryGASCON family: + * + * \li DryGASCON128 is an authenticated encryption algorithm with a + * 128-bit key, a 128-bit nonce, and a 128-bit authentication tag. + * \li DryGASCON256 is an authenticated encryption algorithm with a + * 256-bit key, a 128-bit nonce, and a 128-256 authentication tag. + * \li DryGASCON128-HASH is a hash algorithm with a 256-bit output. + * \li DryGASCON256-HASH is a hash algorithm with a 512-bit output. + * + * DryGASCON128 and DryGASCON128-HASH are the primary members of the family. + * + * References: https://github.com/sebastien-riou/DryGASCON + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for DryGASCON128. + */ +#define DRYGASCON128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for DryGASCON128. + */ +#define DRYGASCON128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for DryGASCON128. + */ +#define DRYGASCON128_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for DryGASCON128-HASH. + */ +#define DRYGASCON128_HASH_SIZE 32 + +/** + * \brief Size of the key for DryGASCON256. + */ +#define DRYGASCON256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for DryGASCON256. + */ +#define DRYGASCON256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for DryGASCON256. + */ +#define DRYGASCON256_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for DryGASCON256-HASH. + */ +#define DRYGASCON256_HASH_SIZE 64 + +/** + * \brief Meta-information block for the DryGASCON128 cipher. + */ +extern aead_cipher_t const drygascon128_cipher; + +/** + * \brief Meta-information block for the DryGASCON256 cipher. + */ +extern aead_cipher_t const drygascon256_cipher; + +/** + * \brief Meta-information block for DryGASCON128-HASH. + */ +extern aead_hash_algorithm_t const drygascon128_hash_algorithm; + +/** + * \brief Meta-information block for DryGASCON256-HASH. + */ +extern aead_hash_algorithm_t const drygascon256_hash_algorithm; + +/** + * \brief Encrypts and authenticates a packet with DryGASCON128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa drygascon128_aead_decrypt() + */ +int drygascon128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with DryGASCON128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa drygascon128_aead_encrypt() + */ +int drygascon128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with DryGASCON256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa drygascon256_aead_decrypt() + */ +int drygascon256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with DryGASCON256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa drygascon256_aead_encrypt() + */ +int drygascon256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with DRYGASCON128. + * + * \param out Buffer to receive the hash output which must be at least + * DRYGASCON128_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int drygascon128_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with DRYGASCON256. + * + * \param out Buffer to receive the hash output which must be at least + * DRYGASCON256_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int drygascon256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/encrypt.c b/drygascon/Implementations/crypto_aead/drygascon256/rhys/encrypt.c new file mode 100644 index 0000000..9f3c373 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "drygascon.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return drygascon256_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return drygascon256_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.c b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.c new file mode 100644 index 0000000..67f1b27 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.c @@ -0,0 +1,600 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-drysponge.h" +#include + +/* Right rotations in bit-interleaved format */ +#define intRightRotateEven(x,bits) \ + (__extension__ ({ \ + uint32_t _x0 = (uint32_t)(x); \ + uint32_t _x1 = (uint32_t)((x) >> 32); \ + _x0 = rightRotate(_x0, (bits)); \ + _x1 = rightRotate(_x1, (bits)); \ + _x0 | (((uint64_t)_x1) << 32); \ + })) +#define intRightRotateOdd(x,bits) \ + (__extension__ ({ \ + uint32_t _x0 = (uint32_t)(x); \ + uint32_t _x1 = (uint32_t)((x) >> 32); \ + _x0 = rightRotate(_x0, ((bits) + 1) % 32); \ + _x1 = rightRotate(_x1, (bits)); \ + _x1 | (((uint64_t)_x0) << 32); \ + })) +#define intRightRotate1_64(x) \ + (__extension__ ({ \ + uint32_t _x0 = (uint32_t)(x); \ + uint32_t _x1 = (uint32_t)((x) >> 32); \ + _x0 = rightRotate1(_x0); \ + _x1 | (((uint64_t)_x0) << 32); \ + })) +#define intRightRotate2_64(x) (intRightRotateEven((x), 1)) +#define intRightRotate3_64(x) (intRightRotateOdd((x), 1)) +#define intRightRotate4_64(x) (intRightRotateEven((x), 2)) +#define intRightRotate5_64(x) (intRightRotateOdd((x), 2)) +#define intRightRotate6_64(x) (intRightRotateEven((x), 3)) +#define intRightRotate7_64(x) (intRightRotateOdd((x), 3)) +#define intRightRotate8_64(x) (intRightRotateEven((x), 4)) +#define intRightRotate9_64(x) (intRightRotateOdd((x), 4)) +#define intRightRotate10_64(x) (intRightRotateEven((x), 5)) +#define intRightRotate11_64(x) (intRightRotateOdd((x), 5)) +#define intRightRotate12_64(x) (intRightRotateEven((x), 6)) +#define intRightRotate13_64(x) (intRightRotateOdd((x), 6)) +#define intRightRotate14_64(x) (intRightRotateEven((x), 7)) +#define intRightRotate15_64(x) (intRightRotateOdd((x), 7)) +#define intRightRotate16_64(x) (intRightRotateEven((x), 8)) +#define intRightRotate17_64(x) (intRightRotateOdd((x), 8)) +#define intRightRotate18_64(x) (intRightRotateEven((x), 9)) +#define intRightRotate19_64(x) (intRightRotateOdd((x), 9)) +#define intRightRotate20_64(x) (intRightRotateEven((x), 10)) +#define intRightRotate21_64(x) (intRightRotateOdd((x), 10)) +#define intRightRotate22_64(x) (intRightRotateEven((x), 11)) +#define intRightRotate23_64(x) (intRightRotateOdd((x), 11)) +#define intRightRotate24_64(x) (intRightRotateEven((x), 12)) +#define intRightRotate25_64(x) (intRightRotateOdd((x), 12)) +#define intRightRotate26_64(x) (intRightRotateEven((x), 13)) +#define intRightRotate27_64(x) (intRightRotateOdd((x), 13)) +#define intRightRotate28_64(x) (intRightRotateEven((x), 14)) +#define intRightRotate29_64(x) (intRightRotateOdd((x), 14)) +#define intRightRotate30_64(x) (intRightRotateEven((x), 15)) +#define intRightRotate31_64(x) (intRightRotateOdd((x), 15)) +#define intRightRotate32_64(x) (intRightRotateEven((x), 16)) +#define intRightRotate33_64(x) (intRightRotateOdd((x), 16)) +#define intRightRotate34_64(x) (intRightRotateEven((x), 17)) +#define intRightRotate35_64(x) (intRightRotateOdd((x), 17)) +#define intRightRotate36_64(x) (intRightRotateEven((x), 18)) +#define intRightRotate37_64(x) (intRightRotateOdd((x), 18)) +#define intRightRotate38_64(x) (intRightRotateEven((x), 19)) +#define intRightRotate39_64(x) (intRightRotateOdd((x), 19)) +#define intRightRotate40_64(x) (intRightRotateEven((x), 20)) +#define intRightRotate41_64(x) (intRightRotateOdd((x), 20)) +#define intRightRotate42_64(x) (intRightRotateEven((x), 21)) +#define intRightRotate43_64(x) (intRightRotateOdd((x), 21)) +#define intRightRotate44_64(x) (intRightRotateEven((x), 22)) +#define intRightRotate45_64(x) (intRightRotateOdd((x), 22)) +#define intRightRotate46_64(x) (intRightRotateEven((x), 23)) +#define intRightRotate47_64(x) (intRightRotateOdd((x), 23)) +#define intRightRotate48_64(x) (intRightRotateEven((x), 24)) +#define intRightRotate49_64(x) (intRightRotateOdd((x), 24)) +#define intRightRotate50_64(x) (intRightRotateEven((x), 25)) +#define intRightRotate51_64(x) (intRightRotateOdd((x), 25)) +#define intRightRotate52_64(x) (intRightRotateEven((x), 26)) +#define intRightRotate53_64(x) (intRightRotateOdd((x), 26)) +#define intRightRotate54_64(x) (intRightRotateEven((x), 27)) +#define intRightRotate55_64(x) (intRightRotateOdd((x), 27)) +#define intRightRotate56_64(x) (intRightRotateEven((x), 28)) +#define intRightRotate57_64(x) (intRightRotateOdd((x), 28)) +#define intRightRotate58_64(x) (intRightRotateEven((x), 29)) +#define intRightRotate59_64(x) (intRightRotateOdd((x), 29)) +#define intRightRotate60_64(x) (intRightRotateEven((x), 30)) +#define intRightRotate61_64(x) (intRightRotateOdd((x), 30)) +#define intRightRotate62_64(x) (intRightRotateEven((x), 31)) +#define intRightRotate63_64(x) (intRightRotateOdd((x), 31)) + +void gascon128_core_round(gascon128_state_t *state, uint8_t round) +{ + uint64_t t0, t1, t2, t3, t4; + + /* Load the state into local varaibles */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); +#endif + + /* Add the round constant to the middle of the state */ + x2 ^= ((0x0F - round) << 4) | round; + + /* Substitution layer */ + x0 ^= x4; x2 ^= x1; x4 ^= x3; t0 = (~x0) & x1; t1 = (~x1) & x2; + t2 = (~x2) & x3; t3 = (~x3) & x4; t4 = (~x4) & x0; x0 ^= t1; + x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; x1 ^= x0; x3 ^= x2; + x0 ^= x4; x2 = ~x2; + + /* Linear diffusion layer */ + x0 ^= intRightRotate19_64(x0) ^ intRightRotate28_64(x0); + x1 ^= intRightRotate61_64(x1) ^ intRightRotate38_64(x1); + x2 ^= intRightRotate1_64(x2) ^ intRightRotate6_64(x2); + x3 ^= intRightRotate10_64(x3) ^ intRightRotate17_64(x3); + x4 ^= intRightRotate7_64(x4) ^ intRightRotate40_64(x4); + + /* Write the local variables back to the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); +#endif +} + +void gascon256_core_round(gascon256_state_t *state, uint8_t round) +{ + uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8; + + /* Load the state into local varaibles */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; + uint64_t x5 = state->S[5]; + uint64_t x6 = state->S[6]; + uint64_t x7 = state->S[7]; + uint64_t x8 = state->S[8]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); + uint64_t x5 = le_load_word64(state->B + 40); + uint64_t x6 = le_load_word64(state->B + 48); + uint64_t x7 = le_load_word64(state->B + 56); + uint64_t x8 = le_load_word64(state->B + 64); +#endif + + /* Add the round constant to the middle of the state */ + x4 ^= ((0x0F - round) << 4) | round; + + /* Substitution layer */ + x0 ^= x8; x2 ^= x1; x4 ^= x3; x6 ^= x5; x8 ^= x7; t0 = (~x0) & x1; + t1 = (~x1) & x2; t2 = (~x2) & x3; t3 = (~x3) & x4; t4 = (~x4) & x5; + t5 = (~x5) & x6; t6 = (~x6) & x7; t7 = (~x7) & x8; t8 = (~x8) & x0; + x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t5; x5 ^= t6; x6 ^= t7; + x7 ^= t8; x8 ^= t0; x1 ^= x0; x3 ^= x2; x5 ^= x4; x7 ^= x6; x0 ^= x8; + x4 = ~x4; + + /* Linear diffusion layer */ + x0 ^= intRightRotate19_64(x0) ^ intRightRotate28_64(x0); + x1 ^= intRightRotate61_64(x1) ^ intRightRotate38_64(x1); + x2 ^= intRightRotate1_64(x2) ^ intRightRotate6_64(x2); + x3 ^= intRightRotate10_64(x3) ^ intRightRotate17_64(x3); + x4 ^= intRightRotate7_64(x4) ^ intRightRotate40_64(x4); + x5 ^= intRightRotate31_64(x5) ^ intRightRotate26_64(x5); + x6 ^= intRightRotate53_64(x6) ^ intRightRotate58_64(x6); + x7 ^= intRightRotate9_64(x7) ^ intRightRotate46_64(x7); + x8 ^= intRightRotate43_64(x8) ^ intRightRotate50_64(x8); + + /* Write the local variables back to the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; + state->S[5] = x5; + state->S[6] = x6; + state->S[7] = x7; + state->S[8] = x8; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); + le_store_word64(state->B + 40, x5); + le_store_word64(state->B + 48, x6); + le_store_word64(state->B + 56, x7); + le_store_word64(state->B + 64, x8); +#endif +} + +void drysponge128_g(drysponge128_state_t *state) +{ + unsigned round; + + /* Perform the first round. For each round we XOR the 16 bytes of + * the output data with the first 16 bytes of the state. And then + * XOR with the next 16 bytes of the state, rotated by 4 bytes */ + gascon128_core_round(&(state->c), 0); + state->r.W[0] = state->c.W[0] ^ state->c.W[5]; + state->r.W[1] = state->c.W[1] ^ state->c.W[6]; + state->r.W[2] = state->c.W[2] ^ state->c.W[7]; + state->r.W[3] = state->c.W[3] ^ state->c.W[4]; + + /* Perform the rest of the rounds */ + for (round = 1; round < state->rounds; ++round) { + gascon128_core_round(&(state->c), round); + state->r.W[0] ^= state->c.W[0] ^ state->c.W[5]; + state->r.W[1] ^= state->c.W[1] ^ state->c.W[6]; + state->r.W[2] ^= state->c.W[2] ^ state->c.W[7]; + state->r.W[3] ^= state->c.W[3] ^ state->c.W[4]; + } +} + +void drysponge256_g(drysponge256_state_t *state) +{ + unsigned round; + + /* Perform the first round. For each round we XOR the 16 bytes of + * the output data with the first 16 bytes of the state. And then + * XOR with the next 16 bytes of the state, rotated by 4 bytes. + * And so on for a total of 64 bytes XOR'ed into the output data. */ + gascon256_core_round(&(state->c), 0); + state->r.W[0] = state->c.W[0] ^ state->c.W[5] ^ + state->c.W[10] ^ state->c.W[15]; + state->r.W[1] = state->c.W[1] ^ state->c.W[6] ^ + state->c.W[11] ^ state->c.W[12]; + state->r.W[2] = state->c.W[2] ^ state->c.W[7] ^ + state->c.W[8] ^ state->c.W[13]; + state->r.W[3] = state->c.W[3] ^ state->c.W[4] ^ + state->c.W[9] ^ state->c.W[14]; + + /* Perform the rest of the rounds */ + for (round = 1; round < state->rounds; ++round) { + gascon256_core_round(&(state->c), round); + state->r.W[0] ^= state->c.W[0] ^ state->c.W[5] ^ + state->c.W[10] ^ state->c.W[15]; + state->r.W[1] ^= state->c.W[1] ^ state->c.W[6] ^ + state->c.W[11] ^ state->c.W[12]; + state->r.W[2] ^= state->c.W[2] ^ state->c.W[7] ^ + state->c.W[8] ^ state->c.W[13]; + state->r.W[3] ^= state->c.W[3] ^ state->c.W[4] ^ + state->c.W[9] ^ state->c.W[14]; + } +} + +void drysponge128_g_core(drysponge128_state_t *state) +{ + unsigned round; + for (round = 0; round < state->rounds; ++round) + gascon128_core_round(&(state->c), round); +} + +void drysponge256_g_core(drysponge256_state_t *state) +{ + unsigned round; + for (round = 0; round < state->rounds; ++round) + gascon256_core_round(&(state->c), round); +} + +/** + * \brief Selects an element of x in constant time. + * + * \param x Points to the four elements of x. + * \param index Index of which element to extract between 0 and 3. + * + * \return The selected element of x. + */ +STATIC_INLINE uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index) +{ + /* We need to be careful how we select each element of x because + * we are doing a data-dependent fetch here. Do the fetch in a way + * that should avoid cache timing issues by fetching every element + * of x and masking away the ones we don't want. + * + * There is a possible side channel here with respect to power analysis. + * The "mask" value will be all-ones for the selected index and all-zeroes + * for the other indexes. This may show up as different power consumption + * for the "result ^= x[i] & mask" statement when i is the selected index. + * Such a side channel could in theory allow reading the plaintext input + * to the cipher by analysing the CPU's power consumption. + * + * The DryGASCON specification acknowledges the possibility of plaintext + * recovery in section 7.4. For software mitigation the specification + * suggests randomization of the indexes into c and x and randomization + * of the order of processing words. We aren't doing that here yet. + * Patches welcome to fix this. + */ + uint32_t mask = -((uint32_t)((0x04 - index) >> 2)); + uint32_t result = x[0] & mask; + mask = -((uint32_t)((0x04 - (index ^ 0x01)) >> 2)); + result ^= x[1] & mask; + mask = -((uint32_t)((0x04 - (index ^ 0x02)) >> 2)); + result ^= x[2] & mask; + mask = -((uint32_t)((0x04 - (index ^ 0x03)) >> 2)); + return result ^ (x[3] & mask); +} + +/** + * \brief Mixes a 32-bit value into the DrySPONGE128 state. + * + * \param state DrySPONGE128 state. + * \param data The data to be mixed in the bottom 10 bits. + */ +static void drysponge128_mix_phase_round + (drysponge128_state_t *state, uint32_t data) +{ + /* Mix in elements from x according to the 2-bit indexes in the data */ + state->c.W[0] ^= drysponge_select_x(state->x.W, data & 0x03); + state->c.W[2] ^= drysponge_select_x(state->x.W, (data >> 2) & 0x03); + state->c.W[4] ^= drysponge_select_x(state->x.W, (data >> 4) & 0x03); + state->c.W[6] ^= drysponge_select_x(state->x.W, (data >> 6) & 0x03); + state->c.W[8] ^= drysponge_select_x(state->x.W, (data >> 8) & 0x03); +} + +/** + * \brief Mixes a 32-bit value into the DrySPONGE256 state. + * + * \param state DrySPONGE256 state. + * \param data The data to be mixed in the bottom 18 bits. + */ +static void drysponge256_mix_phase_round + (drysponge256_state_t *state, uint32_t data) +{ + /* Mix in elements from x according to the 2-bit indexes in the data */ + state->c.W[0] ^= drysponge_select_x(state->x.W, data & 0x03); + state->c.W[2] ^= drysponge_select_x(state->x.W, (data >> 2) & 0x03); + state->c.W[4] ^= drysponge_select_x(state->x.W, (data >> 4) & 0x03); + state->c.W[6] ^= drysponge_select_x(state->x.W, (data >> 6) & 0x03); + state->c.W[8] ^= drysponge_select_x(state->x.W, (data >> 8) & 0x03); + state->c.W[10] ^= drysponge_select_x(state->x.W, (data >> 10) & 0x03); + state->c.W[12] ^= drysponge_select_x(state->x.W, (data >> 12) & 0x03); + state->c.W[14] ^= drysponge_select_x(state->x.W, (data >> 14) & 0x03); + state->c.W[16] ^= drysponge_select_x(state->x.W, (data >> 16) & 0x03); +} + +/** + * \brief Mixes an input block into a DrySPONGE128 state. + * + * \param state The DrySPONGE128 state. + * \param data Full rate block containing the input data. + */ +static void drysponge128_mix_phase + (drysponge128_state_t *state, const unsigned char data[DRYSPONGE128_RATE]) +{ + /* Mix 10-bit groups into the output, with the domain + * separator added to the last two groups */ + drysponge128_mix_phase_round + (state, data[0] | (((uint32_t)(data[1])) << 8)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[1] >> 2) | (((uint32_t)(data[2])) << 6)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[2] >> 4) | (((uint32_t)(data[3])) << 4)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[3] >> 6) | (((uint32_t)(data[4])) << 2)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, data[5] | (((uint32_t)(data[6])) << 8)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[6] >> 2) | (((uint32_t)(data[7])) << 6)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[7] >> 4) | (((uint32_t)(data[8])) << 4)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[8] >> 6) | (((uint32_t)(data[9])) << 2)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, data[10] | (((uint32_t)(data[11])) << 8)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[11] >> 2) | (((uint32_t)(data[12])) << 6)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, (data[12] >> 4) | (((uint32_t)(data[13])) << 4)); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round + (state, ((data[13] >> 6) | (((uint32_t)(data[14])) << 2))); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round(state, data[15] ^ state->domain); + gascon128_core_round(&(state->c), 0); + drysponge128_mix_phase_round(state, state->domain >> 10); + + /* Revert to the default domain separator for the next block */ + state->domain = 0; +} + +/** + * \brief Mixes an input block into a DrySPONGE256 state. + * + * \param state The DrySPONGE256 state. + * \param data Full rate block containing the input data. + */ +static void drysponge256_mix_phase + (drysponge256_state_t *state, const unsigned char data[DRYSPONGE256_RATE]) +{ + /* Mix 18-bit groups into the output, with the domain in the last group */ + drysponge256_mix_phase_round + (state, data[0] | (((uint32_t)(data[1])) << 8) | + (((uint32_t)(data[2])) << 16)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[2] >> 2) | (((uint32_t)(data[3])) << 6) | + (((uint32_t)(data[4])) << 14)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[4] >> 4) | (((uint32_t)(data[5])) << 4) | + (((uint32_t)(data[6])) << 12)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[6] >> 6) | (((uint32_t)(data[7])) << 2) | + (((uint32_t)(data[8])) << 10)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, data[9] | (((uint32_t)(data[10])) << 8) | + (((uint32_t)(data[11])) << 16)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[11] >> 2) | (((uint32_t)(data[12])) << 6) | + (((uint32_t)(data[13])) << 14)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[13] >> 4) | (((uint32_t)(data[14])) << 4) | + (((uint32_t)(data[15])) << 12)); + gascon256_core_round(&(state->c), 0); + drysponge256_mix_phase_round + (state, (data[15] >> 6) ^ state->domain); + + /* Revert to the default domain separator for the next block */ + state->domain = 0; +} + +void drysponge128_f_absorb + (drysponge128_state_t *state, const unsigned char *input, unsigned len) +{ + if (len >= DRYSPONGE128_RATE) { + drysponge128_mix_phase(state, input); + } else { + unsigned char padded[DRYSPONGE128_RATE]; + memcpy(padded, input, len); + padded[len] = 0x01; + memset(padded + len + 1, 0, DRYSPONGE128_RATE - len - 1); + drysponge128_mix_phase(state, padded); + } +} + +void drysponge256_f_absorb + (drysponge256_state_t *state, const unsigned char *input, unsigned len) +{ + if (len >= DRYSPONGE256_RATE) { + drysponge256_mix_phase(state, input); + } else { + unsigned char padded[DRYSPONGE256_RATE]; + memcpy(padded, input, len); + padded[len] = 0x01; + memset(padded + len + 1, 0, DRYSPONGE256_RATE - len - 1); + drysponge256_mix_phase(state, padded); + } +} + +/** + * \brief Determine if some of the words of an "x" value are identical. + * + * \param x Points to the "x" buffer to check. + * + * \return Non-zero if some of the words are the same, zero if they are + * distinct from each other. + * + * We try to perform the check in constant time to avoid giving away + * any information about the value of the key. + */ +static int drysponge_x_words_are_same(const uint32_t x[4]) +{ + unsigned i, j; + int result = 0; + for (i = 0; i < 3; ++i) { + for (j = i + 1; j < 4; ++j) { + uint32_t check = x[i] ^ x[j]; + result |= (int)((0x100000000ULL - check) >> 32); + } + } + return result; +} + +void drysponge128_setup + (drysponge128_state_t *state, const unsigned char *key, + const unsigned char *nonce, int final_block) +{ + /* Fill the GASCON-128 state with repeated copies of the key */ + memcpy(state->c.B, key, 16); + memcpy(state->c.B + 16, key, 16); + memcpy(state->c.B + 32, key, 8); + + /* Generate the "x" value for the state. All four words of "x" + * must be unique because they will be used in drysponge_select_x() + * as stand-ins for the bit pairs 00, 01, 10, and 11. + * + * Run the core block operation over and over until "x" is unique. + * Technically the runtime here is key-dependent and not constant. + * If the input key is randomized, this should only take 1 round + * on average so it is "almost constant time". + */ + do { + gascon128_core_round(&(state->c), 0); + } while (drysponge_x_words_are_same(state->c.W)); + memcpy(state->x.W, state->c.W, sizeof(state->x)); + + /* Replace the generated "x" value in the state with the key prefix */ + memcpy(state->c.W, key, sizeof(state->x)); + + /* Absorb the nonce into the state with an increased number of rounds */ + state->rounds = DRYSPONGE128_INIT_ROUNDS; + state->domain = DRYDOMAIN128_NONCE; + if (final_block) + state->domain |= DRYDOMAIN128_FINAL; + drysponge128_f_absorb(state, nonce, 16); + drysponge128_g(state); + + /* Set up the normal number of rounds for future operations */ + state->rounds = DRYSPONGE128_ROUNDS; +} + +void drysponge256_setup + (drysponge256_state_t *state, const unsigned char *key, + const unsigned char *nonce, int final_block) +{ + /* Fill the GASCON-256 state with repeated copies of the key */ + memcpy(state->c.B, key, 32); + memcpy(state->c.B + 32, key, 32); + memcpy(state->c.B + 64, key, 8); + + /* Generate the "x" value for the state */ + do { + gascon256_core_round(&(state->c), 0); + } while (drysponge_x_words_are_same(state->c.W)); + memcpy(state->x.W, state->c.W, sizeof(state->x)); + + /* Replace the generated "x" value in the state with the key prefix */ + memcpy(state->c.W, key, sizeof(state->x)); + + /* Absorb the nonce into the state with an increased number of rounds */ + state->rounds = DRYSPONGE256_INIT_ROUNDS; + state->domain = DRYDOMAIN256_NONCE; + if (final_block) + state->domain |= DRYDOMAIN256_FINAL; + drysponge256_f_absorb(state, nonce, 16); + drysponge256_g(state); + + /* Set up the normal number of rounds for future operations */ + state->rounds = DRYSPONGE256_ROUNDS; +} diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.h b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.h new file mode 100644 index 0000000..05b0c16 --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.h @@ -0,0 +1,345 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_DRYSPONGE_H +#define LW_INTERNAL_DRYSPONGE_H + +#include "internal-util.h" + +/** + * \file internal-drysponge.h + * \brief Internal implementation of DrySPONGE for the DryGASCON cipher. + * + * References: https://github.com/sebastien-riou/DryGASCON + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the GASCON-128 permutation state in bytes. + */ +#define GASCON128_STATE_SIZE 40 + +/** + * \brief Size of the GASCON-256 permutation state in bytes. + */ +#define GASCON256_STATE_SIZE 72 + +/** + * \brief Rate of absorption and squeezing for DrySPONGE128. + */ +#define DRYSPONGE128_RATE 16 + +/** + * \brief Rate of absorption and squeezing for DrySPONGE256. + */ +#define DRYSPONGE256_RATE 16 + +/** + * \brief Size of the "x" value for DrySPONGE128. + */ +#define DRYSPONGE128_XSIZE 16 + +/** + * \brief Size of the "x" value for DrySPONGE256. + */ +#define DRYSPONGE256_XSIZE 16 + +/** + * \brief Normal number of rounds for DrySPONGE128 when absorbing + * and squeezing data. + */ +#define DRYSPONGE128_ROUNDS 7 + +/** + * \brief Number of rounds for DrySPONGE128 during initialization. + */ +#define DRYSPONGE128_INIT_ROUNDS 11 + +/** + * \brief Normal number of rounds for DrySPONGE256 when absorbing + * and squeezing data. + */ +#define DRYSPONGE256_ROUNDS 8 + +/** + * \brief Number of rounds for DrySPONGE256 during initialization. + */ +#define DRYSPONGE256_INIT_ROUNDS 12 + +/** + * \brief DrySPONGE128 domain bit for a padded block. + */ +#define DRYDOMAIN128_PADDED (1 << 8) + +/** + * \brief DrySPONGE128 domain bit for a final block. + */ +#define DRYDOMAIN128_FINAL (1 << 9) + +/** + * \brief DrySPONGE128 domain value for processing the nonce. + */ +#define DRYDOMAIN128_NONCE (1 << 10) + +/** + * \brief DrySPONGE128 domain value for processing the associated data. + */ +#define DRYDOMAIN128_ASSOC_DATA (2 << 10) + +/** + * \brief DrySPONGE128 domain value for processing the message. + */ +#define DRYDOMAIN128_MESSAGE (3 << 10) + +/** + * \brief DrySPONGE256 domain bit for a padded block. + */ +#define DRYDOMAIN256_PADDED (1 << 2) + +/** + * \brief DrySPONGE256 domain bit for a final block. + */ +#define DRYDOMAIN256_FINAL (1 << 3) + +/** + * \brief DrySPONGE256 domain value for processing the nonce. + */ +#define DRYDOMAIN256_NONCE (1 << 4) + +/** + * \brief DrySPONGE256 domain value for processing the associated data. + */ +#define DRYDOMAIN256_ASSOC_DATA (2 << 4) + +/** + * \brief DrySPONGE256 domain value for processing the message. + */ +#define DRYDOMAIN256_MESSAGE (3 << 4) + +/** + * \brief Internal state of the GASCON-128 permutation. + */ +typedef union +{ + uint64_t S[GASCON128_STATE_SIZE / 8]; /**< 64-bit words of the state */ + uint32_t W[GASCON128_STATE_SIZE / 4]; /**< 32-bit words of the state */ + uint8_t B[GASCON128_STATE_SIZE]; /**< Bytes of the state */ + +} gascon128_state_t; + +/** + * \brief Internal state of the GASCON-256 permutation. + */ +typedef union +{ + uint64_t S[GASCON256_STATE_SIZE / 8]; /**< 64-bit words of the state */ + uint32_t W[GASCON256_STATE_SIZE / 4]; /**< 32-bit words of the state */ + uint8_t B[GASCON256_STATE_SIZE]; /**< Bytes of the state */ + +} gascon256_state_t; + +/** + * \brief Structure of a rate block for DrySPONGE128. + */ +typedef union +{ + uint64_t S[DRYSPONGE128_RATE / 8]; /**< 64-bit words of the rate */ + uint32_t W[DRYSPONGE128_RATE / 4]; /**< 32-bit words of the rate */ + uint8_t B[DRYSPONGE128_RATE]; /**< Bytes of the rate */ + +} drysponge128_rate_t; + +/** + * \brief Structure of a rate block for DrySPONGE256. + */ +typedef union +{ + uint64_t S[DRYSPONGE256_RATE / 8]; /**< 64-bit words of the rate */ + uint32_t W[DRYSPONGE256_RATE / 4]; /**< 32-bit words of the rate */ + uint8_t B[DRYSPONGE256_RATE]; /**< Bytes of the rate */ + +} drysponge256_rate_t; + +/** + * \brief Structure of the "x" value for DrySPONGE128. + */ +typedef union +{ + uint64_t S[DRYSPONGE128_XSIZE / 8]; /**< 64-bit words of the rate */ + uint32_t W[DRYSPONGE128_XSIZE / 4]; /**< 32-bit words of the rate */ + uint8_t B[DRYSPONGE128_XSIZE]; /**< Bytes of the rate */ + +} drysponge128_x_t; + +/** + * \brief Structure of the "x" value for DrySPONGE256. + */ +typedef union +{ + uint64_t S[DRYSPONGE256_XSIZE / 8]; /**< 64-bit words of the rate */ + uint32_t W[DRYSPONGE256_XSIZE / 4]; /**< 32-bit words of the rate */ + uint8_t B[DRYSPONGE256_XSIZE]; /**< Bytes of the rate */ + +} drysponge256_x_t; + +/** + * \brief Structure of the rolling DrySPONGE128 state. + */ +typedef struct +{ + gascon128_state_t c; /**< GASCON-128 state for the capacity */ + drysponge128_rate_t r; /**< Buffer for a rate block of data */ + drysponge128_x_t x; /**< "x" value for the sponge */ + uint32_t domain; /**< Domain value to mix on next F call */ + uint32_t rounds; /**< Number of rounds for next G call */ + +} drysponge128_state_t; + +/** + * \brief Structure of the rolling DrySPONGE256 state. + */ +typedef struct +{ + gascon256_state_t c; /**< GASCON-256 state for the capacity */ + drysponge256_rate_t r; /**< Buffer for a rate block of data */ + drysponge256_x_t x; /**< "x" value for the sponge */ + uint32_t domain; /**< Domain value to mix on next F call */ + uint32_t rounds; /**< Number of rounds for next G call */ + +} drysponge256_state_t; + +/** + * \brief Permutes the GASCON-128 state using one iteration of CoreRound. + * + * \param state The GASCON-128 state to be permuted. + * \param round The round number. + * + * The input and output \a state will be in little-endian byte order. + */ +void gascon128_core_round(gascon128_state_t *state, uint8_t round); + +/** + * \brief Permutes the GASCON-256 state using one iteration of CoreRound. + * + * \param state The GASCON-256 state to be permuted. + * \param round The round number. + * + * The input and output \a state will be in little-endian byte order. + */ +void gascon256_core_round(gascon256_state_t *state, uint8_t round); + +/** + * \brief Performs the DrySPONGE128 G function which runs the core + * rounds and squeezes data out of the GASGON-128 state. + * + * \param state The DrySPONGE128 state. + * + * The data that is squeezed out will be in state->r on exit. + */ +void drysponge128_g(drysponge128_state_t *state); + +/** + * \brief Performs the DrySPONGE256 G function which runs the core + * rounds and squeezes data out of the GASGON-256 state. + * + * \param state The DrySPONGE256 state. + * + * The data that is squeezed out will be in state->r on exit. + */ +void drysponge256_g(drysponge256_state_t *state); + +/** + * \brief Performs the DrySPONGE128 G function which runs the core + * rounds but does not squeeze out any output. + * + * \param state The DrySPONGE128 state. + */ +void drysponge128_g_core(drysponge128_state_t *state); + +/** + * \brief Performs the DrySPONGE256 G function which runs the core + * rounds but does not squeeze out any output. + * + * \param state The DrySPONGE256 state. + */ +void drysponge256_g_core(drysponge256_state_t *state); + +/** + * \brief Performs the absorption phase of the DrySPONGE128 F function. + * + * \param state The DrySPONGE128 state. + * \param input The block of input data to incorporate into the state. + * \param len The length of the input block, which must be less than + * or equal to DRYSPONGE128_RATE. Smaller input blocks will be padded. + * + * This function must be followed by a call to drysponge128_g() or + * drysponge128_g_core() to perform the full F operation. + */ +void drysponge128_f_absorb + (drysponge128_state_t *state, const unsigned char *input, unsigned len); + +/** + * \brief Performs the absorption phase of the DrySPONGE256 F function. + * + * \param state The DrySPONGE256 state. + * \param input The block of input data to incorporate into the state. + * \param len The length of the input block, which must be less than + * or equal to DRYSPONGE256_RATE. Smaller input blocks will be padded. + * + * This function must be followed by a call to drysponge256_g() or + * drysponge256_g_core() to perform the full F operation. + */ +void drysponge256_f_absorb + (drysponge256_state_t *state, const unsigned char *input, unsigned len); + +/** + * \brief Set up a DrySPONGE128 state to begin encryption or decryption. + * + * \param state The DrySPONGE128 state. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the 16 bytes of the nonce. + * \param final_block Non-zero if after key setup there will be no more blocks. + */ +void drysponge128_setup + (drysponge128_state_t *state, const unsigned char *key, + const unsigned char *nonce, int final_block); + +/** + * \brief Set up a DrySPONGE256 state to begin encryption or decryption. + * + * \param state The DrySPONGE256 state. + * \param key Points to the 32 bytes of the key. + * \param nonce Points to the 16 bytes of the nonce. + * \param final_block Non-zero if after key setup there will be no more blocks. + */ +void drysponge256_setup + (drysponge256_state_t *state, const unsigned char *key, + const unsigned char *nonce, int final_block); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-util.h b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant160v1/LWC_AEAD_KAT_128_96.txt b/elephant/Implementations/crypto_aead/elephant160v1/LWC_AEAD_KAT_128_96.txt new file mode 100644 index 0000000..56639af --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/LWC_AEAD_KAT_128_96.txt @@ -0,0 +1,7623 @@ +Count = 1 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = +CT = 99AD0D35BBB90AA7 + +Count = 2 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00 +CT = DED044E7EEE9F069 + +Count = 3 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 0001 +CT = 0CC483162FEAB754 + +Count = 4 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102 +CT = 659D3DEAD70D2ABB + +Count = 5 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00010203 +CT = 0B61EE7AA5D245EF + +Count = 6 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 0001020304 +CT = 916219448C0FD045 + +Count = 7 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405 +CT = 9BACF481DD66D403 + +Count = 8 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00010203040506 +CT = FDF4E9397191A319 + +Count = 9 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 0001020304050607 +CT = 66D9EE19310BF9AD + +Count = 10 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708 +CT = AE9F9C43A1C1EFC7 + +Count = 11 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00010203040506070809 +CT = 45C57404B30FB1B7 + +Count = 12 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A +CT = 8A875FE342003DFC + +Count = 13 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B +CT = 7707887E42F415FA + +Count = 14 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C +CT = 2D881B8AB33B8103 + +Count = 15 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D +CT = D1FBA317B0193457 + +Count = 16 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E +CT = 61BC1A89A444FC65 + +Count = 17 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F +CT = 01C0B1B4276BC596 + +Count = 18 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10 +CT = D5E14C3898B8096C + +Count = 19 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C6546D76A2C45A74 + +Count = 20 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 41C8DF8CEC0BEE0D + +Count = 21 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 013CA534B0F71F22 + +Count = 22 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 3E981A262BEE3450 + +Count = 23 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = E2B9DA22782E4FB3 + +Count = 24 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 7F9D29E4D48E7936 + +Count = 25 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 33CE1CFFADBA0FBD + +Count = 26 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = A5340B87EC01EBF7 + +Count = 27 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 9D53C503D0B9943A + +Count = 28 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = BCAE22FB6B4B0071 + +Count = 29 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = E3F6C5D56FC6B773 + +Count = 30 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75CCE11AB4567088 + +Count = 31 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 51C496EBE32E726D + +Count = 32 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 1BDED7551FA9CA73 + +Count = 33 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 24F760685AC9B843 + +Count = 34 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = +CT = C909DAD7810C416E41 + +Count = 35 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00 +CT = C94EA79E535911948F + +Count = 36 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 0001 +CT = C99CB359A29812D3B2 + +Count = 37 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102 +CT = C9F5EAE75E60F54E5D + +Count = 38 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00010203 +CT = C99B1634CE122A2109 + +Count = 39 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 0001020304 +CT = C90115C3F03BF7B4A3 + +Count = 40 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405 +CT = C90BDB2E356A9EB0E5 + +Count = 41 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00010203040506 +CT = C96D83338DC669C7FF + +Count = 42 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 0001020304050607 +CT = C9F6AE34AD86F39D4B + +Count = 43 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708 +CT = C93EE846F716398B21 + +Count = 44 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00010203040506070809 +CT = C9D5B2AEB004F7D551 + +Count = 45 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A +CT = C91AF08557F5F8591A + +Count = 46 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B +CT = C9E77052CAF50C711C + +Count = 47 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C +CT = C9BDFFC13E04C3E5E5 + +Count = 48 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D +CT = C9418C79A307E150B1 + +Count = 49 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E +CT = C9F1CBC03D13BC9883 + +Count = 50 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F +CT = C991B76B009093A170 + +Count = 51 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C94596968C2F406D8A + +Count = 52 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C95623B7C2153C3E92 + +Count = 53 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9D1BF05385BF38AEB + +Count = 54 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9914B7F80070F7BC4 + +Count = 55 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9AEEFC0929C1650B6 + +Count = 56 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C972CE0096CFD62B55 + +Count = 57 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9EFEAF35063761DD0 + +Count = 58 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9A3B9C64B1A426B5B + +Count = 59 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C93543D1335BF98F11 + +Count = 60 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C90D241FB76741F0DC + +Count = 61 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C92CD9F84FDCB36497 + +Count = 62 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C973811F61D83ED395 + +Count = 63 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9E5BB3BAE03AE146E + +Count = 64 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9C1B34C5F54D6168B + +Count = 65 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C98BA90DE1A851AE95 + +Count = 66 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9B480BADCED31DCA5 + +Count = 67 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = +CT = C90377F863D1D68B7D47 + +Count = 68 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00 +CT = C90330852A0383DB8789 + +Count = 69 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 0001 +CT = C903E291EDF242D8C0B4 + +Count = 70 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102 +CT = C9038BC8530EBA3F5D5B + +Count = 71 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00010203 +CT = C903E534809EC8E0320F + +Count = 72 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 0001020304 +CT = C9037F3777A0E13DA7A5 + +Count = 73 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405 +CT = C90375F99A65B054A3E3 + +Count = 74 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00010203040506 +CT = C90313A187DD1CA3D4F9 + +Count = 75 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 0001020304050607 +CT = C903888C80FD5C398E4D + +Count = 76 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708 +CT = C90340CAF2A7CCF39827 + +Count = 77 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00010203040506070809 +CT = C903AB901AE0DE3DC657 + +Count = 78 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A +CT = C90364D231072F324A1C + +Count = 79 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B +CT = C9039952E69A2FC6621A + +Count = 80 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C +CT = C903C3DD756EDE09F6E3 + +Count = 81 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D +CT = C9033FAECDF3DD2B43B7 + +Count = 82 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E +CT = C9038FE9746DC9768B85 + +Count = 83 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F +CT = C903EF95DF504A59B276 + +Count = 84 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9033BB422DCF58A7E8C + +Count = 85 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C90328010392CFF62D94 + +Count = 86 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C903AF9DB168813999ED + +Count = 87 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C903EF69CBD0DDC568C2 + +Count = 88 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C903D0CD74C246DC43B0 + +Count = 89 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9030CECB4C6151C3853 + +Count = 90 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C90391C84700B9BC0ED6 + +Count = 91 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C903DD9B721BC088785D + +Count = 92 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034B61656381339C17 + +Count = 93 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9037306ABE7BD8BE3DA + +Count = 94 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C90352FB4C1F06797791 + +Count = 95 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9030DA3AB3102F4C093 + +Count = 96 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9039B998FFED9640768 + +Count = 97 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C903BF91F80F8E1C058D + +Count = 98 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C903F58BB9B1729BBD93 + +Count = 99 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C903CAA20E8C37FBCFA3 + +Count = 100 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = +CT = C9034AEE97703E68E1AFAD + +Count = 101 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00 +CT = C9034AA9EA39EC3DB15563 + +Count = 102 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 0001 +CT = C9034A7BFEFE1DFCB2125E + +Count = 103 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102 +CT = C9034A12A740E104558FB1 + +Count = 104 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00010203 +CT = C9034A7C5B9371768AE0E5 + +Count = 105 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 0001020304 +CT = C9034AE658644F5F57754F + +Count = 106 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405 +CT = C9034AEC96898A0E3E7109 + +Count = 107 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00010203040506 +CT = C9034A8ACE9432A2C90613 + +Count = 108 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 0001020304050607 +CT = C9034A11E39312E2535CA7 + +Count = 109 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708 +CT = C9034AD9A5E14872994ACD + +Count = 110 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00010203040506070809 +CT = C9034A32FF090F605714BD + +Count = 111 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A +CT = C9034AFDBD22E8915898F6 + +Count = 112 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B +CT = C9034A003DF57591ACB0F0 + +Count = 113 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C +CT = C9034A5AB2668160632409 + +Count = 114 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D +CT = C9034AA6C1DE1C6341915D + +Count = 115 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A16866782771C596F + +Count = 116 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A76FACCBFF433609C + +Count = 117 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034AA2DB31334BE0AC66 + +Count = 118 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034AB16E107D719CFF7E + +Count = 119 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A36F2A2873F534B07 + +Count = 120 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A7606D83F63AFBA28 + +Count = 121 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A49A2672DF8B6915A + +Count = 122 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A9583A729AB76EAB9 + +Count = 123 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A08A754EF07D6DC3C + +Count = 124 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A44F461F47EE2AAB7 + +Count = 125 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034AD20E768C3F594EFD + +Count = 126 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034AEA69B80803E13130 + +Count = 127 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034ACB945FF0B813A57B + +Count = 128 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A94CCB8DEBC9E1279 + +Count = 129 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A02F69C11670ED582 + +Count = 130 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A26FEEBE03076D767 + +Count = 131 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A6CE4AA5ECCF16F79 + +Count = 132 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A53CD1D6389911D49 + +Count = 133 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = +CT = C9034A2FC5C3528515B7D64B + +Count = 134 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00 +CT = C9034A2F82BE1B5740E72C85 + +Count = 135 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 0001 +CT = C9034A2F50AADCA681E46BB8 + +Count = 136 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102 +CT = C9034A2F39F3625A7903F657 + +Count = 137 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00010203 +CT = C9034A2F570FB1CA0BDC9903 + +Count = 138 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 0001020304 +CT = C9034A2FCD0C46F422010CA9 + +Count = 139 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405 +CT = C9034A2FC7C2AB31736808EF + +Count = 140 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00010203040506 +CT = C9034A2FA19AB689DF9F7FF5 + +Count = 141 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 0001020304050607 +CT = C9034A2F3AB7B1A99F052541 + +Count = 142 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708 +CT = C9034A2FF2F1C3F30FCF332B + +Count = 143 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00010203040506070809 +CT = C9034A2F19AB2BB41D016D5B + +Count = 144 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A +CT = C9034A2FD6E90053EC0EE110 + +Count = 145 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B +CT = C9034A2F2B69D7CEECFAC916 + +Count = 146 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C +CT = C9034A2F71E6443A1D355DEF + +Count = 147 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F8D95FCA71E17E8BB + +Count = 148 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F3DD245390A4A2089 + +Count = 149 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F5DAEEE048965197A + +Count = 150 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F898F138836B6D580 + +Count = 151 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F9A3A32C60CCA8698 + +Count = 152 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F1DA6803C420532E1 + +Count = 153 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F5D52FA841EF9C3CE + +Count = 154 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F62F6459685E0E8BC + +Count = 155 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2FBED78592D620935F + +Count = 156 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F23F376547A80A5DA + +Count = 157 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F6FA0434F03B4D351 + +Count = 158 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2FF95A5437420F371B + +Count = 159 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2FC13D9AB37EB748D6 + +Count = 160 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2FE0C07D4BC545DC9D + +Count = 161 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2FBF989A65C1C86B9F + +Count = 162 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F29A2BEAA1A58AC64 + +Count = 163 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F0DAAC95B4D20AE81 + +Count = 164 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F47B088E5B1A7169F + +Count = 165 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F78993FD8F4C764AF + +Count = 166 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = +CT = C9034A2F7FC024F47371011925 + +Count = 167 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00 +CT = C9034A2F7F8759BDA12451E3EB + +Count = 168 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 0001 +CT = C9034A2F7F554D7A50E552A4D6 + +Count = 169 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102 +CT = C9034A2F7F3C14C4AC1DB53939 + +Count = 170 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00010203 +CT = C9034A2F7F52E8173C6F6A566D + +Count = 171 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 0001020304 +CT = C9034A2F7FC8EBE00246B7C3C7 + +Count = 172 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405 +CT = C9034A2F7FC2250DC717DEC781 + +Count = 173 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00010203040506 +CT = C9034A2F7FA47D107FBB29B09B + +Count = 174 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 0001020304050607 +CT = C9034A2F7F3F50175FFBB3EA2F + +Count = 175 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708 +CT = C9034A2F7FF71665056B79FC45 + +Count = 176 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00010203040506070809 +CT = C9034A2F7F1C4C8D4279B7A235 + +Count = 177 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A +CT = C9034A2F7FD30EA6A588B82E7E + +Count = 178 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B +CT = C9034A2F7F2E8E7138884C0678 + +Count = 179 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F7401E2CC79839281 + +Count = 180 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F88725A517AA127D5 + +Count = 181 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F3835E3CF6EFCEFE7 + +Count = 182 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F584948F2EDD3D614 + +Count = 183 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F8C68B57E52001AEE + +Count = 184 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9FDD9430687C49F6 + +Count = 185 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F184126CA26B3FD8F + +Count = 186 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F58B55C727A4F0CA0 + +Count = 187 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F6711E360E15627D2 + +Count = 188 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7FBB302364B2965C31 + +Count = 189 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F2614D0A21E366AB4 + +Count = 190 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F6A47E5B967021C3F + +Count = 191 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7FFCBDF2C126B9F875 + +Count = 192 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7FC4DA3C451A0187B8 + +Count = 193 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7FE527DBBDA1F313F3 + +Count = 194 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7FBA7F3C93A57EA4F1 + +Count = 195 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F2C45185C7EEE630A + +Count = 196 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F084D6FAD299661EF + +Count = 197 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F42572E13D511D9F1 + +Count = 198 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F7D7E992E9071ABC1 + +Count = 199 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = +CT = C9034A2F7F967A2083CD8D969311 + +Count = 200 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00 +CT = C9034A2F7F963D5DCA1FD8C669DF + +Count = 201 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 0001 +CT = C9034A2F7F96EF490DEE19C52EE2 + +Count = 202 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102 +CT = C9034A2F7F968610B312E122B30D + +Count = 203 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00010203 +CT = C9034A2F7F96E8EC608293FDDC59 + +Count = 204 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 0001020304 +CT = C9034A2F7F9672EF97BCBA2049F3 + +Count = 205 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405 +CT = C9034A2F7F9678217A79EB494DB5 + +Count = 206 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00010203040506 +CT = C9034A2F7F961E7967C147BE3AAF + +Count = 207 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 0001020304050607 +CT = C9034A2F7F96855460E10724601B + +Count = 208 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708 +CT = C9034A2F7F964D1212BB97EE7671 + +Count = 209 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00010203040506070809 +CT = C9034A2F7F96A648FAFC85202801 + +Count = 210 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A +CT = C9034A2F7F96690AD11B742FA44A + +Count = 211 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B +CT = C9034A2F7F96948A068674DB8C4C + +Count = 212 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F96CE059572851418B5 + +Count = 213 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9632762DEF8636ADE1 + +Count = 214 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9682319471926B65D3 + +Count = 215 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F96E24D3F4C11445C20 + +Count = 216 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F96366CC2C0AE9790DA + +Count = 217 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9625D9E38E94EBC3C2 + +Count = 218 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F96A2455174DA2477BB + +Count = 219 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F96E2B12BCC86D88694 + +Count = 220 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F96DD1594DE1DC1ADE6 + +Count = 221 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F96013454DA4E01D605 + +Count = 222 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F969C10A71CE2A1E080 + +Count = 223 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F96D04392079B95960B + +Count = 224 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9646B9857FDA2E7241 + +Count = 225 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F967EDE4BFBE6960D8C + +Count = 226 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F965F23AC035D6499C7 + +Count = 227 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F96007B4B2D59E92EC5 + +Count = 228 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9696416FE28279E93E + +Count = 229 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F96B2491813D501EBDB + +Count = 230 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F96F85359AD298653C5 + +Count = 231 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F96C77AEE906CE621F5 + +Count = 232 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = +CT = C9034A2F7F9698A8EE4C09EF3E07AF + +Count = 233 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00 +CT = C9034A2F7F9698EF9305DBBA6EFD61 + +Count = 234 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 0001 +CT = C9034A2F7F96983D87C22A7B6DBA5C + +Count = 235 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102 +CT = C9034A2F7F969854DE7CD6838A27B3 + +Count = 236 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00010203 +CT = C9034A2F7F96983A22AF46F15548E7 + +Count = 237 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 0001020304 +CT = C9034A2F7F9698A0215878D888DD4D + +Count = 238 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405 +CT = C9034A2F7F9698AAEFB5BD89E1D90B + +Count = 239 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00010203040506 +CT = C9034A2F7F9698CCB7A8052516AE11 + +Count = 240 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 0001020304050607 +CT = C9034A2F7F9698579AAF25658CF4A5 + +Count = 241 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708 +CT = C9034A2F7F96989FDCDD7FF546E2CF + +Count = 242 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00010203040506070809 +CT = C9034A2F7F969874863538E788BCBF + +Count = 243 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A +CT = C9034A2F7F9698BBC41EDF168730F4 + +Count = 244 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B +CT = C9034A2F7F96984644C942167318F2 + +Count = 245 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F96981CCB5AB6E7BC8C0B + +Count = 246 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698E0B8E22BE49E395F + +Count = 247 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F969850FF5BB5F0C3F16D + +Count = 248 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F96983083F08873ECC89E + +Count = 249 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698E4A20D04CC3F0464 + +Count = 250 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698F7172C4AF643577C + +Count = 251 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698708B9EB0B88CE305 + +Count = 252 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698307FE408E470122A + +Count = 253 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F96980FDB5B1A7F693958 + +Count = 254 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698D3FA9B1E2CA942BB + +Count = 255 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F96984EDE68D88009743E + +Count = 256 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698028D5DC3F93D02B5 + +Count = 257 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F969894774ABBB886E6FF + +Count = 258 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698AC10843F843E9932 + +Count = 259 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F96988DED63C73FCC0D79 + +Count = 260 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698D2B584E93B41BA7B + +Count = 261 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698448FA026E0D17D80 + +Count = 262 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F96986087D7D7B7A97F65 + +Count = 263 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F96982A9D96694B2EC77B + +Count = 264 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F969815B421540E4EB54B + +Count = 265 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = +CT = C9034A2F7F9698DCFBF9B8E86994F2BE + +Count = 266 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00 +CT = C9034A2F7F9698DCBC84F13A3CC40870 + +Count = 267 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 0001 +CT = C9034A2F7F9698DC6E9036CBFDC74F4D + +Count = 268 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102 +CT = C9034A2F7F9698DC07C988370520D2A2 + +Count = 269 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00010203 +CT = C9034A2F7F9698DC69355BA777FFBDF6 + +Count = 270 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 0001020304 +CT = C9034A2F7F9698DCF336AC995E22285C + +Count = 271 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405 +CT = C9034A2F7F9698DCF9F8415C0F4B2C1A + +Count = 272 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00010203040506 +CT = C9034A2F7F9698DC9FA05CE4A3BC5B00 + +Count = 273 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 0001020304050607 +CT = C9034A2F7F9698DC048D5BC4E32601B4 + +Count = 274 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708 +CT = C9034A2F7F9698DCCCCB299E73EC17DE + +Count = 275 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00010203040506070809 +CT = C9034A2F7F9698DC2791C1D9612249AE + +Count = 276 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCE8D3EA3E902DC5E5 + +Count = 277 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DC15533DA390D9EDE3 + +Count = 278 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DC4FDCAE576116791A + +Count = 279 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB3AF16CA6234CC4E + +Count = 280 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DC03E8AF547669047C + +Count = 281 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DC63940469F5463D8F + +Count = 282 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB7B5F9E54A95F175 + +Count = 283 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCA400D8AB70E9A26D + +Count = 284 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DC239C6A513E261614 + +Count = 285 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DC636810E962DAE73B + +Count = 286 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DC5CCCAFFBF9C3CC49 + +Count = 287 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DC80ED6FFFAA03B7AA + +Count = 288 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DC1DC99C3906A3812F + +Count = 289 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DC519AA9227F97F7A4 + +Count = 290 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCC760BE5A3E2C13EE + +Count = 291 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCFF0770DE02946C23 + +Count = 292 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCDEFA9726B966F868 + +Count = 293 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DC81A27008BDEB4F6A + +Count = 294 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DC179854C7667B8891 + +Count = 295 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DC3390233631038A74 + +Count = 296 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DC798A6288CD84326A + +Count = 297 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DC46A3D5B588E4405A + +Count = 298 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = +CT = C9034A2F7F9698DCB420D003C709A0548E + +Count = 299 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00 +CT = C9034A2F7F9698DCB467AD4A155CF0AE40 + +Count = 300 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 0001 +CT = C9034A2F7F9698DCB4B5B98DE49DF3E97D + +Count = 301 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102 +CT = C9034A2F7F9698DCB4DCE0331865147492 + +Count = 302 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00010203 +CT = C9034A2F7F9698DCB4B21CE08817CB1BC6 + +Count = 303 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 0001020304 +CT = C9034A2F7F9698DCB4281F17B63E168E6C + +Count = 304 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405 +CT = C9034A2F7F9698DCB422D1FA736F7F8A2A + +Count = 305 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00010203040506 +CT = C9034A2F7F9698DCB44489E7CBC388FD30 + +Count = 306 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB4DFA4E0EB8312A784 + +Count = 307 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB417E292B113D8B1EE + +Count = 308 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB4FCB87AF60116EF9E + +Count = 309 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB433FA5111F01963D5 + +Count = 310 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB4CE7A868CF0ED4BD3 + +Count = 311 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB494F515780122DF2A + +Count = 312 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB46886ADE502006A7E + +Count = 313 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB4D8C1147B165DA24C + +Count = 314 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB4B8BDBF4695729BBF + +Count = 315 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB46C9C42CA2AA15745 + +Count = 316 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB47F29638410DD045D + +Count = 317 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB4F8B5D17E5E12B024 + +Count = 318 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB4B841ABC602EE410B + +Count = 319 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB487E514D499F76A79 + +Count = 320 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB45BC4D4D0CA37119A + +Count = 321 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB4C6E027166697271F + +Count = 322 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB48AB3120D1FA35194 + +Count = 323 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41C4905755E18B5DE + +Count = 324 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB4242ECBF162A0CA13 + +Count = 325 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB405D32C09D9525E58 + +Count = 326 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB45A8BCB27DDDFE95A + +Count = 327 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB4CCB1EFE8064F2EA1 + +Count = 328 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB4E8B9981951372C44 + +Count = 329 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB4A2A3D9A7ADB0945A + +Count = 330 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB49D8A6E9AE8D0E66A + +Count = 331 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = +CT = C9034A2F7F9698DCB41AB3B568223658767B + +Count = 332 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00 +CT = C9034A2F7F9698DCB41AF4C821F063088CB5 + +Count = 333 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 0001 +CT = C9034A2F7F9698DCB41A26DCE601A20BCB88 + +Count = 334 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102 +CT = C9034A2F7F9698DCB41A4F8558FD5AEC5667 + +Count = 335 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00010203 +CT = C9034A2F7F9698DCB41A21798B6D28333933 + +Count = 336 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ABB7A7C5301EEAC99 + +Count = 337 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405 +CT = C9034A2F7F9698DCB41AB1B491965087A8DF + +Count = 338 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41AD7EC8C2EFC70DFC5 + +Count = 339 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41A4CC18B0EBCEA8571 + +Count = 340 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41A8487F9542C20931B + +Count = 341 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41A6FDD11133EEECD6B + +Count = 342 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41AA09F3AF4CFE14120 + +Count = 343 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41A5D1FED69CF156926 + +Count = 344 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41A07907E9D3EDAFDDF + +Count = 345 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41AFBE3C6003DF8488B + +Count = 346 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41A4BA47F9E29A580B9 + +Count = 347 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41A2BD8D4A3AA8AB94A + +Count = 348 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41AFFF9292F155975B0 + +Count = 349 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41AEC4C08612F2526A8 + +Count = 350 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41A6BD0BA9B61EA92D1 + +Count = 351 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41A2B24C0233D1663FE + +Count = 352 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41A14807F31A60F488C + +Count = 353 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41AC8A1BF35F5CF336F + +Count = 354 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41A55854CF3596F05EA + +Count = 355 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41A19D679E8205B7361 + +Count = 356 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41A8F2C6E9061E0972B + +Count = 357 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41AB74BA0145D58E8E6 + +Count = 358 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41A96B647ECE6AA7CAD + +Count = 359 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41AC9EEA0C2E227CBAF + +Count = 360 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41A5FD4840D39B70C54 + +Count = 361 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41A7BDCF3FC6ECF0EB1 + +Count = 362 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41A31C6B2429248B6AF + +Count = 363 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41A0EEF057FD728C49F + +Count = 364 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = +CT = C9034A2F7F9698DCB41ACC7B4D6F307036DB5D + +Count = 365 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00 +CT = C9034A2F7F9698DCB41ACC3C3026E225662193 + +Count = 366 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 0001 +CT = C9034A2F7F9698DCB41ACCEE24E113E46566AE + +Count = 367 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102 +CT = C9034A2F7F9698DCB41ACC877D5FEF1C82FB41 + +Count = 368 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCE9818C7F6E5D9415 + +Count = 369 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACC73827B41478001BF + +Count = 370 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACC794C968416E905F9 + +Count = 371 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACC1F148B3CBA1E72E3 + +Count = 372 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACC84398C1CFA842857 + +Count = 373 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACC4C7FFE466A4E3E3D + +Count = 374 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCA72516017880604D + +Count = 375 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACC68673DE6898FEC06 + +Count = 376 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACC95E7EA7B897BC400 + +Count = 377 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCF68798F78B450F9 + +Count = 378 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACC331BC1127B96E5AD + +Count = 379 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACC835C788C6FCB2D9F + +Count = 380 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCE320D3B1ECE4146C + +Count = 381 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACC37012E3D5337D896 + +Count = 382 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACC24B40F73694B8B8E + +Count = 383 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCA328BD8927843FF7 + +Count = 384 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCE3DCC7317B78CED8 + +Count = 385 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCDC787823E061E5AA + +Count = 386 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACC0059B827B3A19E49 + +Count = 387 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACC9D7D4BE11F01A8CC + +Count = 388 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCD12E7EFA6635DE47 + +Count = 389 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACC47D46982278E3A0D + +Count = 390 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACC7FB3A7061B3645C0 + +Count = 391 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACC5E4E40FEA0C4D18B + +Count = 392 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACC0116A7D0A4496689 + +Count = 393 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACC972C831F7FD9A172 + +Count = 394 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCB324F4EE28A1A397 + +Count = 395 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCF93EB550D4261B89 + +Count = 396 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCC617026D914669B9 + +Count = 397 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = +CT = C9034A2F7F9698DCB41ACCCF2C8E9DBEE8D05718 + +Count = 398 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00 +CT = C9034A2F7F9698DCB41ACCCF6BF3D46CBD80ADD6 + +Count = 399 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFB9E7139D7C83EAEB + +Count = 400 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFD0BEAD6184647704 + +Count = 401 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBE427EF1F6BB1850 + +Count = 402 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCF244189CFDF668DFA + +Count = 403 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCF2E8F640A8E0F89BC + +Count = 404 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCF48D779B222F8FEA6 + +Count = 405 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFD3FA7E926262A412 + +Count = 406 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCF1BBC0CC8F2A8B278 + +Count = 407 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFF0E6E48FE066EC08 + +Count = 408 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCF3FA4CF6811696043 + +Count = 409 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFC22418F5119D4845 + +Count = 410 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCF98AB8B01E052DCBC + +Count = 411 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCF64D8339CE37069E8 + +Count = 412 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFD49F8A02F72DA1DA + +Count = 413 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFB4E3213F74029829 + +Count = 414 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCF60C2DCB3CBD154D3 + +Count = 415 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCF7377FDFDF1AD07CB + +Count = 416 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFF4EB4F07BF62B3B2 + +Count = 417 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFB41F35BFE39E429D + +Count = 418 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCF8BBB8AAD788769EF + +Count = 419 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCF579A4AA92B47120C + +Count = 420 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFCABEB96F87E72489 + +Count = 421 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCF86ED8C74FED35202 + +Count = 422 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCF10179B0CBF68B648 + +Count = 423 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCF2870558883D0C985 + +Count = 424 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCF098DB27038225DCE + +Count = 425 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCF56D5555E3CAFEACC + +Count = 426 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFC0EF7191E73F2D37 + +Count = 427 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFE4E70660B0472FD2 + +Count = 428 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFAEFD47DE4CC097CC + +Count = 429 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCF91D4F0E309A0E5FC + +Count = 430 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = +CT = C9034A2F7F9698DCB41ACCCFBF8457B65D560FE10C + +Count = 431 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBFC32AFF8F035F1BC2 + +Count = 432 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF113E387EC25C5CFF + +Count = 433 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF786786823ABBC110 + +Count = 434 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF169B55124864AE44 + +Count = 435 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF8C98A22C61B93BEE + +Count = 436 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF86564FE930D03FA8 + +Count = 437 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBFE00E52519C2748B2 + +Count = 438 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF7B235571DCBD1206 + +Count = 439 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBFB365272B4C77046C + +Count = 440 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF583FCF6C5EB95A1C + +Count = 441 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF977DE48BAFB6D657 + +Count = 442 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF6AFD3316AF42FE51 + +Count = 443 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF3072A0E25E8D6AA8 + +Count = 444 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBFCC01187F5DAFDFFC + +Count = 445 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF7C46A1E149F217CE + +Count = 446 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF1C3A0ADCCADD2E3D + +Count = 447 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBFC81BF750750EE2C7 + +Count = 448 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBFDBAED61E4F72B1DF + +Count = 449 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF5C3264E401BD05A6 + +Count = 450 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF1CC61E5C5D41F489 + +Count = 451 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF2362A14EC658DFFB + +Count = 452 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBFFF43614A9598A418 + +Count = 453 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF6267928C3938929D + +Count = 454 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF2E34A797400CE416 + +Count = 455 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBFB8CEB0EF01B7005C + +Count = 456 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF80A97E6B3D0F7F91 + +Count = 457 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBFA154999386FDEBDA + +Count = 458 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBFFE0C7EBD82705CD8 + +Count = 459 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF68365A7259E09B23 + +Count = 460 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF4C3E2D830E9899C6 + +Count = 461 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF06246C3DF21F21D8 + +Count = 462 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF390DDB00B77F53E8 + +Count = 463 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = +CT = C9034A2F7F9698DCB41ACCCFBF54A818514739035C87 + +Count = 464 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF54EF6518956C53A649 + +Count = 465 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF543D71DF64AD50E174 + +Count = 466 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF545428619855B77C9B + +Count = 467 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF543AD4B208276813CF + +Count = 468 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF54A0D745360EB58665 + +Count = 469 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF54AA19A8F35FDC8223 + +Count = 470 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF54CC41B54BF32BF539 + +Count = 471 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF54576CB26BB3B1AF8D + +Count = 472 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549F2AC031237BB9E7 + +Count = 473 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF547470287631B5E797 + +Count = 474 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF54BB320391C0BA6BDC + +Count = 475 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF5446B2D40CC04E43DA + +Count = 476 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF541C3D47F83181D723 + +Count = 477 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF54E04EFF6532A36277 + +Count = 478 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF54500946FB26FEAA45 + +Count = 479 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF543075EDC6A5D193B6 + +Count = 480 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF54E454104A1A025F4C + +Count = 481 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF54F7E13104207E0C54 + +Count = 482 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF54707D83FE6EB1B82D + +Count = 483 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF543089F946324D4902 + +Count = 484 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF540F2D4654A9546270 + +Count = 485 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF54D30C8650FA941993 + +Count = 486 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF544E28759656342F16 + +Count = 487 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF54027B408D2F00599D + +Count = 488 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF54948157F56EBBBDD7 + +Count = 489 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF54ACE699715203C21A + +Count = 490 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF548D1B7E89E9F15651 + +Count = 491 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF54D24399A7ED7CE153 + +Count = 492 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF544479BD6836EC26A8 + +Count = 493 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF546071CA996194244D + +Count = 494 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF542A6B8B279D139C53 + +Count = 495 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF5415423C1AD873EE63 + +Count = 496 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549B3902278F177E5A48 + +Count = 497 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549B7E7F6E5D422EA086 + +Count = 498 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BAC6BA9AC832DE7BB + +Count = 499 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BC53217507BCA7A54 + +Count = 500 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BABCEC4C009151500 + +Count = 501 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549B31CD33FE20C880AA + +Count = 502 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549B3B03DE3B71A184EC + +Count = 503 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549B5D5BC383DD56F3F6 + +Count = 504 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BC676C4A39DCCA942 + +Count = 505 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549B0E30B6F90D06BF28 + +Count = 506 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BE56A5EBE1FC8E158 + +Count = 507 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549B2A287559EEC76D13 + +Count = 508 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BD7A8A2C4EE334515 + +Count = 509 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549B8D2731301FFCD1EC + +Count = 510 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549B715489AD1CDE64B8 + +Count = 511 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BC11330330883AC8A + +Count = 512 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BA16F9B0E8BAC9579 + +Count = 513 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549B754E6682347F5983 + +Count = 514 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549B66FB47CC0E030A9B + +Count = 515 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BE167F53640CCBEE2 + +Count = 516 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BA1938F8E1C304FCD + +Count = 517 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549B9E37309C872964BF + +Count = 518 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549B4216F098D4E91F5C + +Count = 519 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BDF32035E784929D9 + +Count = 520 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549B93613645017D5F52 + +Count = 521 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549B059B213D40C6BB18 + +Count = 522 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549B3DFCEFB97C7EC4D5 + +Count = 523 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549B1C010841C78C509E + +Count = 524 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549B4359EF6FC301E79C + +Count = 525 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BD563CBA018912067 + +Count = 526 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF16BBC514FE92282 + +Count = 527 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BBB71FDEFB36E9A9C + +Count = 528 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549B84584AD2F60EE8AC + +Count = 529 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF7C152A8863B472BE1 + +Count = 530 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7862FE1546E17D12F + +Count = 531 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7543B26A5AF149612 + +Count = 532 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF73D62985957F30BFD + +Count = 533 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7539E4BC9252C64A9 + +Count = 534 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7C99DBCF70CF1F103 + +Count = 535 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7C35351325D98F545 + +Count = 536 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7A50B4C8AF16F825F + +Count = 537 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF73E264BAAB1F5D8EB + +Count = 538 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7F66039F0213FCE81 + +Count = 539 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF71D3AD1B733F190F1 + +Count = 540 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF7D278FA50C2FE1CBA + +Count = 541 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF72FF82DCDC20A34BC + +Count = 542 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF77577BE3933C5A045 + +Count = 543 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF7890406A430E71511 + +Count = 544 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF73943BF3A24BADD23 + +Count = 545 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF7593F1407A795E4D0 + +Count = 546 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF78D1EE98B1846282A + +Count = 547 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF79EABC8C5223A7B32 + +Count = 548 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF719377A3F6CF5CF4B + +Count = 549 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF759C3008730093E64 + +Count = 550 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF76667BF95AB101516 + +Count = 551 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7BA467F91F8D06EF5 + +Count = 552 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF727628C5754705870 + +Count = 553 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF76B31B94C2D442EFB + +Count = 554 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7FDCBAE346CFFCAB1 + +Count = 555 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7C5AC60B05047B57C + +Count = 556 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF7E4518748EBB52137 + +Count = 557 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF7BB096066EF389635 + +Count = 558 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF72D3344A934A851CE + +Count = 559 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF7093B335863D0532B + +Count = 560 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF7432172E69F57EB35 + +Count = 561 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF77C08C5DBDA379905 + +Count = 562 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747203F1717E3077918 + +Count = 563 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF74767425EC5B65783D6 + +Count = 564 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747B55699347754C4EB + +Count = 565 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747DC0F27C88FB35904 + +Count = 566 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747B2F3F458FD6C3650 + +Count = 567 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF74728F00366D4B1A3FA + +Count = 568 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747223EEEA385D8A7BC + +Count = 569 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7474466F31B292FD0A6 + +Count = 570 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747DF4BF43B69B58A12 + +Count = 571 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747170D8661F97F9C78 + +Count = 572 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747FC576E26EBB1C208 + +Count = 573 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747331545C11ABE4E43 + +Count = 574 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747CE95925C1A4A6645 + +Count = 575 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747941A01A8EB85F2BC + +Count = 576 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF7476869B935E8A747E8 + +Count = 577 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D82E00ABFCFA8FDA + +Count = 578 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747B852AB967FD5B629 + +Count = 579 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7476C73561AC0067AD3 + +Count = 580 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7477FC67754FA7A29CB + +Count = 581 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747F85AC5AEB4B59DB2 + +Count = 582 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747B8AEBF16E8496C9D + +Count = 583 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747870A0004735047EF + +Count = 584 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7475B2BC00020903C0C + +Count = 585 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747C60F33C68C300A89 + +Count = 586 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7478A5C06DDF5047C02 + +Count = 587 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF7471CA611A5B4BF9848 + +Count = 588 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF74724C1DF218807E785 + +Count = 589 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747053C38D933F573CE + +Count = 590 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF7475A64DFF73778C4CC + +Count = 591 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747CC5EFB38ECE80337 + +Count = 592 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747E8568CC9BB9001D2 + +Count = 593 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747A24CCD774717B9CC + +Count = 594 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF7479D657A4A0277CBFC + +Count = 595 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2B9A41F13A77A3797 + +Count = 596 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2FED956C1F22ACD59 + +Count = 597 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D22CCD913033298A64 + +Count = 598 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D245942FCCCBCE178B + +Count = 599 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D22B68FC5CB91178DF + +Count = 600 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2B16B0B6290CCED75 + +Count = 601 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2BBA5E6A7C1A5E933 + +Count = 602 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2DDFDFB1F6D529E29 + +Count = 603 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246D0FC3F2DC8C49D + +Count = 604 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D28E968E65BD02D2F7 + +Count = 605 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D265CC6622AFCC8C87 + +Count = 606 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2AA8E4DC55EC300CC + +Count = 607 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2570E9A585E3728CA + +Count = 608 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D20D8109ACAFF8BC33 + +Count = 609 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2F1F2B131ACDA0967 + +Count = 610 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D241B508AFB887C155 + +Count = 611 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D221C9A3923BA8F8A6 + +Count = 612 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2F5E85E1E847B345C + +Count = 613 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2E65D7F50BE076744 + +Count = 614 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D261C1CDAAF0C8D33D + +Count = 615 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D22135B712AC342212 + +Count = 616 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D21E910800372D0960 + +Count = 617 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2C2B0C80464ED7283 + +Count = 618 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D25F943BC2C84D4406 + +Count = 619 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D213C70ED9B179328D + +Count = 620 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2853D19A1F0C2D6C7 + +Count = 621 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2BD5AD725CC7AA90A + +Count = 622 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D29CA730DD77883D41 + +Count = 623 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2C3FFD7F373058A43 + +Count = 624 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D255C5F33CA8954DB8 + +Count = 625 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D271CD84CDFFED4F5D + +Count = 626 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D23BD7C573036AF743 + +Count = 627 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D204FE724E460A8573 + +Count = 628 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2463BBD4C88B61D2014 + +Count = 629 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2467CC0055AE34DDADA + +Count = 630 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246AED4C2AB224E9DE7 + +Count = 631 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246C78D7C57DAA90008 + +Count = 632 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A971AFC7A8766F5C + +Count = 633 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246337258F981ABFAF6 + +Count = 634 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24639BCB53CD0C2FEB0 + +Count = 635 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2465FE4A8847C3589AA + +Count = 636 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246C4C9AFA43CAFD31E + +Count = 637 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2460C8FDDFEAC65C574 + +Count = 638 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246E7D535B9BEAB9B04 + +Count = 639 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24628971E5E4FA4174F + +Count = 640 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246D517C9C34F503F49 + +Count = 641 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2468F985A37BE9FABB0 + +Count = 642 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24673EBE2AABDBD1EE4 + +Count = 643 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246C3AC5B34A9E0D6D6 + +Count = 644 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A3D0F0092ACFEF25 + +Count = 645 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24677F10D85951C23DF + +Count = 646 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24664442CCBAF6070C7 + +Count = 647 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246E3D89E31E1AFC4BE + +Count = 648 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A32CE489BD533591 + +Count = 649 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2469C885B9B264A1EE3 + +Count = 650 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24640A99B9F758A6500 + +Count = 651 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246DD8D6859D92A5385 + +Count = 652 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24691DE5D42A01E250E + +Count = 653 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24607244A3AE1A5C144 + +Count = 654 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2463F4384BEDD1DBE89 + +Count = 655 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2461EBE634666EF2AC2 + +Count = 656 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24641E6846862629DC0 + +Count = 657 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246D7DCA0A7B9F25A3B + +Count = 658 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246F3D4D756EE8A58DE + +Count = 659 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246B9CE96E8120DE0C0 + +Count = 660 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24686E721D5576D92F0 + +Count = 661 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8350157EBDEE09FD2 + +Count = 662 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8727C1E398BB0651C + +Count = 663 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8A068D9C84AB32221 + +Count = 664 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8C9316734B254BFCE + +Count = 665 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8A7CDB4A4C08BD09A + +Count = 666 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A83DCE439AE9564530 + +Count = 667 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A83700AE5FB83F4176 + +Count = 668 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A85158B3E714C8366C + +Count = 669 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8CA75B4C754526CD8 + +Count = 670 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A80233C69DC4987AB2 + +Count = 671 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8E9692EDAD65624C2 + +Count = 672 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8262B053D2759A889 + +Count = 673 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8DBABD2A027AD808F + +Count = 674 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A881244154D6621476 + +Count = 675 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A87D57F9C9D540A122 + +Count = 676 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8CD104057C11D6910 + +Count = 677 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8AD6CEB6A423250E3 + +Count = 678 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8794D16E6FDE19C19 + +Count = 679 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86AF837A8C79DCF01 + +Count = 680 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8ED64855289527B78 + +Count = 681 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8AD90FFEAD5AE8A57 + +Count = 682 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8923440F84EB7A125 + +Count = 683 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A84E1580FC1D77DAC6 + +Count = 684 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8D331733AB1D7EC43 + +Count = 685 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A89F624621C8E39AC8 + +Count = 686 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A80998515989587E82 + +Count = 687 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A831FF9FDDB5E0014F + +Count = 688 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8100278250E129504 + +Count = 689 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A84F5A9F0B0A9F2206 + +Count = 690 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8D960BBC4D10FE5FD + +Count = 691 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8FD68CC358677E718 + +Count = 692 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8B7728D8B7AF05F06 + +Count = 693 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8885B3AB63F902D36 + +Count = 694 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86815CB8F49FB3DD784 + +Count = 695 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86852B6C69BAE6D2D4A + +Count = 696 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86880A2016A6F6E6A77 + +Count = 697 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868E9FBBF969789F798 + +Count = 698 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86887076C06E55698CC + +Count = 699 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8681D049B38CC8B0D66 + +Count = 700 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86817CA76FD9DE20920 + +Count = 701 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86871926B4531157E3A + +Count = 702 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868EABF6C65718F248E + +Count = 703 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86822F91E3FE14532E4 + +Count = 704 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868C9A3F678F38B6C94 + +Count = 705 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86806E1DD9F0284E0DF + +Count = 706 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FB610A020270C8D9 + +Count = 707 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868A1EE99F6F3BF5C20 + +Count = 708 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8685D9D216BF09DE974 + +Count = 709 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868EDDA98F5E4C02146 + +Count = 710 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8688DA633C867EF18B5 + +Count = 711 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8685987CE44D83CD44F + +Count = 712 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8684A32EF0AE2408757 + +Count = 713 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868CDAE5DF0AC8F332E + +Count = 714 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8688D5A2748F073C201 + +Count = 715 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868B2FE985A6B6AE973 + +Count = 716 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8686EDF585E38AA9290 + +Count = 717 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868F3FBAB98940AA415 + +Count = 718 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868BFA89E83ED3ED29E + +Count = 719 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868295289FBAC8536D4 + +Count = 720 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8681135477F903D4919 + +Count = 721 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86830C8A0872BCFDD52 + +Count = 722 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8686F9047A92F426A50 + +Count = 723 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868F9AA6366F4D2ADAB + +Count = 724 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868DDA21497A3AAAF4E + +Count = 725 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86897B855295F2D1750 + +Count = 726 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868A891E2141A4D6560 + +Count = 727 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA5E43CB493E81906A + +Count = 728 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA193E829B6BD16AA4 + +Count = 729 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FACB2A456AAAD22D99 + +Count = 730 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAA273FB965235B076 + +Count = 731 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FACC8F280620EADF22 + +Count = 732 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA568CDF3809374A88 + +Count = 733 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA5C4232FD585E4ECE + +Count = 734 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA3A1A2F45F4A939D4 + +Count = 735 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAA1372865B4336360 + +Count = 736 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA69715A3F24F9750A + +Count = 737 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA822BB27836372B7A + +Count = 738 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA4D69999FC738A731 + +Count = 739 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAB0E94E02C7CC8F37 + +Count = 740 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAEA66DDF636031BCE + +Count = 741 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA1615656B3521AE9A + +Count = 742 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAA652DCF5217C66A8 + +Count = 743 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAC62E77C8A2535F5B + +Count = 744 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA120F8A441D8093A1 + +Count = 745 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA01BAAB0A27FCC0B9 + +Count = 746 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA862619F0693374C0 + +Count = 747 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAC6D2634835CF85EF + +Count = 748 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAF976DC5AAED6AE9D + +Count = 749 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA25571C5EFD16D57E + +Count = 750 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAB873EF9851B6E3FB + +Count = 751 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAF420DA8328829570 + +Count = 752 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA62DACDFB6939713A + +Count = 753 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA5ABD037F55810EF7 + +Count = 754 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA7B40E487EE739ABC + +Count = 755 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA241803A9EAFE2DBE + +Count = 756 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAB2222766316EEA45 + +Count = 757 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA962A50976616E8A0 + +Count = 758 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FADC3011299A9150BE + +Count = 759 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAE319A614DFF1228E + +Count = 760 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EA3280659BC62EF69 + +Count = 761 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EE4554F8BE93215A7 + +Count = 762 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E3641887A2831529A + +Count = 763 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E5F183686D0D6CF75 + +Count = 764 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E31E4E516A209A021 + +Count = 765 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EABE712288BD4358B + +Count = 766 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EA129FFEDDABD31CD + +Count = 767 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EC771E255764A46D7 + +Count = 768 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E5C5CE57536D01C63 + +Count = 769 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E941A972FA61A0A09 + +Count = 770 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7F407F68B4D45479 + +Count = 771 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EB002548F45DBD832 + +Count = 772 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E4D828312452FF034 + +Count = 773 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E170D10E6B4E064CD + +Count = 774 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EEB7EA87BB7C2D199 + +Count = 775 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E5B3911E5A39F19AB + +Count = 776 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E3B45BAD820B02058 + +Count = 777 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EEF6447549F63ECA2 + +Count = 778 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EFCD1661AA51FBFBA + +Count = 779 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7B4DD4E0EBD00BC3 + +Count = 780 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E3BB9AE58B72CFAEC + +Count = 781 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E041D114A2C35D19E + +Count = 782 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0ED83CD14E7FF5AA7D + +Count = 783 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E45182288D3559CF8 + +Count = 784 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E094B1793AA61EA73 + +Count = 785 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E9FB100EBEBDA0E39 + +Count = 786 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EA7D6CE6FD76271F4 + +Count = 787 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E862B29976C90E5BF + +Count = 788 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0ED973CEB9681D52BD + +Count = 789 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E4F49EA76B38D9546 + +Count = 790 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E6B419D87E4F597A3 + +Count = 791 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E215BDC3918722FBD + +Count = 792 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E1E726B045D125D8D + +Count = 793 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E760709018E833F1F5E + +Count = 794 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E764074485CD66FE590 + +Count = 795 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7692608FAD176CA2AD + +Count = 796 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76FB393151EF8B3F42 + +Count = 797 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7695C5E2C19D545016 + +Count = 798 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E760FC615FFB489C5BC + +Count = 799 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E760508F83AE5E0C1FA + +Count = 800 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E766350E5824917B6E0 + +Count = 801 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76F87DE2A2098DEC54 + +Count = 802 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76303B90F89947FA3E + +Count = 803 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76DB6178BF8B89A44E + +Count = 804 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76142353587A862805 + +Count = 805 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76E9A384C57A720003 + +Count = 806 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76B32C17318BBD94FA + +Count = 807 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E764F5FAFAC889F21AE + +Count = 808 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76FF1816329CC2E99C + +Count = 809 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E769F64BD0F1FEDD06F + +Count = 810 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E764B454083A03E1C95 + +Count = 811 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7658F061CD9A424F8D + +Count = 812 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76DF6CD337D48DFBF4 + +Count = 813 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E769F98A98F88710ADB + +Count = 814 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76A03C169D136821A9 + +Count = 815 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E767C1DD69940A85A4A + +Count = 816 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76E139255FEC086CCF + +Count = 817 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76AD6A1044953C1A44 + +Count = 818 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E763B90073CD487FE0E + +Count = 819 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7603F7C9B8E83F81C3 + +Count = 820 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76220A2E4053CD1588 + +Count = 821 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E767D52C96E5740A28A + +Count = 822 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EB68EDA18CD06571 + +Count = 823 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76CF609A50DBA86794 + +Count = 824 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76857ADBEE272FDF8A + +Count = 825 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76BA536CD3624FADBA + +Count = 826 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDD3F2C499CD01E93B + +Count = 827 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED948F8D4B985113F5 + +Count = 828 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED469B4ABA595254C8 + +Count = 829 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2FC2F446A1B5C927 + +Count = 830 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED413E27D6D36AA673 + +Count = 831 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDDB3DD0E8FAB733D9 + +Count = 832 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDD1F33D2DABDE379F + +Count = 833 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDB7AB209507294085 + +Count = 834 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2C8627B547B31A31 + +Count = 835 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDE4C055EFD7790C5B + +Count = 836 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED0F9ABDA8C5B7522B + +Count = 837 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDC0D8964F34B8DE60 + +Count = 838 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED3D5841D2344CF666 + +Count = 839 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED67D7D226C583629F + +Count = 840 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED9BA46ABBC6A1D7CB + +Count = 841 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2BE3D325D2FC1FF9 + +Count = 842 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED4B9F781851D3260A + +Count = 843 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED9FBE8594EE00EAF0 + +Count = 844 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED8C0BA4DAD47CB9E8 + +Count = 845 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED0B9716209AB30D91 + +Count = 846 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED4B636C98C64FFCBE + +Count = 847 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED74C7D38A5D56D7CC + +Count = 848 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDA8E6138E0E96AC2F + +Count = 849 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED35C2E048A2369AAA + +Count = 850 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED7991D553DB02EC21 + +Count = 851 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDEF6BC22B9AB9086B + +Count = 852 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDD70C0CAFA60177A6 + +Count = 853 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDF6F1EB571DF3E3ED + +Count = 854 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDA9A90C79197E54EF + +Count = 855 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED3F9328B6C2EE9314 + +Count = 856 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED1B9B5F47959691F1 + +Count = 857 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED51811EF9691129EF + +Count = 858 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED6EA8A9C42C715BDF + +Count = 859 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27D60699C08C473E80 + +Count = 860 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27917BD012D917C44E + +Count = 861 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27436F17E318148373 + +Count = 862 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED272A36A91FE0F31E9C + +Count = 863 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2744CA7A8F922C71C8 + +Count = 864 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27DEC98DB1BBF1E462 + +Count = 865 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27D4076074EA98E024 + +Count = 866 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27B25F7DCC466F973E + +Count = 867 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2729727AEC06F5CD8A + +Count = 868 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27E13408B6963FDBE0 + +Count = 869 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED270A6EE0F184F18590 + +Count = 870 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27C52CCB1675FE09DB + +Count = 871 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2738AC1C8B750A21DD + +Count = 872 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2762238F7F84C5B524 + +Count = 873 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED279E5037E287E70070 + +Count = 874 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED272E178E7C93BAC842 + +Count = 875 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED274E6B25411095F1B1 + +Count = 876 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED279A4AD8CDAF463D4B + +Count = 877 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2789FFF983953A6E53 + +Count = 878 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED270E634B79DBF5DA2A + +Count = 879 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED274E9731C187092B05 + +Count = 880 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2771338ED31C100077 + +Count = 881 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27AD124ED74FD07B94 + +Count = 882 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED273036BD11E3704D11 + +Count = 883 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED277C65880A9A443B9A + +Count = 884 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27EA9F9F72DBFFDFD0 + +Count = 885 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27D2F851F6E747A01D + +Count = 886 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27F305B60E5CB53456 + +Count = 887 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27AC5D512058388354 + +Count = 888 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED273A6775EF83A844AF + +Count = 889 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED271E6F021ED4D0464A + +Count = 890 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27547543A02857FE54 + +Count = 891 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED276B5CF49D6D378C64 + +Count = 892 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA1D22EF9650CACD9F + +Count = 893 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA5A5FA644059A3751 + +Count = 894 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA884B61B5C499706C + +Count = 895 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAE112DF493C7EED83 + +Count = 896 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA8FEE0CD94EA182D7 + +Count = 897 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA15EDFBE7677C177D + +Count = 898 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA1F2316223615133B + +Count = 899 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA797B0B9A9AE26421 + +Count = 900 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAE2560CBADA783E95 + +Count = 901 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA2A107EE04AB228FF + +Count = 902 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAC14A96A7587C768F + +Count = 903 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0E08BD40A973FAC4 + +Count = 904 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAF3886ADDA987D2C2 + +Count = 905 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAA907F9295848463B + +Count = 906 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA557441B45B6AF36F + +Count = 907 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAE533F82A4F373B5D + +Count = 908 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA854F5317CC1802AE + +Count = 909 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA516EAE9B73CBCE54 + +Count = 910 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA42DB8FD549B79D4C + +Count = 911 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAC5473D2F07782935 + +Count = 912 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA85B347975B84D81A + +Count = 913 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FABA17F885C09DF368 + +Count = 914 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA66363881935D888B + +Count = 915 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAFB12CB473FFDBE0E + +Count = 916 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAB741FE5C46C9C885 + +Count = 917 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA21BBE92407722CCF + +Count = 918 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA19DC27A03BCA5302 + +Count = 919 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA3821C0588038C749 + +Count = 920 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA6779277684B5704B + +Count = 921 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAF14303B95F25B7B0 + +Count = 922 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAD54B7448085DB555 + +Count = 923 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA9F5135F6F4DA0D4B + +Count = 924 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAA07882CBB1BA7F7B + +Count = 925 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CF4E2AF1AD60EDADD + +Count = 926 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CB39FE6C8835E2013 + +Count = 927 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C618B2139425D672E + +Count = 928 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C08D29FC5BABAFAC1 + +Count = 929 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C662E4C55C8659595 + +Count = 930 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CFC2DBB6BE1B8003F + +Count = 931 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CF6E356AEB0D10479 + +Count = 932 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C90BB4B161C267363 + +Count = 933 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C0B964C365CBC29D7 + +Count = 934 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CC3D03E6CCC763FBD + +Count = 935 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C288AD62BDEB861CD + +Count = 936 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CE7C8FDCC2FB7ED86 + +Count = 937 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C1A482A512F43C580 + +Count = 938 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C40C7B9A5DE8C5179 + +Count = 939 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CBCB40138DDAEE42D + +Count = 940 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C0CF3B8A6C9F32C1F + +Count = 941 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C6C8F139B4ADC15EC + +Count = 942 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CB8AEEE17F50FD916 + +Count = 943 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CAB1BCF59CF738A0E + +Count = 944 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2C877DA381BC3E77 + +Count = 945 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C6C73071BDD40CF58 + +Count = 946 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C53D7B8094659E42A + +Count = 947 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C8FF6780D15999FC9 + +Count = 948 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C12D28BCBB939A94C + +Count = 949 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C5E81BED0C00DDFC7 + +Count = 950 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CC87BA9A881B63B8D + +Count = 951 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CF01C672CBD0E4440 + +Count = 952 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CD1E180D406FCD00B + +Count = 953 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C8EB967FA02716709 + +Count = 954 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C18834335D9E1A0F2 + +Count = 955 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C3C8B34C48E99A217 + +Count = 956 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C7691757A721E1A09 + +Count = 957 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C49B8C247377E6839 + +Count = 958 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E593E87D00022ED24 + +Count = 959 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E1E43CE02557217EA + +Count = 960 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2ECC5709F3947150D7 + +Count = 961 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EA50EB70F6C96CD38 + +Count = 962 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2ECBF2649F1E49A26C + +Count = 963 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E51F193A1379437C6 + +Count = 964 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E5B3F7E6466FD3380 + +Count = 965 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3D6763DCCA0A449A + +Count = 966 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EA64A64FC8A901E2E + +Count = 967 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E6E0C16A61A5A0844 + +Count = 968 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E8556FEE108945634 + +Count = 969 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E4A14D506F99BDA7F + +Count = 970 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EB794029BF96FF279 + +Count = 971 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EED1B916F08A06680 + +Count = 972 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E116829F20B82D3D4 + +Count = 973 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EA12F906C1FDF1BE6 + +Count = 974 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EC1533B519CF02215 + +Count = 975 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E1572C6DD2323EEEF + +Count = 976 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E06C7E793195FBDF7 + +Count = 977 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E815B55695790098E + +Count = 978 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EC1AF2FD10B6CF8A1 + +Count = 979 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EFE0B90C39075D3D3 + +Count = 980 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E222A50C7C3B5A830 + +Count = 981 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EBF0EA3016F159EB5 + +Count = 982 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EF35D961A1621E83E + +Count = 983 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E65A78162579A0C74 + +Count = 984 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E5DC04FE66B2273B9 + +Count = 985 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E7C3DA81ED0D0E7F2 + +Count = 986 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E23654F30D45D50F0 + +Count = 987 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EB55F6BFF0FCD970B + +Count = 988 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E91571C0E58B595EE + +Count = 989 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EDB4D5DB0A4322DF0 + +Count = 990 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EE464EA8DE1525FC0 + +Count = 991 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E335955C32AF45527B3 + +Count = 992 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E331E288AF8A105DD7D + +Count = 993 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33CC3C4D0960069A40 + +Count = 994 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33A565F3F598E107AF + +Count = 995 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33CB992065EA3E68FB + +Count = 996 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33519AD75BC3E3FD51 + +Count = 997 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E335B543A9E928AF917 + +Count = 998 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E333D0C27263E7D8E0D + +Count = 999 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33A62120067EE7D4B9 + +Count = 1000 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336E67525CEE2DC2D3 + +Count = 1001 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33853DBA1BFCE39CA3 + +Count = 1002 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E334A7F91FC0DEC10E8 + +Count = 1003 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33B7FF46610D1838EE + +Count = 1004 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33ED70D595FCD7AC17 + +Count = 1005 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3311036D08FFF51943 + +Count = 1006 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33A144D496EBA8D171 + +Count = 1007 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33C1387FAB6887E882 + +Count = 1008 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3315198227D7542478 + +Count = 1009 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3306ACA369ED287760 + +Count = 1010 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3381301193A3E7C319 + +Count = 1011 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33C1C46B2BFF1B3236 + +Count = 1012 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33FE60D43964021944 + +Count = 1013 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E332241143D37C262A7 + +Count = 1014 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33BF65E7FB9B625422 + +Count = 1015 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33F336D2E0E25622A9 + +Count = 1016 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365CCC598A3EDC6E3 + +Count = 1017 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E335DAB0B1C9F55B92E + +Count = 1018 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E337C56ECE424A72D65 + +Count = 1019 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33230E0BCA202A9A67 + +Count = 1020 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33B5342F05FBBA5D9C + +Count = 1021 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33913C58F4ACC25F79 + +Count = 1022 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33DB26194A5045E767 + +Count = 1023 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33E40FAE7715259557 + +Count = 1024 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336519FC5173FEE9AC46 + +Count = 1025 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33655E8118A1ABB95688 + +Count = 1026 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33658C95DF506ABA11B5 + +Count = 1027 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365E5CC61AC925D8C5A + +Count = 1028 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33658B30B23CE082E30E + +Count = 1029 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336511334502C95F76A4 + +Count = 1030 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33651BFDA8C7983672E2 + +Count = 1031 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33657DA5B57F34C105F8 + +Count = 1032 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365E688B25F745B5F4C + +Count = 1033 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33652ECEC005E4914926 + +Count = 1034 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365C5942842F65F1756 + +Count = 1035 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33650AD603A507509B1D + +Count = 1036 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365F756D43807A4B31B + +Count = 1037 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365ADD947CCF66B27E2 + +Count = 1038 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336551AAFF51F54992B6 + +Count = 1039 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365E1ED46CFE1145A84 + +Count = 1040 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33658191EDF2623B6377 + +Count = 1041 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336555B0107EDDE8AF8D + +Count = 1042 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336546053130E794FC95 + +Count = 1043 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365C19983CAA95B48EC + +Count = 1044 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365816DF972F5A7B9C3 + +Count = 1045 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365BEC946606EBE92B1 + +Count = 1046 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336562E886643D7EE952 + +Count = 1047 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365FFCC75A291DEDFD7 + +Count = 1048 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365B39F40B9E8EAA95C + +Count = 1049 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365256557C1A9514D16 + +Count = 1050 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33651D02994595E932DB + +Count = 1051 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33653CFF7EBD2E1BA690 + +Count = 1052 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336563A799932A961192 + +Count = 1053 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365F59DBD5CF106D669 + +Count = 1054 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365D195CAADA67ED48C + +Count = 1055 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33659B8F8B135AF96C92 + +Count = 1056 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365A4A63C2E1F991EA2 + +Count = 1057 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EBF84220B134F3973 + +Count = 1058 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EF8F96BD9461FC3BD + +Count = 1059 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E2AEDAC28871C8480 + +Count = 1060 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E43B412D47FFB196F + +Count = 1061 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E2D48C1440D24763B + +Count = 1062 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EB74B367A24F9E391 + +Count = 1063 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EBD85DBBF7590E7D7 + +Count = 1064 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EDBDDC607D96790CD + +Count = 1065 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304050607 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E40F0C12799FDCA79 + +Count = 1066 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E88B6B37D0937DC13 + +Count = 1067 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506070809 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E63EC5B3A1BF98263 + +Count = 1068 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EACAE70DDEAF60E28 + +Count = 1069 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E512EA740EA02262E + +Count = 1070 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E0BA134B41BCDB2D7 + +Count = 1071 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EF7D28C2918EF0783 + +Count = 1072 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E479535B70CB2CFB1 + +Count = 1073 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E27E99E8A8F9DF642 + +Count = 1074 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EF3C86306304E3AB8 + +Count = 1075 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EE07D42480A3269A0 + +Count = 1076 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E67E1F0B244FDDDD9 + +Count = 1077 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E27158A0A18012CF6 + +Count = 1078 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E18B1351883180784 + +Count = 1079 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EC490F51CD0D87C67 + +Count = 1080 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E59B406DA7C784AE2 + +Count = 1081 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E15E733C1054C3C69 + +Count = 1082 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E831D24B944F7D823 + +Count = 1083 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EBB7AEA3D784FA7EE + +Count = 1084 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E9A870DC5C3BD33A5 + +Count = 1085 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EC5DFEAEBC73084A7 + +Count = 1086 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E53E5CE241CA0435C + +Count = 1087 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E77EDB9D54BD841B9 + +Count = 1088 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E3DF7F86BB75FF9A7 + +Count = 1089 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E02DE4F56F23F8B97 + diff --git a/elephant/Implementations/crypto_aead/elephant160v1/ref/LWC_AEAD_KAT_128_96.txt b/elephant/Implementations/crypto_aead/elephant160v1/ref/LWC_AEAD_KAT_128_96.txt deleted file mode 100644 index 0c5a5a2..0000000 --- a/elephant/Implementations/crypto_aead/elephant160v1/ref/LWC_AEAD_KAT_128_96.txt +++ /dev/null @@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = -CT = 99AD0D35BBB90AA7 - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00 -CT = DED044E7EEE9F069 - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001 -CT = 0CC483162FEAB754 - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102 -CT = 659D3DEAD70D2ABB - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203 -CT = 0B61EE7AA5D245EF - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304 -CT = 916219448C0FD045 - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405 -CT = 9BACF481DD66D403 - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506 -CT = FDF4E9397191A319 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304050607 -CT = 66D9EE19310BF9AD - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708 -CT = AE9F9C43A1C1EFC7 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506070809 -CT = 45C57404B30FB1B7 - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A -CT = 8A875FE342003DFC - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B -CT = 7707887E42F415FA - -Count = 14 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C -CT = 2D881B8AB33B8103 - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D -CT = D1FBA317B0193457 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 61BC1A89A444FC65 - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 01C0B1B4276BC596 - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = D5E14C3898B8096C - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C6546D76A2C45A74 - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 41C8DF8CEC0BEE0D - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 013CA534B0F71F22 - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 3E981A262BEE3450 - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = E2B9DA22782E4FB3 - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 7F9D29E4D48E7936 - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 33CE1CFFADBA0FBD - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5340B87EC01EBF7 - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 9D53C503D0B9943A - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BCAE22FB6B4B0071 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = E3F6C5D56FC6B773 - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75CCE11AB4567088 - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 51C496EBE32E726D - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 1BDED7551FA9CA73 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 24F760685AC9B843 - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = -CT = C909DAD7810C416E41 - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00 -CT = C94EA79E535911948F - -Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001 -CT = C99CB359A29812D3B2 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102 -CT = C9F5EAE75E60F54E5D - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203 -CT = C99B1634CE122A2109 - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304 -CT = C90115C3F03BF7B4A3 - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405 -CT = C90BDB2E356A9EB0E5 - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506 -CT = C96D83338DC669C7FF - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304050607 -CT = C9F6AE34AD86F39D4B - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708 -CT = C93EE846F716398B21 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506070809 -CT = C9D5B2AEB004F7D551 - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A -CT = C91AF08557F5F8591A - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B -CT = C9E77052CAF50C711C - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C -CT = C9BDFFC13E04C3E5E5 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = C9418C79A307E150B1 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = C9F1CBC03D13BC9883 - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = C991B76B009093A170 - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C94596968C2F406D8A - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C95623B7C2153C3E92 - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9D1BF05385BF38AEB - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9914B7F80070F7BC4 - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9AEEFC0929C1650B6 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C972CE0096CFD62B55 - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9EFEAF35063761DD0 - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9A3B9C64B1A426B5B - -Count = 59 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C93543D1335BF98F11 - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C90D241FB76741F0DC - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C92CD9F84FDCB36497 - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C973811F61D83ED395 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9E5BB3BAE03AE146E - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9C1B34C5F54D6168B - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C98BA90DE1A851AE95 - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9B480BADCED31DCA5 - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = -CT = C90377F863D1D68B7D47 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00 -CT = C90330852A0383DB8789 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001 -CT = C903E291EDF242D8C0B4 - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102 -CT = C9038BC8530EBA3F5D5B - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203 -CT = C903E534809EC8E0320F - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304 -CT = C9037F3777A0E13DA7A5 - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405 -CT = C90375F99A65B054A3E3 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506 -CT = C90313A187DD1CA3D4F9 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304050607 -CT = C903888C80FD5C398E4D - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708 -CT = C90340CAF2A7CCF39827 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506070809 -CT = C903AB901AE0DE3DC657 - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A -CT = C90364D231072F324A1C - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B -CT = C9039952E69A2FC6621A - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C -CT = C903C3DD756EDE09F6E3 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D -CT = C9033FAECDF3DD2B43B7 - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = C9038FE9746DC9768B85 - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = C903EF95DF504A59B276 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9033BB422DCF58A7E8C - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C90328010392CFF62D94 - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C903AF9DB168813999ED - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C903EF69CBD0DDC568C2 - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C903D0CD74C246DC43B0 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9030CECB4C6151C3853 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C90391C84700B9BC0ED6 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C903DD9B721BC088785D - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034B61656381339C17 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9037306ABE7BD8BE3DA - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C90352FB4C1F06797791 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9030DA3AB3102F4C093 - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9039B998FFED9640768 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C903BF91F80F8E1C058D - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C903F58BB9B1729BBD93 - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C903CAA20E8C37FBCFA3 - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = -CT = C9034AEE97703E68E1AFAD - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00 -CT = C9034AA9EA39EC3DB15563 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001 -CT = C9034A7BFEFE1DFCB2125E - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102 -CT = C9034A12A740E104558FB1 - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203 -CT = C9034A7C5B9371768AE0E5 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304 -CT = C9034AE658644F5F57754F - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405 -CT = C9034AEC96898A0E3E7109 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506 -CT = C9034A8ACE9432A2C90613 - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304050607 -CT = C9034A11E39312E2535CA7 - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708 -CT = C9034AD9A5E14872994ACD - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506070809 -CT = C9034A32FF090F605714BD - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A -CT = C9034AFDBD22E8915898F6 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B -CT = C9034A003DF57591ACB0F0 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C -CT = C9034A5AB2668160632409 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = C9034AA6C1DE1C6341915D - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A16866782771C596F - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A76FACCBFF433609C - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034AA2DB31334BE0AC66 - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034AB16E107D719CFF7E - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A36F2A2873F534B07 - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A7606D83F63AFBA28 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A49A2672DF8B6915A - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A9583A729AB76EAB9 - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A08A754EF07D6DC3C - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A44F461F47EE2AAB7 - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034AD20E768C3F594EFD - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034AEA69B80803E13130 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034ACB945FF0B813A57B - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A94CCB8DEBC9E1279 - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A02F69C11670ED582 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A26FEEBE03076D767 - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A6CE4AA5ECCF16F79 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A53CD1D6389911D49 - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = -CT = C9034A2FC5C3528515B7D64B - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00 -CT = C9034A2F82BE1B5740E72C85 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001 -CT = C9034A2F50AADCA681E46BB8 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102 -CT = C9034A2F39F3625A7903F657 - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203 -CT = C9034A2F570FB1CA0BDC9903 - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304 -CT = C9034A2FCD0C46F422010CA9 - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405 -CT = C9034A2FC7C2AB31736808EF - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506 -CT = C9034A2FA19AB689DF9F7FF5 - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304050607 -CT = C9034A2F3AB7B1A99F052541 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708 -CT = C9034A2FF2F1C3F30FCF332B - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506070809 -CT = C9034A2F19AB2BB41D016D5B - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A -CT = C9034A2FD6E90053EC0EE110 - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B -CT = C9034A2F2B69D7CEECFAC916 - -Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = C9034A2F71E6443A1D355DEF - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F8D95FCA71E17E8BB - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F3DD245390A4A2089 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F5DAEEE048965197A - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F898F138836B6D580 - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F9A3A32C60CCA8698 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F1DA6803C420532E1 - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F5D52FA841EF9C3CE - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F62F6459685E0E8BC - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2FBED78592D620935F - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F23F376547A80A5DA - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F6FA0434F03B4D351 - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2FF95A5437420F371B - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2FC13D9AB37EB748D6 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2FE0C07D4BC545DC9D - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2FBF989A65C1C86B9F - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F29A2BEAA1A58AC64 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F0DAAC95B4D20AE81 - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F47B088E5B1A7169F - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F78993FD8F4C764AF - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = -CT = C9034A2F7FC024F47371011925 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00 -CT = C9034A2F7F8759BDA12451E3EB - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001 -CT = C9034A2F7F554D7A50E552A4D6 - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102 -CT = C9034A2F7F3C14C4AC1DB53939 - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203 -CT = C9034A2F7F52E8173C6F6A566D - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304 -CT = C9034A2F7FC8EBE00246B7C3C7 - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405 -CT = C9034A2F7FC2250DC717DEC781 - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506 -CT = C9034A2F7FA47D107FBB29B09B - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304050607 -CT = C9034A2F7F3F50175FFBB3EA2F - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708 -CT = C9034A2F7FF71665056B79FC45 - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506070809 -CT = C9034A2F7F1C4C8D4279B7A235 - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A -CT = C9034A2F7FD30EA6A588B82E7E - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B -CT = C9034A2F7F2E8E7138884C0678 - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F7401E2CC79839281 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F88725A517AA127D5 - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F3835E3CF6EFCEFE7 - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F584948F2EDD3D614 - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F8C68B57E52001AEE - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9FDD9430687C49F6 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F184126CA26B3FD8F - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F58B55C727A4F0CA0 - -Count = 187 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F6711E360E15627D2 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7FBB302364B2965C31 - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F2614D0A21E366AB4 - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F6A47E5B967021C3F - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7FFCBDF2C126B9F875 - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7FC4DA3C451A0187B8 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7FE527DBBDA1F313F3 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7FBA7F3C93A57EA4F1 - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F2C45185C7EEE630A - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F084D6FAD299661EF - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F42572E13D511D9F1 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F7D7E992E9071ABC1 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = -CT = C9034A2F7F967A2083CD8D969311 - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00 -CT = C9034A2F7F963D5DCA1FD8C669DF - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001 -CT = C9034A2F7F96EF490DEE19C52EE2 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102 -CT = C9034A2F7F968610B312E122B30D - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203 -CT = C9034A2F7F96E8EC608293FDDC59 - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304 -CT = C9034A2F7F9672EF97BCBA2049F3 - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405 -CT = C9034A2F7F9678217A79EB494DB5 - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506 -CT = C9034A2F7F961E7967C147BE3AAF - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304050607 -CT = C9034A2F7F96855460E10724601B - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708 -CT = C9034A2F7F964D1212BB97EE7671 - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506070809 -CT = C9034A2F7F96A648FAFC85202801 - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A -CT = C9034A2F7F96690AD11B742FA44A - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B -CT = C9034A2F7F96948A068674DB8C4C - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F96CE059572851418B5 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9632762DEF8636ADE1 - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9682319471926B65D3 - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F96E24D3F4C11445C20 - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F96366CC2C0AE9790DA - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9625D9E38E94EBC3C2 - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F96A2455174DA2477BB - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F96E2B12BCC86D88694 - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F96DD1594DE1DC1ADE6 - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F96013454DA4E01D605 - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F969C10A71CE2A1E080 - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F96D04392079B95960B - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9646B9857FDA2E7241 - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F967EDE4BFBE6960D8C - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F965F23AC035D6499C7 - -Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F96007B4B2D59E92EC5 - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9696416FE28279E93E - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F96B2491813D501EBDB - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F96F85359AD298653C5 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F96C77AEE906CE621F5 - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = -CT = C9034A2F7F9698A8EE4C09EF3E07AF - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00 -CT = C9034A2F7F9698EF9305DBBA6EFD61 - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001 -CT = C9034A2F7F96983D87C22A7B6DBA5C - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102 -CT = C9034A2F7F969854DE7CD6838A27B3 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203 -CT = C9034A2F7F96983A22AF46F15548E7 - -Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304 -CT = C9034A2F7F9698A0215878D888DD4D - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405 -CT = C9034A2F7F9698AAEFB5BD89E1D90B - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506 -CT = C9034A2F7F9698CCB7A8052516AE11 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304050607 -CT = C9034A2F7F9698579AAF25658CF4A5 - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708 -CT = C9034A2F7F96989FDCDD7FF546E2CF - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506070809 -CT = C9034A2F7F969874863538E788BCBF - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A -CT = C9034A2F7F9698BBC41EDF168730F4 - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = C9034A2F7F96984644C942167318F2 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F96981CCB5AB6E7BC8C0B - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698E0B8E22BE49E395F - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F969850FF5BB5F0C3F16D - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F96983083F08873ECC89E - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698E4A20D04CC3F0464 - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698F7172C4AF643577C - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698708B9EB0B88CE305 - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698307FE408E470122A - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F96980FDB5B1A7F693958 - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698D3FA9B1E2CA942BB - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F96984EDE68D88009743E - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698028D5DC3F93D02B5 - -Count = 257 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F969894774ABBB886E6FF - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698AC10843F843E9932 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F96988DED63C73FCC0D79 - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698D2B584E93B41BA7B - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698448FA026E0D17D80 - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F96986087D7D7B7A97F65 - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F96982A9D96694B2EC77B - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F969815B421540E4EB54B - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = -CT = C9034A2F7F9698DCFBF9B8E86994F2BE - -Count = 266 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00 -CT = C9034A2F7F9698DCBC84F13A3CC40870 - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001 -CT = C9034A2F7F9698DC6E9036CBFDC74F4D - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102 -CT = C9034A2F7F9698DC07C988370520D2A2 - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203 -CT = C9034A2F7F9698DC69355BA777FFBDF6 - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304 -CT = C9034A2F7F9698DCF336AC995E22285C - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405 -CT = C9034A2F7F9698DCF9F8415C0F4B2C1A - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506 -CT = C9034A2F7F9698DC9FA05CE4A3BC5B00 - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304050607 -CT = C9034A2F7F9698DC048D5BC4E32601B4 - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708 -CT = C9034A2F7F9698DCCCCB299E73EC17DE - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506070809 -CT = C9034A2F7F9698DC2791C1D9612249AE - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCE8D3EA3E902DC5E5 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DC15533DA390D9EDE3 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DC4FDCAE576116791A - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB3AF16CA6234CC4E - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DC03E8AF547669047C - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DC63940469F5463D8F - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB7B5F9E54A95F175 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCA400D8AB70E9A26D - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DC239C6A513E261614 - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DC636810E962DAE73B - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DC5CCCAFFBF9C3CC49 - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DC80ED6FFFAA03B7AA - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DC1DC99C3906A3812F - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DC519AA9227F97F7A4 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCC760BE5A3E2C13EE - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCFF0770DE02946C23 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCDEFA9726B966F868 - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DC81A27008BDEB4F6A - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DC179854C7667B8891 - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DC3390233631038A74 - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DC798A6288CD84326A - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DC46A3D5B588E4405A - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = -CT = C9034A2F7F9698DCB420D003C709A0548E - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00 -CT = C9034A2F7F9698DCB467AD4A155CF0AE40 - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001 -CT = C9034A2F7F9698DCB4B5B98DE49DF3E97D - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102 -CT = C9034A2F7F9698DCB4DCE0331865147492 - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203 -CT = C9034A2F7F9698DCB4B21CE08817CB1BC6 - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304 -CT = C9034A2F7F9698DCB4281F17B63E168E6C - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405 -CT = C9034A2F7F9698DCB422D1FA736F7F8A2A - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506 -CT = C9034A2F7F9698DCB44489E7CBC388FD30 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB4DFA4E0EB8312A784 - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB417E292B113D8B1EE - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB4FCB87AF60116EF9E - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB433FA5111F01963D5 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB4CE7A868CF0ED4BD3 - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB494F515780122DF2A - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB46886ADE502006A7E - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB4D8C1147B165DA24C - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB4B8BDBF4695729BBF - -Count = 315 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB46C9C42CA2AA15745 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB47F29638410DD045D - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB4F8B5D17E5E12B024 - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB4B841ABC602EE410B - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB487E514D499F76A79 - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB45BC4D4D0CA37119A - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB4C6E027166697271F - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB48AB3120D1FA35194 - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41C4905755E18B5DE - -Count = 324 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB4242ECBF162A0CA13 - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB405D32C09D9525E58 - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB45A8BCB27DDDFE95A - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB4CCB1EFE8064F2EA1 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB4E8B9981951372C44 - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB4A2A3D9A7ADB0945A - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB49D8A6E9AE8D0E66A - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = -CT = C9034A2F7F9698DCB41AB3B568223658767B - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00 -CT = C9034A2F7F9698DCB41AF4C821F063088CB5 - -Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001 -CT = C9034A2F7F9698DCB41A26DCE601A20BCB88 - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102 -CT = C9034A2F7F9698DCB41A4F8558FD5AEC5667 - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203 -CT = C9034A2F7F9698DCB41A21798B6D28333933 - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ABB7A7C5301EEAC99 - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405 -CT = C9034A2F7F9698DCB41AB1B491965087A8DF - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41AD7EC8C2EFC70DFC5 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41A4CC18B0EBCEA8571 - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41A8487F9542C20931B - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41A6FDD11133EEECD6B - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41AA09F3AF4CFE14120 - -Count = 343 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41A5D1FED69CF156926 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41A07907E9D3EDAFDDF - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41AFBE3C6003DF8488B - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41A4BA47F9E29A580B9 - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41A2BD8D4A3AA8AB94A - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41AFFF9292F155975B0 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41AEC4C08612F2526A8 - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41A6BD0BA9B61EA92D1 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41A2B24C0233D1663FE - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41A14807F31A60F488C - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41AC8A1BF35F5CF336F - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41A55854CF3596F05EA - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41A19D679E8205B7361 - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41A8F2C6E9061E0972B - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41AB74BA0145D58E8E6 - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41A96B647ECE6AA7CAD - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41AC9EEA0C2E227CBAF - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41A5FD4840D39B70C54 - -Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41A7BDCF3FC6ECF0EB1 - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41A31C6B2429248B6AF - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41A0EEF057FD728C49F - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = -CT = C9034A2F7F9698DCB41ACC7B4D6F307036DB5D - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00 -CT = C9034A2F7F9698DCB41ACC3C3026E225662193 - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001 -CT = C9034A2F7F9698DCB41ACCEE24E113E46566AE - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102 -CT = C9034A2F7F9698DCB41ACC877D5FEF1C82FB41 - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCE9818C7F6E5D9415 - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACC73827B41478001BF - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACC794C968416E905F9 - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACC1F148B3CBA1E72E3 - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACC84398C1CFA842857 - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACC4C7FFE466A4E3E3D - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCA72516017880604D - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACC68673DE6898FEC06 - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACC95E7EA7B897BC400 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCF68798F78B450F9 - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACC331BC1127B96E5AD - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACC835C788C6FCB2D9F - -Count = 380 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCE320D3B1ECE4146C - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACC37012E3D5337D896 - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACC24B40F73694B8B8E - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCA328BD8927843FF7 - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCE3DCC7317B78CED8 - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCDC787823E061E5AA - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACC0059B827B3A19E49 - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACC9D7D4BE11F01A8CC - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCD12E7EFA6635DE47 - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACC47D46982278E3A0D - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACC7FB3A7061B3645C0 - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACC5E4E40FEA0C4D18B - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACC0116A7D0A4496689 - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACC972C831F7FD9A172 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCB324F4EE28A1A397 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCF93EB550D4261B89 - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCC617026D914669B9 - -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = -CT = C9034A2F7F9698DCB41ACCCF2C8E9DBEE8D05718 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00 -CT = C9034A2F7F9698DCB41ACCCF6BF3D46CBD80ADD6 - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFB9E7139D7C83EAEB - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFD0BEAD6184647704 - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBE427EF1F6BB1850 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCF244189CFDF668DFA - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCF2E8F640A8E0F89BC - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCF48D779B222F8FEA6 - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFD3FA7E926262A412 - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCF1BBC0CC8F2A8B278 - -Count = 407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFF0E6E48FE066EC08 - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCF3FA4CF6811696043 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFC22418F5119D4845 - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCF98AB8B01E052DCBC - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCF64D8339CE37069E8 - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFD49F8A02F72DA1DA - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFB4E3213F74029829 - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCF60C2DCB3CBD154D3 - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCF7377FDFDF1AD07CB - -Count = 416 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFF4EB4F07BF62B3B2 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFB41F35BFE39E429D - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCF8BBB8AAD788769EF - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCF579A4AA92B47120C - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFCABEB96F87E72489 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCF86ED8C74FED35202 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCF10179B0CBF68B648 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCF2870558883D0C985 - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCF098DB27038225DCE - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCF56D5555E3CAFEACC - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFC0EF7191E73F2D37 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFE4E70660B0472FD2 - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFAEFD47DE4CC097CC - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCF91D4F0E309A0E5FC - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = -CT = C9034A2F7F9698DCB41ACCCFBF8457B65D560FE10C - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBFC32AFF8F035F1BC2 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF113E387EC25C5CFF - -Count = 433 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF786786823ABBC110 - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF169B55124864AE44 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF8C98A22C61B93BEE - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF86564FE930D03FA8 - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBFE00E52519C2748B2 - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF7B235571DCBD1206 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBFB365272B4C77046C - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF583FCF6C5EB95A1C - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF977DE48BAFB6D657 - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF6AFD3316AF42FE51 - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF3072A0E25E8D6AA8 - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBFCC01187F5DAFDFFC - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF7C46A1E149F217CE - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF1C3A0ADCCADD2E3D - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBFC81BF750750EE2C7 - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBFDBAED61E4F72B1DF - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF5C3264E401BD05A6 - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF1CC61E5C5D41F489 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF2362A14EC658DFFB - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBFFF43614A9598A418 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF6267928C3938929D - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF2E34A797400CE416 - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBFB8CEB0EF01B7005C - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF80A97E6B3D0F7F91 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBFA154999386FDEBDA - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBFFE0C7EBD82705CD8 - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF68365A7259E09B23 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF4C3E2D830E9899C6 - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF06246C3DF21F21D8 - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF390DDB00B77F53E8 - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = -CT = C9034A2F7F9698DCB41ACCCFBF54A818514739035C87 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF54EF6518956C53A649 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF543D71DF64AD50E174 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF545428619855B77C9B - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF543AD4B208276813CF - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF54A0D745360EB58665 - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF54AA19A8F35FDC8223 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF54CC41B54BF32BF539 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF54576CB26BB3B1AF8D - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549F2AC031237BB9E7 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF547470287631B5E797 - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF54BB320391C0BA6BDC - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF5446B2D40CC04E43DA - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF541C3D47F83181D723 - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF54E04EFF6532A36277 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF54500946FB26FEAA45 - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF543075EDC6A5D193B6 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF54E454104A1A025F4C - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF54F7E13104207E0C54 - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF54707D83FE6EB1B82D - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF543089F946324D4902 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF540F2D4654A9546270 - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF54D30C8650FA941993 - -Count = 486 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF544E28759656342F16 - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF54027B408D2F00599D - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF54948157F56EBBBDD7 - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF54ACE699715203C21A - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF548D1B7E89E9F15651 - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF54D24399A7ED7CE153 - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF544479BD6836EC26A8 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF546071CA996194244D - -Count = 494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF542A6B8B279D139C53 - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF5415423C1AD873EE63 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549B3902278F177E5A48 - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549B7E7F6E5D422EA086 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BAC6BA9AC832DE7BB - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BC53217507BCA7A54 - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BABCEC4C009151500 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549B31CD33FE20C880AA - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549B3B03DE3B71A184EC - -Count = 503 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549B5D5BC383DD56F3F6 - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BC676C4A39DCCA942 - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549B0E30B6F90D06BF28 - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BE56A5EBE1FC8E158 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549B2A287559EEC76D13 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BD7A8A2C4EE334515 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549B8D2731301FFCD1EC - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549B715489AD1CDE64B8 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BC11330330883AC8A - -Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BA16F9B0E8BAC9579 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549B754E6682347F5983 - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549B66FB47CC0E030A9B - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BE167F53640CCBEE2 - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BA1938F8E1C304FCD - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549B9E37309C872964BF - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549B4216F098D4E91F5C - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BDF32035E784929D9 - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549B93613645017D5F52 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549B059B213D40C6BB18 - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549B3DFCEFB97C7EC4D5 - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549B1C010841C78C509E - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549B4359EF6FC301E79C - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BD563CBA018912067 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF16BBC514FE92282 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BBB71FDEFB36E9A9C - -Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549B84584AD2F60EE8AC - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF7C152A8863B472BE1 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7862FE1546E17D12F - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7543B26A5AF149612 - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF73D62985957F30BFD - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7539E4BC9252C64A9 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7C99DBCF70CF1F103 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7C35351325D98F545 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7A50B4C8AF16F825F - -Count = 537 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF73E264BAAB1F5D8EB - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7F66039F0213FCE81 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF71D3AD1B733F190F1 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF7D278FA50C2FE1CBA - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF72FF82DCDC20A34BC - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF77577BE3933C5A045 - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF7890406A430E71511 - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF73943BF3A24BADD23 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF7593F1407A795E4D0 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF78D1EE98B1846282A - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF79EABC8C5223A7B32 - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF719377A3F6CF5CF4B - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF759C3008730093E64 - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF76667BF95AB101516 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7BA467F91F8D06EF5 - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF727628C5754705870 - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF76B31B94C2D442EFB - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7FDCBAE346CFFCAB1 - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7C5AC60B05047B57C - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF7E4518748EBB52137 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF7BB096066EF389635 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF72D3344A934A851CE - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF7093B335863D0532B - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF7432172E69F57EB35 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF77C08C5DBDA379905 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747203F1717E3077918 - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF74767425EC5B65783D6 - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747B55699347754C4EB - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747DC0F27C88FB35904 - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747B2F3F458FD6C3650 - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF74728F00366D4B1A3FA - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747223EEEA385D8A7BC - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7474466F31B292FD0A6 - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747DF4BF43B69B58A12 - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747170D8661F97F9C78 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747FC576E26EBB1C208 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747331545C11ABE4E43 - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747CE95925C1A4A6645 - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747941A01A8EB85F2BC - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF7476869B935E8A747E8 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D82E00ABFCFA8FDA - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747B852AB967FD5B629 - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7476C73561AC0067AD3 - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7477FC67754FA7A29CB - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747F85AC5AEB4B59DB2 - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747B8AEBF16E8496C9D - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747870A0004735047EF - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7475B2BC00020903C0C - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747C60F33C68C300A89 - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7478A5C06DDF5047C02 - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF7471CA611A5B4BF9848 - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF74724C1DF218807E785 - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747053C38D933F573CE - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF7475A64DFF73778C4CC - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747CC5EFB38ECE80337 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747E8568CC9BB9001D2 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747A24CCD774717B9CC - -Count = 594 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF7479D657A4A0277CBFC - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2B9A41F13A77A3797 - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2FED956C1F22ACD59 - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D22CCD913033298A64 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D245942FCCCBCE178B - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D22B68FC5CB91178DF - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2B16B0B6290CCED75 - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2BBA5E6A7C1A5E933 - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2DDFDFB1F6D529E29 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246D0FC3F2DC8C49D - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D28E968E65BD02D2F7 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D265CC6622AFCC8C87 - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2AA8E4DC55EC300CC - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2570E9A585E3728CA - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D20D8109ACAFF8BC33 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2F1F2B131ACDA0967 - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D241B508AFB887C155 - -Count = 611 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D221C9A3923BA8F8A6 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2F5E85E1E847B345C - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2E65D7F50BE076744 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D261C1CDAAF0C8D33D - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D22135B712AC342212 - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D21E910800372D0960 - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2C2B0C80464ED7283 - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D25F943BC2C84D4406 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D213C70ED9B179328D - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2853D19A1F0C2D6C7 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2BD5AD725CC7AA90A - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D29CA730DD77883D41 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2C3FFD7F373058A43 - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D255C5F33CA8954DB8 - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D271CD84CDFFED4F5D - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D23BD7C573036AF743 - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D204FE724E460A8573 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2463BBD4C88B61D2014 - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2467CC0055AE34DDADA - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246AED4C2AB224E9DE7 - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246C78D7C57DAA90008 - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A971AFC7A8766F5C - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246337258F981ABFAF6 - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24639BCB53CD0C2FEB0 - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2465FE4A8847C3589AA - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246C4C9AFA43CAFD31E - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2460C8FDDFEAC65C574 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246E7D535B9BEAB9B04 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24628971E5E4FA4174F - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246D517C9C34F503F49 - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2468F985A37BE9FABB0 - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24673EBE2AABDBD1EE4 - -Count = 643 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246C3AC5B34A9E0D6D6 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A3D0F0092ACFEF25 - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24677F10D85951C23DF - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24664442CCBAF6070C7 - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246E3D89E31E1AFC4BE - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A32CE489BD533591 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2469C885B9B264A1EE3 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24640A99B9F758A6500 - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246DD8D6859D92A5385 - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24691DE5D42A01E250E - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24607244A3AE1A5C144 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2463F4384BEDD1DBE89 - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D2461EBE634666EF2AC2 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24641E6846862629DC0 - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246D7DCA0A7B9F25A3B - -Count = 658 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246F3D4D756EE8A58DE - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246B9CE96E8120DE0C0 - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D24686E721D5576D92F0 - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8350157EBDEE09FD2 - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8727C1E398BB0651C - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8A068D9C84AB32221 - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8C9316734B254BFCE - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8A7CDB4A4C08BD09A - -Count = 666 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A83DCE439AE9564530 - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A83700AE5FB83F4176 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A85158B3E714C8366C - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8CA75B4C754526CD8 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A80233C69DC4987AB2 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8E9692EDAD65624C2 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8262B053D2759A889 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8DBABD2A027AD808F - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A881244154D6621476 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A87D57F9C9D540A122 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8CD104057C11D6910 - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8AD6CEB6A423250E3 - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8794D16E6FDE19C19 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86AF837A8C79DCF01 - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8ED64855289527B78 - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8AD90FFEAD5AE8A57 - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8923440F84EB7A125 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A84E1580FC1D77DAC6 - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8D331733AB1D7EC43 - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A89F624621C8E39AC8 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A80998515989587E82 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A831FF9FDDB5E0014F - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8100278250E129504 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A84F5A9F0B0A9F2206 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8D960BBC4D10FE5FD - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8FD68CC358677E718 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8B7728D8B7AF05F06 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8885B3AB63F902D36 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86815CB8F49FB3DD784 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86852B6C69BAE6D2D4A - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86880A2016A6F6E6A77 - -Count = 697 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868E9FBBF969789F798 - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86887076C06E55698CC - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8681D049B38CC8B0D66 - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86817CA76FD9DE20920 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86871926B4531157E3A - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868EABF6C65718F248E - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86822F91E3FE14532E4 - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868C9A3F678F38B6C94 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86806E1DD9F0284E0DF - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FB610A020270C8D9 - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868A1EE99F6F3BF5C20 - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8685D9D216BF09DE974 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868EDDA98F5E4C02146 - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8688DA633C867EF18B5 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8685987CE44D83CD44F - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8684A32EF0AE2408757 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868CDAE5DF0AC8F332E - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8688D5A2748F073C201 - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868B2FE985A6B6AE973 - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8686EDF585E38AA9290 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868F3FBAB98940AA415 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868BFA89E83ED3ED29E - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868295289FBAC8536D4 - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8681135477F903D4919 - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86830C8A0872BCFDD52 - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A8686F9047A92F426A50 - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868F9AA6366F4D2ADAB - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868DDA21497A3AAAF4E - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A86897B855295F2D1750 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868A891E2141A4D6560 - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA5E43CB493E81906A - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA193E829B6BD16AA4 - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FACB2A456AAAD22D99 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAA273FB965235B076 - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FACC8F280620EADF22 - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA568CDF3809374A88 - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA5C4232FD585E4ECE - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA3A1A2F45F4A939D4 - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAA1372865B4336360 - -Count = 736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA69715A3F24F9750A - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA822BB27836372B7A - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA4D69999FC738A731 - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAB0E94E02C7CC8F37 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAEA66DDF636031BCE - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA1615656B3521AE9A - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAA652DCF5217C66A8 - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAC62E77C8A2535F5B - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA120F8A441D8093A1 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA01BAAB0A27FCC0B9 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA862619F0693374C0 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAC6D2634835CF85EF - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAF976DC5AAED6AE9D - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA25571C5EFD16D57E - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAB873EF9851B6E3FB - -Count = 751 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAF420DA8328829570 - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA62DACDFB6939713A - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA5ABD037F55810EF7 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA7B40E487EE739ABC - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA241803A9EAFE2DBE - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAB2222766316EEA45 - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA962A50976616E8A0 - -Count = 758 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FADC3011299A9150BE - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FAE319A614DFF1228E - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EA3280659BC62EF69 - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EE4554F8BE93215A7 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E3641887A2831529A - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E5F183686D0D6CF75 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E31E4E516A209A021 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EABE712288BD4358B - -Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EA129FFEDDABD31CD - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EC771E255764A46D7 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E5C5CE57536D01C63 - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E941A972FA61A0A09 - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7F407F68B4D45479 - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EB002548F45DBD832 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E4D828312452FF034 - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E170D10E6B4E064CD - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EEB7EA87BB7C2D199 - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E5B3911E5A39F19AB - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E3B45BAD820B02058 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EEF6447549F63ECA2 - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EFCD1661AA51FBFBA - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7B4DD4E0EBD00BC3 - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E3BB9AE58B72CFAEC - -Count = 781 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E041D114A2C35D19E - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0ED83CD14E7FF5AA7D - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E45182288D3559CF8 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E094B1793AA61EA73 - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E9FB100EBEBDA0E39 - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0EA7D6CE6FD76271F4 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E862B29976C90E5BF - -Count = 788 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0ED973CEB9681D52BD - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E4F49EA76B38D9546 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E6B419D87E4F597A3 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E215BDC3918722FBD - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E1E726B045D125D8D - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E760709018E833F1F5E - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E764074485CD66FE590 - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7692608FAD176CA2AD - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76FB393151EF8B3F42 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7695C5E2C19D545016 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E760FC615FFB489C5BC - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E760508F83AE5E0C1FA - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E766350E5824917B6E0 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76F87DE2A2098DEC54 - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76303B90F89947FA3E - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76DB6178BF8B89A44E - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76142353587A862805 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76E9A384C57A720003 - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76B32C17318BBD94FA - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E764F5FAFAC889F21AE - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76FF1816329CC2E99C - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E769F64BD0F1FEDD06F - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E764B454083A03E1C95 - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7658F061CD9A424F8D - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76DF6CD337D48DFBF4 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E769F98A98F88710ADB - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76A03C169D136821A9 - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E767C1DD69940A85A4A - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76E139255FEC086CCF - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76AD6A1044953C1A44 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E763B90073CD487FE0E - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E7603F7C9B8E83F81C3 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76220A2E4053CD1588 - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E767D52C96E5740A28A - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EB68EDA18CD06571 - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76CF609A50DBA86794 - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76857ADBEE272FDF8A - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76BA536CD3624FADBA - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDD3F2C499CD01E93B - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED948F8D4B985113F5 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED469B4ABA595254C8 - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2FC2F446A1B5C927 - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED413E27D6D36AA673 - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDDB3DD0E8FAB733D9 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDD1F33D2DABDE379F - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDB7AB209507294085 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2C8627B547B31A31 - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDE4C055EFD7790C5B - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED0F9ABDA8C5B7522B - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDC0D8964F34B8DE60 - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED3D5841D2344CF666 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED67D7D226C583629F - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED9BA46ABBC6A1D7CB - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2BE3D325D2FC1FF9 - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED4B9F781851D3260A - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED9FBE8594EE00EAF0 - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED8C0BA4DAD47CB9E8 - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED0B9716209AB30D91 - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED4B636C98C64FFCBE - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED74C7D38A5D56D7CC - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDA8E6138E0E96AC2F - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED35C2E048A2369AAA - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED7991D553DB02EC21 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDEF6BC22B9AB9086B - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDD70C0CAFA60177A6 - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDF6F1EB571DF3E3ED - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76EDA9A90C79197E54EF - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED3F9328B6C2EE9314 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED1B9B5F47959691F1 - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED51811EF9691129EF - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED6EA8A9C42C715BDF - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27D60699C08C473E80 - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27917BD012D917C44E - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27436F17E318148373 - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED272A36A91FE0F31E9C - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2744CA7A8F922C71C8 - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27DEC98DB1BBF1E462 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27D4076074EA98E024 - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27B25F7DCC466F973E - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2729727AEC06F5CD8A - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27E13408B6963FDBE0 - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED270A6EE0F184F18590 - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27C52CCB1675FE09DB - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2738AC1C8B750A21DD - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2762238F7F84C5B524 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED279E5037E287E70070 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED272E178E7C93BAC842 - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED274E6B25411095F1B1 - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED279A4AD8CDAF463D4B - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2789FFF983953A6E53 - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED270E634B79DBF5DA2A - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED274E9731C187092B05 - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED2771338ED31C100077 - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27AD124ED74FD07B94 - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED273036BD11E3704D11 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED277C65880A9A443B9A - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27EA9F9F72DBFFDFD0 - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27D2F851F6E747A01D - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27F305B60E5CB53456 - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27AC5D512058388354 - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED273A6775EF83A844AF - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED271E6F021ED4D0464A - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27547543A02857FE54 - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED276B5CF49D6D378C64 - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA1D22EF9650CACD9F - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA5A5FA644059A3751 - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA884B61B5C499706C - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAE112DF493C7EED83 - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA8FEE0CD94EA182D7 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA15EDFBE7677C177D - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA1F2316223615133B - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA797B0B9A9AE26421 - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAE2560CBADA783E95 - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA2A107EE04AB228FF - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAC14A96A7587C768F - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0E08BD40A973FAC4 - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAF3886ADDA987D2C2 - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAA907F9295848463B - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA557441B45B6AF36F - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAE533F82A4F373B5D - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA854F5317CC1802AE - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA516EAE9B73CBCE54 - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA42DB8FD549B79D4C - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAC5473D2F07782935 - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA85B347975B84D81A - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FABA17F885C09DF368 - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA66363881935D888B - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAFB12CB473FFDBE0E - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAB741FE5C46C9C885 - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA21BBE92407722CCF - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA19DC27A03BCA5302 - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA3821C0588038C749 - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA6779277684B5704B - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAF14303B95F25B7B0 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAD54B7448085DB555 - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA9F5135F6F4DA0D4B - -Count = 924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FAA07882CBB1BA7F7B - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CF4E2AF1AD60EDADD - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CB39FE6C8835E2013 - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C618B2139425D672E - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C08D29FC5BABAFAC1 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C662E4C55C8659595 - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CFC2DBB6BE1B8003F - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CF6E356AEB0D10479 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C90BB4B161C267363 - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C0B964C365CBC29D7 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CC3D03E6CCC763FBD - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C288AD62BDEB861CD - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CE7C8FDCC2FB7ED86 - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C1A482A512F43C580 - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C40C7B9A5DE8C5179 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CBCB40138DDAEE42D - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C0CF3B8A6C9F32C1F - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C6C8F139B4ADC15EC - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CB8AEEE17F50FD916 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CAB1BCF59CF738A0E - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2C877DA381BC3E77 - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C6C73071BDD40CF58 - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C53D7B8094659E42A - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C8FF6780D15999FC9 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C12D28BCBB939A94C - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C5E81BED0C00DDFC7 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CC87BA9A881B63B8D - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CF01C672CBD0E4440 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0CD1E180D406FCD00B - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C8EB967FA02716709 - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C18834335D9E1A0F2 - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C3C8B34C48E99A217 - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C7691757A721E1A09 - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C49B8C247377E6839 - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E593E87D00022ED24 - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E1E43CE02557217EA - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2ECC5709F3947150D7 - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EA50EB70F6C96CD38 - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2ECBF2649F1E49A26C - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E51F193A1379437C6 - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E5B3F7E6466FD3380 - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3D6763DCCA0A449A - -Count = 966 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EA64A64FC8A901E2E - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E6E0C16A61A5A0844 - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E8556FEE108945634 - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E4A14D506F99BDA7F - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EB794029BF96FF279 - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EED1B916F08A06680 - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E116829F20B82D3D4 - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EA12F906C1FDF1BE6 - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EC1533B519CF02215 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E1572C6DD2323EEEF - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E06C7E793195FBDF7 - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E815B55695790098E - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EC1AF2FD10B6CF8A1 - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EFE0B90C39075D3D3 - -Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E222A50C7C3B5A830 - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EBF0EA3016F159EB5 - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EF35D961A1621E83E - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E65A78162579A0C74 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E5DC04FE66B2273B9 - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E7C3DA81ED0D0E7F2 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E23654F30D45D50F0 - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EB55F6BFF0FCD970B - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E91571C0E58B595EE - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EDB4D5DB0A4322DF0 - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2EE464EA8DE1525FC0 - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E335955C32AF45527B3 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E331E288AF8A105DD7D - -Count = 993 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33CC3C4D0960069A40 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33A565F3F598E107AF - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33CB992065EA3E68FB - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33519AD75BC3E3FD51 - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E335B543A9E928AF917 - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E333D0C27263E7D8E0D - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33A62120067EE7D4B9 - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336E67525CEE2DC2D3 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33853DBA1BFCE39CA3 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E334A7F91FC0DEC10E8 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33B7FF46610D1838EE - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33ED70D595FCD7AC17 - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3311036D08FFF51943 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33A144D496EBA8D171 - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33C1387FAB6887E882 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3315198227D7542478 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3306ACA369ED287760 - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3381301193A3E7C319 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33C1C46B2BFF1B3236 - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33FE60D43964021944 - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E332241143D37C262A7 - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33BF65E7FB9B625422 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33F336D2E0E25622A9 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365CCC598A3EDC6E3 - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E335DAB0B1C9F55B92E - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E337C56ECE424A72D65 - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33230E0BCA202A9A67 - -Count = 1020 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33B5342F05FBBA5D9C - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33913C58F4ACC25F79 - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33DB26194A5045E767 - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33E40FAE7715259557 - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336519FC5173FEE9AC46 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33655E8118A1ABB95688 - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33658C95DF506ABA11B5 - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365E5CC61AC925D8C5A - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33658B30B23CE082E30E - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336511334502C95F76A4 - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33651BFDA8C7983672E2 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33657DA5B57F34C105F8 - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365E688B25F745B5F4C - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33652ECEC005E4914926 - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365C5942842F65F1756 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33650AD603A507509B1D - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365F756D43807A4B31B - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365ADD947CCF66B27E2 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336551AAFF51F54992B6 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365E1ED46CFE1145A84 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33658191EDF2623B6377 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336555B0107EDDE8AF8D - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336546053130E794FC95 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365C19983CAA95B48EC - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365816DF972F5A7B9C3 - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365BEC946606EBE92B1 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336562E886643D7EE952 - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365FFCC75A291DEDFD7 - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365B39F40B9E8EAA95C - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365256557C1A9514D16 - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33651D02994595E932DB - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33653CFF7EBD2E1BA690 - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E336563A799932A961192 - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365F59DBD5CF106D669 - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365D195CAADA67ED48C - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33659B8F8B135AF96C92 - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E3365A4A63C2E1F991EA2 - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EBF84220B134F3973 - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EF8F96BD9461FC3BD - -Count = 1059 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E2AEDAC28871C8480 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E43B412D47FFB196F - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E2D48C1440D24763B - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EB74B367A24F9E391 - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EBD85DBBF7590E7D7 - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EDBDDC607D96790CD - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E40F0C12799FDCA79 - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E88B6B37D0937DC13 - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E63EC5B3A1BF98263 - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EACAE70DDEAF60E28 - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E512EA740EA02262E - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E0BA134B41BCDB2D7 - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EF7D28C2918EF0783 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E479535B70CB2CFB1 - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E27E99E8A8F9DF642 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EF3C86306304E3AB8 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EE07D42480A3269A0 - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E67E1F0B244FDDDD9 - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E27158A0A18012CF6 - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E18B1351883180784 - -Count = 1079 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EC490F51CD0D87C67 - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E59B406DA7C784AE2 - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E15E733C1054C3C69 - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E831D24B944F7D823 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EBB7AEA3D784FA7EE - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E9A870DC5C3BD33A5 - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654EC5DFEAEBC73084A7 - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E53E5CE241CA0435C - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E77EDB9D54BD841B9 - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E3DF7F86BB75FF9A7 - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C9034A2F7F9698DCB41ACCCFBF549BF747D246A868FA0E76ED27FA0C2E33654E02DE4F56F23F8B97 - diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/api.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys/api.h new file mode 100644 index 0000000..32c9622 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.c new file mode 100644 index 0000000..770f568 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.c @@ -0,0 +1,881 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "elephant.h" +#include "internal-keccak.h" +#include "internal-spongent.h" +#include + +aead_cipher_t const dumbo_cipher = { + "Dumbo", + DUMBO_KEY_SIZE, + DUMBO_NONCE_SIZE, + DUMBO_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + dumbo_aead_encrypt, + dumbo_aead_decrypt +}; + +aead_cipher_t const jumbo_cipher = { + "Jumbo", + JUMBO_KEY_SIZE, + JUMBO_NONCE_SIZE, + JUMBO_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + jumbo_aead_encrypt, + jumbo_aead_decrypt +}; + +aead_cipher_t const delirium_cipher = { + "Delirium", + DELIRIUM_KEY_SIZE, + DELIRIUM_NONCE_SIZE, + DELIRIUM_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + delirium_aead_encrypt, + delirium_aead_decrypt +}; + +/** + * \brief Applies the Dumbo LFSR to the mask. + * + * \param out The output mask. + * \param in The input mask. + */ +static void dumbo_lfsr + (unsigned char out[SPONGENT160_STATE_SIZE], + const unsigned char in[SPONGENT160_STATE_SIZE]) +{ + unsigned char temp = + leftRotate3_8(in[0]) ^ (in[3] << 7) ^ (in[13] >> 7); + unsigned index; + for (index = 0; index < SPONGENT160_STATE_SIZE - 1; ++index) + out[index] = in[index + 1]; + out[SPONGENT160_STATE_SIZE - 1] = temp; +} + +/** + * \brief Processes the nonce and associated data for Dumbo. + * + * \param state Points to the Spongent-pi[160] state. + * \param mask Points to the initial mask value. + * \param next Points to the next mask value. + * \param tag Points to the ongoing tag that is being computed. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void dumbo_process_ad + (spongent160_state_t *state, + unsigned char mask[SPONGENT160_STATE_SIZE], + unsigned char next[SPONGENT160_STATE_SIZE], + unsigned char tag[DUMBO_TAG_SIZE], + const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned posn, size; + + /* We need the "previous" and "next" masks in each step. + * Compare the first such values */ + dumbo_lfsr(next, mask); + dumbo_lfsr(next, next); + + /* Absorb the nonce into the state */ + lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); + lw_xor_block(state->B, npub, DUMBO_NONCE_SIZE); + + /* Absorb the rest of the associated data */ + posn = DUMBO_NONCE_SIZE; + while (adlen > 0) { + size = SPONGENT160_STATE_SIZE - posn; + if (size <= adlen) { + /* Process a complete block */ + lw_xor_block(state->B + posn, ad, size); + spongent160_permute(state); + lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state->B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); + dumbo_lfsr(mask, mask); + dumbo_lfsr(next, next); + lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); + posn = 0; + } else { + /* Process the partial block at the end of the associated data */ + size = (unsigned)adlen; + lw_xor_block(state->B + posn, ad, size); + posn += size; + } + ad += size; + adlen -= size; + } + + /* Pad and absorb the final block */ + state->B[posn] ^= 0x01; + spongent160_permute(state); + lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state->B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); +} + +int dumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + spongent160_state_t state; + unsigned char start[SPONGENT160_STATE_SIZE]; + unsigned char mask[SPONGENT160_STATE_SIZE]; + unsigned char next[SPONGENT160_STATE_SIZE]; + unsigned char tag[DUMBO_TAG_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DUMBO_KEY_SIZE); + memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); + spongent160_permute(&state); + memcpy(mask, state.B, DUMBO_KEY_SIZE); + memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Encrypt and authenticate the payload */ + while (mlen >= SPONGENT160_STATE_SIZE) { + /* Encrypt using the current mask */ + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, m, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + memcpy(c, state.B, SPONGENT160_STATE_SIZE); + + /* Authenticate using the next mask */ + dumbo_lfsr(next, mask); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT160_STATE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT160_STATE_SIZE); + c += SPONGENT160_STATE_SIZE; + m += SPONGENT160_STATE_SIZE; + mlen -= SPONGENT160_STATE_SIZE; + } + if (mlen > 0) { + /* Encrypt the last block using the current mask */ + unsigned temp = (unsigned)mlen; + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, m, temp); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + memcpy(c, state.B, temp); + + /* Authenticate the last block using the next mask */ + dumbo_lfsr(next, mask); + state.B[temp] = 0x01; + memset(state.B + temp + 1, 0, SPONGENT160_STATE_SIZE - temp - 1); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT160_STATE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + c += temp; + } else if (*clen != DUMBO_TAG_SIZE) { + /* Pad and authenticate when the last block is aligned */ + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + state.B[0] ^= 0x01; + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + } + + /* Generate the authentication tag */ + memcpy(c, tag, DUMBO_TAG_SIZE); + return 0; +} + +int dumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + spongent160_state_t state; + unsigned char *mtemp = m; + unsigned char start[SPONGENT160_STATE_SIZE]; + unsigned char mask[SPONGENT160_STATE_SIZE]; + unsigned char next[SPONGENT160_STATE_SIZE]; + unsigned char tag[DUMBO_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DUMBO_TAG_SIZE) + return -1; + *mlen = clen - DUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DUMBO_KEY_SIZE); + memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); + spongent160_permute(&state); + memcpy(mask, state.B, DUMBO_KEY_SIZE); + memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Decrypt and authenticate the payload */ + clen -= DUMBO_TAG_SIZE; + while (clen >= SPONGENT160_STATE_SIZE) { + /* Authenticate using the next mask */ + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, c, SPONGENT160_STATE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + + /* Decrypt using the current mask */ + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block_2_src(m, state.B, c, SPONGENT160_STATE_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT160_STATE_SIZE); + c += SPONGENT160_STATE_SIZE; + m += SPONGENT160_STATE_SIZE; + clen -= SPONGENT160_STATE_SIZE; + } + if (clen > 0) { + /* Authenticate the last block using the next mask */ + unsigned temp = (unsigned)clen; + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, c, temp); + state.B[temp] ^= 0x01; + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + + /* Decrypt the last block using the current mask */ + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, temp); + lw_xor_block_2_src(m, state.B, c, temp); + c += temp; + } else if (*mlen != 0) { + /* Pad and authenticate when the last block is aligned */ + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + state.B[0] ^= 0x01; + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, tag, c, DUMBO_TAG_SIZE); +} + +/** + * \brief Applies the Jumbo LFSR to the mask. + * + * \param out The output mask. + * \param in The input mask. + */ +static void jumbo_lfsr + (unsigned char out[SPONGENT176_STATE_SIZE], + const unsigned char in[SPONGENT176_STATE_SIZE]) +{ + unsigned char temp = + leftRotate1_8(in[0]) ^ (in[3] << 7) ^ (in[19] >> 7); + unsigned index; + for (index = 0; index < SPONGENT176_STATE_SIZE - 1; ++index) + out[index] = in[index + 1]; + out[SPONGENT176_STATE_SIZE - 1] = temp; +} + +/** + * \brief Processes the nonce and associated data for Jumbo. + * + * \param state Points to the Spongent-pi[170] state. + * \param mask Points to the initial mask value. + * \param next Points to the next mask value. + * \param tag Points to the ongoing tag that is being computed. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void jumbo_process_ad + (spongent176_state_t *state, + unsigned char mask[SPONGENT176_STATE_SIZE], + unsigned char next[SPONGENT176_STATE_SIZE], + unsigned char tag[JUMBO_TAG_SIZE], + const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned posn, size; + + /* We need the "previous" and "next" masks in each step. + * Compare the first such values */ + jumbo_lfsr(next, mask); + jumbo_lfsr(next, next); + + /* Absorb the nonce into the state */ + lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); + lw_xor_block(state->B, npub, JUMBO_NONCE_SIZE); + + /* Absorb the rest of the associated data */ + posn = JUMBO_NONCE_SIZE; + while (adlen > 0) { + size = SPONGENT176_STATE_SIZE - posn; + if (size <= adlen) { + /* Process a complete block */ + lw_xor_block(state->B + posn, ad, size); + spongent176_permute(state); + lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state->B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); + jumbo_lfsr(mask, mask); + jumbo_lfsr(next, next); + lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); + posn = 0; + } else { + /* Process the partial block at the end of the associated data */ + size = (unsigned)adlen; + lw_xor_block(state->B + posn, ad, size); + posn += size; + } + ad += size; + adlen -= size; + } + + /* Pad and absorb the final block */ + state->B[posn] ^= 0x01; + spongent176_permute(state); + lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state->B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); +} + +int jumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + spongent176_state_t state; + unsigned char start[SPONGENT176_STATE_SIZE]; + unsigned char mask[SPONGENT176_STATE_SIZE]; + unsigned char next[SPONGENT176_STATE_SIZE]; + unsigned char tag[JUMBO_TAG_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + JUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, JUMBO_KEY_SIZE); + memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); + spongent176_permute(&state); + memcpy(mask, state.B, JUMBO_KEY_SIZE); + memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Encrypt and authenticate the payload */ + while (mlen >= SPONGENT176_STATE_SIZE) { + /* Encrypt using the current mask */ + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, m, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + memcpy(c, state.B, SPONGENT176_STATE_SIZE); + + /* Authenticate using the next mask */ + jumbo_lfsr(next, mask); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT176_STATE_SIZE); + c += SPONGENT176_STATE_SIZE; + m += SPONGENT176_STATE_SIZE; + mlen -= SPONGENT176_STATE_SIZE; + } + if (mlen > 0) { + /* Encrypt the last block using the current mask */ + unsigned temp = (unsigned)mlen; + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, m, temp); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + memcpy(c, state.B, temp); + + /* Authenticate the last block using the next mask */ + jumbo_lfsr(next, mask); + state.B[temp] = 0x01; + memset(state.B + temp + 1, 0, SPONGENT176_STATE_SIZE - temp - 1); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + c += temp; + } else if (*clen != JUMBO_TAG_SIZE) { + /* Pad and authenticate when the last block is aligned */ + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + state.B[0] ^= 0x01; + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + } + + /* Generate the authentication tag */ + memcpy(c, tag, JUMBO_TAG_SIZE); + return 0; +} + +int jumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + spongent176_state_t state; + unsigned char *mtemp = m; + unsigned char start[SPONGENT176_STATE_SIZE]; + unsigned char mask[SPONGENT176_STATE_SIZE]; + unsigned char next[SPONGENT176_STATE_SIZE]; + unsigned char tag[JUMBO_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < JUMBO_TAG_SIZE) + return -1; + *mlen = clen - JUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, JUMBO_KEY_SIZE); + memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); + spongent176_permute(&state); + memcpy(mask, state.B, JUMBO_KEY_SIZE); + memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Decrypt and authenticate the payload */ + clen -= JUMBO_TAG_SIZE; + while (clen >= SPONGENT176_STATE_SIZE) { + /* Authenticate using the next mask */ + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, c, SPONGENT176_STATE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + + /* Decrypt using the current mask */ + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block_2_src(m, state.B, c, SPONGENT176_STATE_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT176_STATE_SIZE); + c += SPONGENT176_STATE_SIZE; + m += SPONGENT176_STATE_SIZE; + clen -= SPONGENT176_STATE_SIZE; + } + if (clen > 0) { + /* Authenticate the last block using the next mask */ + unsigned temp = (unsigned)clen; + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, c, temp); + state.B[temp] ^= 0x01; + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + + /* Decrypt the last block using the current mask */ + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, temp); + lw_xor_block_2_src(m, state.B, c, temp); + c += temp; + } else if (*mlen != 0) { + /* Pad and authenticate when the last block is aligned */ + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + state.B[0] ^= 0x01; + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, tag, c, JUMBO_TAG_SIZE); +} + +/** + * \brief Applies the Delirium LFSR to the mask. + * + * \param out The output mask. + * \param in The input mask. + */ +static void delirium_lfsr + (unsigned char out[KECCAKP_200_STATE_SIZE], + const unsigned char in[KECCAKP_200_STATE_SIZE]) +{ + unsigned char temp = + leftRotate1_8(in[0]) ^ leftRotate1_8(in[2]) ^ (in[13] << 1); + unsigned index; + for (index = 0; index < KECCAKP_200_STATE_SIZE - 1; ++index) + out[index] = in[index + 1]; + out[KECCAKP_200_STATE_SIZE - 1] = temp; +} + +/** + * \brief Processes the nonce and associated data for Delirium. + * + * \param state Points to the Keccak[200] state. + * \param mask Points to the initial mask value. + * \param next Points to the next mask value. + * \param tag Points to the ongoing tag that is being computed. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void delirium_process_ad + (keccakp_200_state_t *state, + unsigned char mask[KECCAKP_200_STATE_SIZE], + unsigned char next[KECCAKP_200_STATE_SIZE], + unsigned char tag[DELIRIUM_TAG_SIZE], + const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned posn, size; + + /* We need the "previous" and "next" masks in each step. + * Compare the first such values */ + delirium_lfsr(next, mask); + delirium_lfsr(next, next); + + /* Absorb the nonce into the state */ + lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); + lw_xor_block(state->B, npub, DELIRIUM_NONCE_SIZE); + + /* Absorb the rest of the associated data */ + posn = DELIRIUM_NONCE_SIZE; + while (adlen > 0) { + size = KECCAKP_200_STATE_SIZE - posn; + if (size <= adlen) { + /* Process a complete block */ + lw_xor_block(state->B + posn, ad, size); + keccakp_200_permute(state, 18); + lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); + delirium_lfsr(mask, mask); + delirium_lfsr(next, next); + lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); + posn = 0; + } else { + /* Process the partial block at the end of the associated data */ + size = (unsigned)adlen; + lw_xor_block(state->B + posn, ad, size); + posn += size; + } + ad += size; + adlen -= size; + } + + /* Pad and absorb the final block */ + state->B[posn] ^= 0x01; + keccakp_200_permute(state, 18); + lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); +} + +int delirium_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + keccakp_200_state_t state; + unsigned char start[KECCAKP_200_STATE_SIZE]; + unsigned char mask[KECCAKP_200_STATE_SIZE]; + unsigned char next[KECCAKP_200_STATE_SIZE]; + unsigned char tag[DELIRIUM_TAG_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DELIRIUM_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DELIRIUM_KEY_SIZE); + memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE); + keccakp_200_permute(&state, 18); + memcpy(mask, state.B, DELIRIUM_KEY_SIZE); + memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + delirium_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Encrypt and authenticate the payload */ + while (mlen >= KECCAKP_200_STATE_SIZE) { + /* Encrypt using the current mask */ + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, m, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + memcpy(c, state.B, KECCAKP_200_STATE_SIZE); + + /* Authenticate using the next mask */ + delirium_lfsr(next, mask); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, KECCAKP_200_STATE_SIZE); + c += KECCAKP_200_STATE_SIZE; + m += KECCAKP_200_STATE_SIZE; + mlen -= KECCAKP_200_STATE_SIZE; + } + if (mlen > 0) { + /* Encrypt the last block using the current mask */ + unsigned temp = (unsigned)mlen; + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, m, temp); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + memcpy(c, state.B, temp); + + /* Authenticate the last block using the next mask */ + delirium_lfsr(next, mask); + state.B[temp] = 0x01; + memset(state.B + temp + 1, 0, KECCAKP_200_STATE_SIZE - temp - 1); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + c += temp; + } else if (*clen != DELIRIUM_TAG_SIZE) { + /* Pad and authenticate when the last block is aligned */ + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + state.B[0] ^= 0x01; + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + } + + /* Generate the authentication tag */ + memcpy(c, tag, DELIRIUM_TAG_SIZE); + return 0; +} + +int delirium_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + keccakp_200_state_t state; + unsigned char *mtemp = m; + unsigned char start[KECCAKP_200_STATE_SIZE]; + unsigned char mask[KECCAKP_200_STATE_SIZE]; + unsigned char next[KECCAKP_200_STATE_SIZE]; + unsigned char tag[DELIRIUM_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DELIRIUM_TAG_SIZE) + return -1; + *mlen = clen - DELIRIUM_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DELIRIUM_KEY_SIZE); + memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE); + keccakp_200_permute(&state, 18); + memcpy(mask, state.B, DELIRIUM_KEY_SIZE); + memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + delirium_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Decrypt and authenticate the payload */ + clen -= DELIRIUM_TAG_SIZE; + while (clen >= KECCAKP_200_STATE_SIZE) { + /* Authenticate using the next mask */ + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, c, KECCAKP_200_STATE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + + /* Decrypt using the current mask */ + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block_2_src(m, state.B, c, KECCAKP_200_STATE_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, KECCAKP_200_STATE_SIZE); + c += KECCAKP_200_STATE_SIZE; + m += KECCAKP_200_STATE_SIZE; + clen -= KECCAKP_200_STATE_SIZE; + } + if (clen > 0) { + /* Authenticate the last block using the next mask */ + unsigned temp = (unsigned)clen; + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, c, temp); + state.B[temp] ^= 0x01; + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + + /* Decrypt the last block using the current mask */ + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, temp); + lw_xor_block_2_src(m, state.B, c, temp); + c += temp; + } else if (*mlen != 0) { + /* Pad and authenticate when the last block is aligned */ + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + state.B[0] ^= 0x01; + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, tag, c, DELIRIUM_TAG_SIZE); +} diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.h new file mode 100644 index 0000000..f775e3d --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.h @@ -0,0 +1,291 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ELEPHANT_H +#define LWCRYPTO_ELEPHANT_H + +#include "aead-common.h" + +/** + * \file elephant.h + * \brief Elephant authenticated encryption algorithm family. + * + * Elephant is a family of authenticated encryption algorithms based + * around the Spongent-pi and Keccak permutations. + * + * \li Dumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication + * tag. It is based around the Spongent-pi[160] permutation. This is + * the primary member of the family. + * \li Jumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication + * tag. It is based around the Spongent-pi[176] permutation. + * \li Delirium has a 128-bit key, a 96-bit nonce, and a 128-bit authentication + * tag. It is based around the Keccak[200] permutation. + * + * References: https://www.esat.kuleuven.be/cosic/elephant/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Dumbo. + */ +#define DUMBO_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Dumbo. + */ +#define DUMBO_TAG_SIZE 8 + +/** + * \brief Size of the nonce for Dumbo. + */ +#define DUMBO_NONCE_SIZE 12 + +/** + * \brief Size of the key for Jumbo. + */ +#define JUMBO_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Jumbo. + */ +#define JUMBO_TAG_SIZE 8 + +/** + * \brief Size of the nonce for Jumbo. + */ +#define JUMBO_NONCE_SIZE 12 + +/** + * \brief Size of the key for Delirium. + */ +#define DELIRIUM_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Delirium. + */ +#define DELIRIUM_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Delirium. + */ +#define DELIRIUM_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Dumbo cipher. + */ +extern aead_cipher_t const dumbo_cipher; + +/** + * \brief Meta-information block for the Jumbo cipher. + */ +extern aead_cipher_t const jumbo_cipher; + +/** + * \brief Meta-information block for the Delirium cipher. + */ +extern aead_cipher_t const delirium_cipher; + +/** + * \brief Encrypts and authenticates a packet with Dumbo. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa dumbo_aead_decrypt() + */ +int dumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Dumbo. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa dumbo_aead_encrypt() + */ +int dumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Jumbo. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa jumbo_aead_decrypt() + */ +int jumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Jumbo. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa jumbo_aead_encrypt() + */ +int jumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Delirium. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa delirium_aead_decrypt() + */ +int delirium_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Delirium. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa delirium_aead_encrypt() + */ +int delirium_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/encrypt.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys/encrypt.c new file mode 100644 index 0000000..df2a4b5 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "elephant.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return dumbo_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return dumbo_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.c new file mode 100644 index 0000000..c3c4011 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.c @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-keccak.h" + +/* Faster method to compute ((x + y) % 5) that avoids the division */ +static unsigned char const addMod5Table[9] = { + 0, 1, 2, 3, 4, 0, 1, 2, 3 +}; +#define addMod5(x, y) (addMod5Table[(x) + (y)]) + +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +{ + static uint8_t const RC[18] = { + 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, + 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, + 0x02, 0x80 + }; + uint8_t B[5][5]; + uint8_t D; + unsigned round; + unsigned index, index2; + for (round = 18 - rounds; round < 18; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_8(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate4_8(state->A[0][3]); + B[2][0] = leftRotate1_8(state->A[0][1]); + B[3][0] = leftRotate3_8(state->A[0][4]); + B[4][0] = leftRotate6_8(state->A[0][2]); + B[0][1] = leftRotate4_8(state->A[1][1]); + B[1][1] = leftRotate4_8(state->A[1][4]); + B[2][1] = leftRotate6_8(state->A[1][2]); + B[3][1] = leftRotate4_8(state->A[1][0]); + B[4][1] = leftRotate7_8(state->A[1][3]); + B[0][2] = leftRotate3_8(state->A[2][2]); + B[1][2] = leftRotate3_8(state->A[2][0]); + B[2][2] = leftRotate1_8(state->A[2][3]); + B[3][2] = leftRotate2_8(state->A[2][1]); + B[4][2] = leftRotate7_8(state->A[2][4]); + B[0][3] = leftRotate5_8(state->A[3][3]); + B[1][3] = leftRotate5_8(state->A[3][1]); + B[2][3] = state->A[3][4]; + B[3][3] = leftRotate7_8(state->A[3][2]); + B[4][3] = leftRotate1_8(state->A[3][0]); + B[0][4] = leftRotate6_8(state->A[4][4]); + B[1][4] = leftRotate5_8(state->A[4][2]); + B[2][4] = leftRotate2_8(state->A[4][0]); + B[3][4] = state->A[4][3]; + B[4][4] = leftRotate2_8(state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define keccakp_400_permute_host keccakp_400_permute +#endif + +/* Keccak-p[400] that assumes that the input is already in host byte order */ +void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) +{ + static uint16_t const RC[20] = { + 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, + 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, + 0x8002, 0x0080, 0x800A, 0x000A + }; + uint16_t B[5][5]; + uint16_t D; + unsigned round; + unsigned index, index2; + for (round = 20 - rounds; round < 20; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_16(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate12_16(state->A[0][3]); + B[2][0] = leftRotate1_16 (state->A[0][1]); + B[3][0] = leftRotate11_16(state->A[0][4]); + B[4][0] = leftRotate14_16(state->A[0][2]); + B[0][1] = leftRotate12_16(state->A[1][1]); + B[1][1] = leftRotate4_16 (state->A[1][4]); + B[2][1] = leftRotate6_16 (state->A[1][2]); + B[3][1] = leftRotate4_16 (state->A[1][0]); + B[4][1] = leftRotate7_16 (state->A[1][3]); + B[0][2] = leftRotate11_16(state->A[2][2]); + B[1][2] = leftRotate3_16 (state->A[2][0]); + B[2][2] = leftRotate9_16 (state->A[2][3]); + B[3][2] = leftRotate10_16(state->A[2][1]); + B[4][2] = leftRotate7_16 (state->A[2][4]); + B[0][3] = leftRotate5_16 (state->A[3][3]); + B[1][3] = leftRotate13_16(state->A[3][1]); + B[2][3] = leftRotate8_16 (state->A[3][4]); + B[3][3] = leftRotate15_16(state->A[3][2]); + B[4][3] = leftRotate9_16 (state->A[3][0]); + B[0][4] = leftRotate14_16(state->A[4][4]); + B[1][4] = leftRotate13_16(state->A[4][2]); + B[2][4] = leftRotate2_16 (state->A[4][0]); + B[3][4] = leftRotate8_16 (state->A[4][3]); + B[4][4] = leftRotate2_16 (state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if !defined(LW_UTIL_LITTLE_ENDIAN) + +/** + * \brief Reverses the bytes in a Keccak-p[400] state. + * + * \param state The Keccak-p[400] state to apply byte-reversal to. + */ +static void keccakp_400_reverse_bytes(keccakp_400_state_t *state) +{ + unsigned index; + unsigned char temp1; + unsigned char temp2; + for (index = 0; index < 50; index += 2) { + temp1 = state->B[index]; + temp2 = state->B[index + 1]; + state->B[index] = temp2; + state->B[index + 1] = temp1; + } +} + +/* Keccak-p[400] that requires byte reversal on input and output */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) +{ + keccakp_400_reverse_bytes(state); + keccakp_400_permute_host(state, rounds); + keccakp_400_reverse_bytes(state); +} + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.h new file mode 100644 index 0000000..026da50 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KECCAK_H +#define LW_INTERNAL_KECCAK_H + +#include "internal-util.h" + +/** + * \file internal-keccak.h + * \brief Internal implementation of the Keccak-p permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for the Keccak-p[200] permutation. + */ +#define KECCAKP_200_STATE_SIZE 25 + +/** + * \brief Size of the state for the Keccak-p[400] permutation. + */ +#define KECCAKP_400_STATE_SIZE 50 + +/** + * \brief Structure of the internal state of the Keccak-p[200] permutation. + */ +typedef union +{ + uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ + uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ + +} keccakp_200_state_t; + +/** + * \brief Structure of the internal state of the Keccak-p[400] permutation. + */ +typedef union +{ + uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ + uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ + +} keccakp_400_state_t; + +/** + * \brief Permutes the Keccak-p[200] state. + * + * \param state The Keccak-p[200] state to be permuted. + * \param rounds The number of rounds to perform (up to 18). + */ +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); + +/** + * \brief Permutes the Keccak-p[400] state, which is assumed to be in + * little-endian byte order. + * + * \param state The Keccak-p[400] state to be permuted. + * \param rounds The number of rounds to perform (up to 20). + */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.c new file mode 100644 index 0000000..69a8ecb --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.c @@ -0,0 +1,346 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-spongent.h" + +/** + * \brief Applies the Spongent-pi S-box in parallel to the 8 nibbles + * of a 32-bit word. + * + * \param x3 The input values to the parallel S-boxes. + * + * \return The output values from the parallel S-boxes. + * + * Based on the bit-sliced S-box implementation from here: + * https://github.com/DadaIsCrazy/usuba/blob/master/data/sboxes/spongent.ua + * + * Note that spongent.ua numbers bits from highest to lowest, so x0 is the + * high bit of each nibble and x3 is the low bit. + */ +static uint32_t spongent_sbox(uint32_t x3) +{ + uint32_t q0, q1, q2, q3, t0, t1, t2, t3; + uint32_t x2 = (x3 >> 1); + uint32_t x1 = (x2 >> 1); + uint32_t x0 = (x1 >> 1); + q0 = x0 ^ x2; + q1 = x1 ^ x2; + t0 = q0 & q1; + q2 = ~(x0 ^ x1 ^ x3 ^ t0); + t1 = q2 & ~x0; + q3 = x1 ^ t1; + t2 = q3 & (q3 ^ x2 ^ x3 ^ t0); + t3 = (x2 ^ t0) & ~(x1 ^ t0); + q0 = x1 ^ x2 ^ x3 ^ t2; + q1 = x0 ^ x2 ^ x3 ^ t0 ^ t1; + q2 = x0 ^ x1 ^ x2 ^ t1; + q3 = x0 ^ x3 ^ t0 ^ t3; + return ((q0 << 3) & 0x88888888U) | ((q1 << 2) & 0x44444444U) | + ((q2 << 1) & 0x22222222U) | (q3 & 0x11111111U); +} + +void spongent160_permute(spongent160_state_t *state) +{ + static uint8_t const RC[] = { + /* Round constants for Spongent-pi[160] */ + 0x75, 0xae, 0x6a, 0x56, 0x54, 0x2a, 0x29, 0x94, + 0x53, 0xca, 0x27, 0xe4, 0x4f, 0xf2, 0x1f, 0xf8, + 0x3e, 0x7c, 0x7d, 0xbe, 0x7a, 0x5e, 0x74, 0x2e, + 0x68, 0x16, 0x50, 0x0a, 0x21, 0x84, 0x43, 0xc2, + 0x07, 0xe0, 0x0e, 0x70, 0x1c, 0x38, 0x38, 0x1c, + 0x71, 0x8e, 0x62, 0x46, 0x44, 0x22, 0x09, 0x90, + 0x12, 0x48, 0x24, 0x24, 0x49, 0x92, 0x13, 0xc8, + 0x26, 0x64, 0x4d, 0xb2, 0x1b, 0xd8, 0x36, 0x6c, + 0x6d, 0xb6, 0x5a, 0x5a, 0x35, 0xac, 0x6b, 0xd6, + 0x56, 0x6a, 0x2d, 0xb4, 0x5b, 0xda, 0x37, 0xec, + 0x6f, 0xf6, 0x5e, 0x7a, 0x3d, 0xbc, 0x7b, 0xde, + 0x76, 0x6e, 0x6c, 0x36, 0x58, 0x1a, 0x31, 0x8c, + 0x63, 0xc6, 0x46, 0x62, 0x0d, 0xb0, 0x1a, 0x58, + 0x34, 0x2c, 0x69, 0x96, 0x52, 0x4a, 0x25, 0xa4, + 0x4b, 0xd2, 0x17, 0xe8, 0x2e, 0x74, 0x5d, 0xba, + 0x3b, 0xdc, 0x77, 0xee, 0x6e, 0x76, 0x5c, 0x3a, + 0x39, 0x9c, 0x73, 0xce, 0x66, 0x66, 0x4c, 0x32, + 0x19, 0x98, 0x32, 0x4c, 0x65, 0xa6, 0x4a, 0x52, + 0x15, 0xa8, 0x2a, 0x54, 0x55, 0xaa, 0x2b, 0xd4, + 0x57, 0xea, 0x2f, 0xf4, 0x5f, 0xfa, 0x3f, 0xfc + }; + const uint8_t *rc = RC; + uint32_t x0, x1, x2, x3, x4; + uint32_t t0, t1, t2, t3, t4; + uint8_t round; + + /* Load the state into local variables and convert from little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = state->W[0]; + x1 = state->W[1]; + x2 = state->W[2]; + x3 = state->W[3]; + x4 = state->W[4]; +#else + x0 = le_load_word32(state->B); + x1 = le_load_word32(state->B + 4); + x2 = le_load_word32(state->B + 8); + x3 = le_load_word32(state->B + 12); + x4 = le_load_word32(state->B + 16); +#endif + + /* Perform the 80 rounds of Spongent-pi[160] */ + for (round = 0; round < 80; ++round, rc += 2) { + /* Add the round constant to front and back of the state */ + x0 ^= rc[0]; + x4 ^= ((uint32_t)(rc[1])) << 24; + + /* Apply the S-box to all 4-bit groups in the state */ + t0 = spongent_sbox(x0); + t1 = spongent_sbox(x1); + t2 = spongent_sbox(x2); + t3 = spongent_sbox(x3); + t4 = spongent_sbox(x4); + + /* Permute the bits of the state. Bit i is moved to (40 * i) % 159 + * for all bits except the last which is left where it is. + * BCP = bit copy, BUP = move bit up, BDN = move bit down */ + #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit))) + #define BUP(x, from, to) \ + (((x) << ((to) - (from))) & (((uint32_t)1) << (to))) + #define BDN(x, from, to) \ + (((x) >> ((from) - (to))) & (((uint32_t)1) << (to))) + x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ + BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ + BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ + BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ + BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ + BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ + BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ + BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ + BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ + BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ + BUP(t3, 24, 30) ^ BUP(t3, 28, 31); + x1 = BUP(t0, 1, 8) ^ BUP(t0, 5, 9) ^ BUP(t0, 9, 10) ^ + BDN(t0, 13, 11) ^ BDN(t0, 17, 12) ^ BDN(t0, 21, 13) ^ + BDN(t0, 25, 14) ^ BDN(t0, 29, 15) ^ BUP(t1, 1, 16) ^ + BUP(t1, 5, 17) ^ BUP(t1, 9, 18) ^ BUP(t1, 13, 19) ^ + BUP(t1, 17, 20) ^ BCP(t1, 21) ^ BDN(t1, 25, 22) ^ + BDN(t1, 29, 23) ^ BUP(t2, 1, 24) ^ BUP(t2, 5, 25) ^ + BUP(t2, 9, 26) ^ BUP(t2, 13, 27) ^ BUP(t2, 17, 28) ^ + BUP(t2, 21, 29) ^ BUP(t2, 25, 30) ^ BUP(t2, 29, 31) ^ + BCP(t4, 0) ^ BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ + BDN(t4, 12, 3) ^ BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ + BDN(t4, 24, 6) ^ BDN(t4, 28, 7); + x2 = BUP(t0, 2, 16) ^ BUP(t0, 6, 17) ^ BUP(t0, 10, 18) ^ + BUP(t0, 14, 19) ^ BUP(t0, 18, 20) ^ BDN(t0, 22, 21) ^ + BDN(t0, 26, 22) ^ BDN(t0, 30, 23) ^ BUP(t1, 2, 24) ^ + BUP(t1, 6, 25) ^ BUP(t1, 10, 26) ^ BUP(t1, 14, 27) ^ + BUP(t1, 18, 28) ^ BUP(t1, 22, 29) ^ BUP(t1, 26, 30) ^ + BUP(t1, 30, 31) ^ BDN(t3, 1, 0) ^ BDN(t3, 5, 1) ^ + BDN(t3, 9, 2) ^ BDN(t3, 13, 3) ^ BDN(t3, 17, 4) ^ + BDN(t3, 21, 5) ^ BDN(t3, 25, 6) ^ BDN(t3, 29, 7) ^ + BUP(t4, 1, 8) ^ BUP(t4, 5, 9) ^ BUP(t4, 9, 10) ^ + BDN(t4, 13, 11) ^ BDN(t4, 17, 12) ^ BDN(t4, 21, 13) ^ + BDN(t4, 25, 14) ^ BDN(t4, 29, 15); + x3 = BUP(t0, 3, 24) ^ BUP(t0, 7, 25) ^ BUP(t0, 11, 26) ^ + BUP(t0, 15, 27) ^ BUP(t0, 19, 28) ^ BUP(t0, 23, 29) ^ + BUP(t0, 27, 30) ^ BCP(t0, 31) ^ BDN(t2, 2, 0) ^ + BDN(t2, 6, 1) ^ BDN(t2, 10, 2) ^ BDN(t2, 14, 3) ^ + BDN(t2, 18, 4) ^ BDN(t2, 22, 5) ^ BDN(t2, 26, 6) ^ + BDN(t2, 30, 7) ^ BUP(t3, 2, 8) ^ BUP(t3, 6, 9) ^ + BCP(t3, 10) ^ BDN(t3, 14, 11) ^ BDN(t3, 18, 12) ^ + BDN(t3, 22, 13) ^ BDN(t3, 26, 14) ^ BDN(t3, 30, 15) ^ + BUP(t4, 2, 16) ^ BUP(t4, 6, 17) ^ BUP(t4, 10, 18) ^ + BUP(t4, 14, 19) ^ BUP(t4, 18, 20) ^ BDN(t4, 22, 21) ^ + BDN(t4, 26, 22) ^ BDN(t4, 30, 23); + x4 = BDN(t1, 3, 0) ^ BDN(t1, 7, 1) ^ BDN(t1, 11, 2) ^ + BDN(t1, 15, 3) ^ BDN(t1, 19, 4) ^ BDN(t1, 23, 5) ^ + BDN(t1, 27, 6) ^ BDN(t1, 31, 7) ^ BUP(t2, 3, 8) ^ + BUP(t2, 7, 9) ^ BDN(t2, 11, 10) ^ BDN(t2, 15, 11) ^ + BDN(t2, 19, 12) ^ BDN(t2, 23, 13) ^ BDN(t2, 27, 14) ^ + BDN(t2, 31, 15) ^ BUP(t3, 3, 16) ^ BUP(t3, 7, 17) ^ + BUP(t3, 11, 18) ^ BUP(t3, 15, 19) ^ BUP(t3, 19, 20) ^ + BDN(t3, 23, 21) ^ BDN(t3, 27, 22) ^ BDN(t3, 31, 23) ^ + BUP(t4, 3, 24) ^ BUP(t4, 7, 25) ^ BUP(t4, 11, 26) ^ + BUP(t4, 15, 27) ^ BUP(t4, 19, 28) ^ BUP(t4, 23, 29) ^ + BUP(t4, 27, 30) ^ BCP(t4, 31); + } + + /* Store the local variables back to the state in little-endian order */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = x0; + state->W[1] = x1; + state->W[2] = x2; + state->W[3] = x3; + state->W[4] = x4; +#else + le_store_word32(state->B, x0); + le_store_word32(state->B + 4, x1); + le_store_word32(state->B + 8, x2); + le_store_word32(state->B + 12, x3); + le_store_word32(state->B + 16, x4); +#endif +} + +void spongent176_permute(spongent176_state_t *state) +{ + static uint8_t const RC[] = { + /* Round constants for Spongent-pi[176] */ + 0x45, 0xa2, 0x0b, 0xd0, 0x16, 0x68, 0x2c, 0x34, + 0x59, 0x9a, 0x33, 0xcc, 0x67, 0xe6, 0x4e, 0x72, + 0x1d, 0xb8, 0x3a, 0x5c, 0x75, 0xae, 0x6a, 0x56, + 0x54, 0x2a, 0x29, 0x94, 0x53, 0xca, 0x27, 0xe4, + 0x4f, 0xf2, 0x1f, 0xf8, 0x3e, 0x7c, 0x7d, 0xbe, + 0x7a, 0x5e, 0x74, 0x2e, 0x68, 0x16, 0x50, 0x0a, + 0x21, 0x84, 0x43, 0xc2, 0x07, 0xe0, 0x0e, 0x70, + 0x1c, 0x38, 0x38, 0x1c, 0x71, 0x8e, 0x62, 0x46, + 0x44, 0x22, 0x09, 0x90, 0x12, 0x48, 0x24, 0x24, + 0x49, 0x92, 0x13, 0xc8, 0x26, 0x64, 0x4d, 0xb2, + 0x1b, 0xd8, 0x36, 0x6c, 0x6d, 0xb6, 0x5a, 0x5a, + 0x35, 0xac, 0x6b, 0xd6, 0x56, 0x6a, 0x2d, 0xb4, + 0x5b, 0xda, 0x37, 0xec, 0x6f, 0xf6, 0x5e, 0x7a, + 0x3d, 0xbc, 0x7b, 0xde, 0x76, 0x6e, 0x6c, 0x36, + 0x58, 0x1a, 0x31, 0x8c, 0x63, 0xc6, 0x46, 0x62, + 0x0d, 0xb0, 0x1a, 0x58, 0x34, 0x2c, 0x69, 0x96, + 0x52, 0x4a, 0x25, 0xa4, 0x4b, 0xd2, 0x17, 0xe8, + 0x2e, 0x74, 0x5d, 0xba, 0x3b, 0xdc, 0x77, 0xee, + 0x6e, 0x76, 0x5c, 0x3a, 0x39, 0x9c, 0x73, 0xce, + 0x66, 0x66, 0x4c, 0x32, 0x19, 0x98, 0x32, 0x4c, + 0x65, 0xa6, 0x4a, 0x52, 0x15, 0xa8, 0x2a, 0x54, + 0x55, 0xaa, 0x2b, 0xd4, 0x57, 0xea, 0x2f, 0xf4, + 0x5f, 0xfa, 0x3f, 0xfc + }; + const uint8_t *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5; + uint32_t t0, t1, t2, t3, t4, t5; + uint8_t round; + + /* Load the state into local variables and convert from little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = state->W[0]; + x1 = state->W[1]; + x2 = state->W[2]; + x3 = state->W[3]; + x4 = state->W[4]; + x5 = state->W[5]; +#else + x0 = le_load_word32(state->B); + x1 = le_load_word32(state->B + 4); + x2 = le_load_word32(state->B + 8); + x3 = le_load_word32(state->B + 12); + x4 = le_load_word32(state->B + 16); + x5 = le_load_word16(state->B + 20); /* Last word is only 16 bits */ +#endif + + /* Perform the 90 rounds of Spongent-pi[176] */ + for (round = 0; round < 90; ++round, rc += 2) { + /* Add the round constant to front and back of the state */ + x0 ^= rc[0]; + x5 ^= ((uint32_t)(rc[1])) << 8; + + /* Apply the S-box to all 4-bit groups in the state */ + t0 = spongent_sbox(x0); + t1 = spongent_sbox(x1); + t2 = spongent_sbox(x2); + t3 = spongent_sbox(x3); + t4 = spongent_sbox(x4); + t5 = spongent_sbox(x5); + + /* Permute the bits of the state. Bit i is moved to (44 * i) % 175 + * for all bits except the last which is left where it is. + * BCP = bit copy, BUP = move bit up, BDN = move bit down */ + x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ + BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ + BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ + BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ + BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ + BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ + BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ + BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ + BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ + BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ + BUP(t3, 24, 30) ^ BUP(t3, 28, 31); + x1 = BUP(t0, 1, 12) ^ BUP(t0, 5, 13) ^ BUP(t0, 9, 14) ^ + BUP(t0, 13, 15) ^ BDN(t0, 17, 16) ^ BDN(t0, 21, 17) ^ + BDN(t0, 25, 18) ^ BDN(t0, 29, 19) ^ BUP(t1, 1, 20) ^ + BUP(t1, 5, 21) ^ BUP(t1, 9, 22) ^ BUP(t1, 13, 23) ^ + BUP(t1, 17, 24) ^ BUP(t1, 21, 25) ^ BUP(t1, 25, 26) ^ + BDN(t1, 29, 27) ^ BUP(t2, 1, 28) ^ BUP(t2, 5, 29) ^ + BUP(t2, 9, 30) ^ BUP(t2, 13, 31) ^ BCP(t4, 0) ^ + BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ BDN(t4, 12, 3) ^ + BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ BDN(t4, 24, 6) ^ + BDN(t4, 28, 7) ^ BUP(t5, 0, 8) ^ BUP(t5, 4, 9) ^ + BUP(t5, 8, 10) ^ BDN(t5, 12, 11); + x2 = BUP(t0, 2, 24) ^ BUP(t0, 6, 25) ^ BUP(t0, 10, 26) ^ + BUP(t0, 14, 27) ^ BUP(t0, 18, 28) ^ BUP(t0, 22, 29) ^ + BUP(t0, 26, 30) ^ BUP(t0, 30, 31) ^ BDN(t2, 17, 0) ^ + BDN(t2, 21, 1) ^ BDN(t2, 25, 2) ^ BDN(t2, 29, 3) ^ + BUP(t3, 1, 4) ^ BCP(t3, 5) ^ BDN(t3, 9, 6) ^ + BDN(t3, 13, 7) ^ BDN(t3, 17, 8) ^ BDN(t3, 21, 9) ^ + BDN(t3, 25, 10) ^ BDN(t3, 29, 11) ^ BUP(t4, 1, 12) ^ + BUP(t4, 5, 13) ^ BUP(t4, 9, 14) ^ BUP(t4, 13, 15) ^ + BDN(t4, 17, 16) ^ BDN(t4, 21, 17) ^ BDN(t4, 25, 18) ^ + BDN(t4, 29, 19) ^ BUP(t5, 1, 20) ^ BUP(t5, 5, 21) ^ + BUP(t5, 9, 22) ^ BUP(t5, 13, 23); + x3 = BDN(t1, 2, 0) ^ BDN(t1, 6, 1) ^ BDN(t1, 10, 2) ^ + BDN(t1, 14, 3) ^ BDN(t1, 18, 4) ^ BDN(t1, 22, 5) ^ + BDN(t1, 26, 6) ^ BDN(t1, 30, 7) ^ BUP(t2, 2, 8) ^ + BUP(t2, 6, 9) ^ BCP(t2, 10) ^ BDN(t2, 14, 11) ^ + BDN(t2, 18, 12) ^ BDN(t2, 22, 13) ^ BDN(t2, 26, 14) ^ + BDN(t2, 30, 15) ^ BUP(t3, 2, 16) ^ BUP(t3, 6, 17) ^ + BUP(t3, 10, 18) ^ BUP(t3, 14, 19) ^ BUP(t3, 18, 20) ^ + BDN(t3, 22, 21) ^ BDN(t3, 26, 22) ^ BDN(t3, 30, 23) ^ + BUP(t4, 2, 24) ^ BUP(t4, 6, 25) ^ BUP(t4, 10, 26) ^ + BUP(t4, 14, 27) ^ BUP(t4, 18, 28) ^ BUP(t4, 22, 29) ^ + BUP(t4, 26, 30) ^ BUP(t4, 30, 31); + x4 = BUP(t0, 3, 4) ^ BDN(t0, 7, 5) ^ BDN(t0, 11, 6) ^ + BDN(t0, 15, 7) ^ BDN(t0, 19, 8) ^ BDN(t0, 23, 9) ^ + BDN(t0, 27, 10) ^ BDN(t0, 31, 11) ^ BUP(t1, 3, 12) ^ + BUP(t1, 7, 13) ^ BUP(t1, 11, 14) ^ BCP(t1, 15) ^ + BDN(t1, 19, 16) ^ BDN(t1, 23, 17) ^ BDN(t1, 27, 18) ^ + BDN(t1, 31, 19) ^ BUP(t2, 3, 20) ^ BUP(t2, 7, 21) ^ + BUP(t2, 11, 22) ^ BUP(t2, 15, 23) ^ BUP(t2, 19, 24) ^ + BUP(t2, 23, 25) ^ BDN(t2, 27, 26) ^ BDN(t2, 31, 27) ^ + BUP(t3, 3, 28) ^ BUP(t3, 7, 29) ^ BUP(t3, 11, 30) ^ + BUP(t3, 15, 31) ^ BDN(t5, 2, 0) ^ BDN(t5, 6, 1) ^ + BDN(t5, 10, 2) ^ BDN(t5, 14, 3); + x5 = BDN(t3, 19, 0) ^ BDN(t3, 23, 1) ^ BDN(t3, 27, 2) ^ + BDN(t3, 31, 3) ^ BUP(t4, 3, 4) ^ BDN(t4, 7, 5) ^ + BDN(t4, 11, 6) ^ BDN(t4, 15, 7) ^ BDN(t4, 19, 8) ^ + BDN(t4, 23, 9) ^ BDN(t4, 27, 10) ^ BDN(t4, 31, 11) ^ + BUP(t5, 3, 12) ^ BUP(t5, 7, 13) ^ BUP(t5, 11, 14) ^ + BCP(t5, 15); + } + + /* Store the local variables back to the state in little-endian order */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = x0; + state->W[1] = x1; + state->W[2] = x2; + state->W[3] = x3; + state->W[4] = x4; + state->W[5] = x5; +#else + le_store_word32(state->B, x0); + le_store_word32(state->B + 4, x1); + le_store_word32(state->B + 8, x2); + le_store_word32(state->B + 12, x3); + le_store_word32(state->B + 16, x4); + le_store_word16(state->B + 20, x5); /* Last word is only 16 bits */ +#endif +} diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.h new file mode 100644 index 0000000..bb9823f --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.h @@ -0,0 +1,91 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPONGENT_H +#define LW_INTERNAL_SPONGENT_H + +#include "internal-util.h" + +/** + * \file internal-spongent.h + * \brief Internal implementation of the Spongent-pi permutation. + * + * References: https://www.esat.kuleuven.be/cosic/elephant/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the Spongent-pi[160] state in bytes. + */ +#define SPONGENT160_STATE_SIZE 20 + +/** + * \brief Size of the Spongent-pi[176] state in bytes. + */ +#define SPONGENT176_STATE_SIZE 22 + +/** + * \brief Structure of the internal state of the Spongent-pi[160] permutation. + */ +typedef union +{ + uint32_t W[5]; /**< Spongent-pi[160] state as 32-bit words */ + uint8_t B[20]; /**< Spongent-pi[160] state as bytes */ + +} spongent160_state_t; + +/** + * \brief Structure of the internal state of the Spongent-pi[176] permutation. + * + * Note: The state is technically only 176 bits, but we increase it to + * 192 bits so that we can use 32-bit word operations to manipulate the + * state. The extra bits in the last word are fixed to zero. + */ +typedef union +{ + uint32_t W[6]; /**< Spongent-pi[176] state as 32-bit words */ + uint8_t B[24]; /**< Spongent-pi[176] state as bytes */ + +} spongent176_state_t; + +/** + * \brief Permutes the Spongent-pi[160] state. + * + * \param state The Spongent-pi[160] state to be permuted. + */ +void spongent160_permute(spongent160_state_t *state); + +/** + * \brief Permutes the Spongent-pi[176] state. + * + * \param state The Spongent-pi[176] state to be permuted. + */ +void spongent176_permute(spongent176_state_t *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-util.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant176v1/LWC_AEAD_KAT_128_96.txt b/elephant/Implementations/crypto_aead/elephant176v1/LWC_AEAD_KAT_128_96.txt new file mode 100644 index 0000000..3069a6b --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/LWC_AEAD_KAT_128_96.txt @@ -0,0 +1,7623 @@ +Count = 1 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = +CT = F9F52C3201D8EE81 + +Count = 2 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00 +CT = 56F0058E7C78EC2C + +Count = 3 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 0001 +CT = 79E9C6803C3417AD + +Count = 4 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102 +CT = 768E1F200B61C076 + +Count = 5 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00010203 +CT = DBC152B6ED0F8634 + +Count = 6 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 0001020304 +CT = 1564ED2EB9783366 + +Count = 7 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405 +CT = 5CE812FA41D357CF + +Count = 8 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00010203040506 +CT = FDE915DD1AD241D0 + +Count = 9 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 0001020304050607 +CT = 717CDC35B10DC35A + +Count = 10 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708 +CT = B9A245343D21BFF2 + +Count = 11 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00010203040506070809 +CT = 32A19787FF322F01 + +Count = 12 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A +CT = 74980ABB12C52562 + +Count = 13 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B +CT = 2E7A838B88A44924 + +Count = 14 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C +CT = D16E817692F67CF0 + +Count = 15 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D +CT = 961A4476E4552DB7 + +Count = 16 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E +CT = 2740B55EDFD9D4E3 + +Count = 17 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F +CT = E792EFD2456C6D1E + +Count = 18 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B04E2CAD1EE58029 + +Count = 19 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 72E6D9BD17795BB5 + +Count = 20 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 83A4F4BC8C32A7E7 + +Count = 21 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 50694A2CD9343BB4 + +Count = 22 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = F0C0DAEFE18C6BFD + +Count = 23 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 406A6DC888A7B6B5 + +Count = 24 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 6A8549B20113B476 + +Count = 25 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B7EFECA8ADD9CA53 + +Count = 26 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 4A894B808287767A + +Count = 27 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 93D71398484A7585 + +Count = 28 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 235A7E11AB5A2FE2 + +Count = 29 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 91C231087BF2FEC6 + +Count = 30 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 488B52477EC7A91B + +Count = 31 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 8EFC1861083FD51E + +Count = 32 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 7BAB5FC020140241 + +Count = 33 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = BC8A4531026641A2 + +Count = 34 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = +CT = FE2C92E25CDDEBE2A5 + +Count = 35 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00 +CT = FE8397CBE0A04BE008 + +Count = 36 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 0001 +CT = FEAC8E08EEE0071B89 + +Count = 37 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102 +CT = FEA3E9D14ED752CC52 + +Count = 38 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00010203 +CT = FE0EA69CD8313C8A10 + +Count = 39 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 0001020304 +CT = FEC0032340654B3F42 + +Count = 40 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405 +CT = FE898FDC949DE05BEB + +Count = 41 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00010203040506 +CT = FE288EDBB3C6E14DF4 + +Count = 42 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 0001020304050607 +CT = FEA41B125B6D3ECF7E + +Count = 43 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708 +CT = FE6CC58B5AE112B3D6 + +Count = 44 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00010203040506070809 +CT = FEE7C659E923012325 + +Count = 45 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A +CT = FEA1FFC4D5CEF62946 + +Count = 46 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B +CT = FEFB1D4DE554974500 + +Count = 47 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C +CT = FE04094F184EC570D4 + +Count = 48 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D +CT = FE437D8A1838662193 + +Count = 49 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E +CT = FEF2277B3003EAD8C7 + +Count = 50 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F +CT = FE32F521BC995F613A + +Count = 51 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FE6529E2C3C2D68C0D + +Count = 52 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEA78117D3CB4A5791 + +Count = 53 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FE56C33AD25001ABC3 + +Count = 54 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FE850E844205073790 + +Count = 55 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FE25A714813DBF67D9 + +Count = 56 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FE950DA3A65494BA91 + +Count = 57 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEBFE287DCDD20B852 + +Count = 58 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FE628822C671EAC677 + +Count = 59 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FE9FEE85EE5EB47A5E + +Count = 60 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FE46B0DDF6947979A1 + +Count = 61 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEF63DB07F776923C6 + +Count = 62 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FE44A5FF66A7C1F2E2 + +Count = 63 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FE9DEC9C29A2F4A53F + +Count = 64 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FE5B9BD60FD40CD93A + +Count = 65 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEAECC91AEFC270E65 + +Count = 66 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FE69ED8B5FDE554D86 + +Count = 67 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = +CT = FEC9C5D02385265671AA + +Count = 68 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00 +CT = FEC96AD50A395BF67307 + +Count = 69 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 0001 +CT = FEC945CCC9371BBA8886 + +Count = 70 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102 +CT = FEC94AAB10972CEF5F5D + +Count = 71 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00010203 +CT = FEC9E7E45D01CA81191F + +Count = 72 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 0001020304 +CT = FEC92941E2999EF6AC4D + +Count = 73 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405 +CT = FEC960CD1D4D665DC8E4 + +Count = 74 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00010203040506 +CT = FEC9C1CC1A6A3D5CDEFB + +Count = 75 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 0001020304050607 +CT = FEC94D59D38296835C71 + +Count = 76 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708 +CT = FEC985874A831AAF20D9 + +Count = 77 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00010203040506070809 +CT = FEC90E849830D8BCB02A + +Count = 78 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A +CT = FEC948BD050C354BBA49 + +Count = 79 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B +CT = FEC9125F8C3CAF2AD60F + +Count = 80 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C +CT = FEC9ED4B8EC1B578E3DB + +Count = 81 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D +CT = FEC9AA3F4BC1C3DBB29C + +Count = 82 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E +CT = FEC91B65BAE9F8574BC8 + +Count = 83 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC9DBB7E06562E2F235 + +Count = 84 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC98C6B231A396B1F02 + +Count = 85 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC94EC3D60A30F7C49E + +Count = 86 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC9BF81FB0BABBC38CC + +Count = 87 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC96C4C459BFEBAA49F + +Count = 88 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC9CCE5D558C602F4D6 + +Count = 89 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC97C4F627FAF29299E + +Count = 90 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC956A04605269D2B5D + +Count = 91 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC98BCAE31F8A575578 + +Count = 92 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC976AC4437A509E951 + +Count = 93 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC9AFF21C2F6FC4EAAE + +Count = 94 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC91F7F71A68CD4B0C9 + +Count = 95 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC9ADE73EBF5C7C61ED + +Count = 96 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC974AE5DF059493630 + +Count = 97 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC9B2D917D62FB14A35 + +Count = 98 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC9478E5077079A9D6A + +Count = 99 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC980AF4A8625E8DE89 + +Count = 100 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = +CT = FEC9411BC7AA32DC76BB7D + +Count = 101 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00 +CT = FEC941B4C2838EA1D6B9D0 + +Count = 102 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 0001 +CT = FEC9419BDB4080E19A4251 + +Count = 103 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102 +CT = FEC94194BC9920D6CF958A + +Count = 104 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00010203 +CT = FEC94139F3D4B630A1D3C8 + +Count = 105 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 0001020304 +CT = FEC941F7566B2E64D6669A + +Count = 106 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405 +CT = FEC941BEDA94FA9C7D0233 + +Count = 107 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00010203040506 +CT = FEC9411FDB93DDC77C142C + +Count = 108 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 0001020304050607 +CT = FEC941934E5A356CA396A6 + +Count = 109 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708 +CT = FEC9415B90C334E08FEA0E + +Count = 110 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00010203040506070809 +CT = FEC941D0931187229C7AFD + +Count = 111 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A +CT = FEC94196AA8CBBCF6B709E + +Count = 112 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B +CT = FEC941CC48058B550A1CD8 + +Count = 113 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C +CT = FEC941335C07764F58290C + +Count = 114 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D +CT = FEC9417428C27639FB784B + +Count = 115 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941C572335E0277811F + +Count = 116 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC94105A069D298C238E2 + +Count = 117 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941527CAAADC34BD5D5 + +Count = 118 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC94190D45FBDCAD70E49 + +Count = 119 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941619672BC519CF21B + +Count = 120 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941B25BCC2C049A6E48 + +Count = 121 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC94112F25CEF3C223E01 + +Count = 122 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941A258EBC85509E349 + +Count = 123 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC94188B7CFB2DCBDE18A + +Count = 124 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC94155DD6AA870779FAF + +Count = 125 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941A8BBCD805F292386 + +Count = 126 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC94171E5959895E42079 + +Count = 127 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941C168F81176F47A1E + +Count = 128 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC94173F0B708A65CAB3A + +Count = 129 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941AAB9D447A369FCE7 + +Count = 130 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC9416CCE9E61D59180E2 + +Count = 131 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC9419999D9C0FDBA57BD + +Count = 132 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC9415EB8C331DFC8145E + +Count = 133 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = +CT = FEC941479E83007EEF580F5C + +Count = 134 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00 +CT = FEC94147318629C292F80DF1 + +Count = 135 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 0001 +CT = FEC941471E9FEACCD2B4F670 + +Count = 136 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102 +CT = FEC9414711F8336CE5E121AB + +Count = 137 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00010203 +CT = FEC94147BCB77EFA038F67E9 + +Count = 138 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 0001020304 +CT = FEC941477212C16257F8D2BB + +Count = 139 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405 +CT = FEC941473B9E3EB6AF53B612 + +Count = 140 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00010203040506 +CT = FEC941479A9F3991F452A00D + +Count = 141 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 0001020304050607 +CT = FEC94147160AF0795F8D2287 + +Count = 142 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708 +CT = FEC94147DED46978D3A15E2F + +Count = 143 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00010203040506070809 +CT = FEC9414755D7BBCB11B2CEDC + +Count = 144 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A +CT = FEC9414713EE26F7FC45C4BF + +Count = 145 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B +CT = FEC94147490CAFC76624A8F9 + +Count = 146 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C +CT = FEC94147B618AD3A7C769D2D + +Count = 147 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D +CT = FEC94147F16C683A0AD5CC6A + +Count = 148 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E +CT = FEC94147403699123159353E + +Count = 149 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC9414780E4C39EABEC8CC3 + +Count = 150 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC94147D73800E1F06561F4 + +Count = 151 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941471590F5F1F9F9BA68 + +Count = 152 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC94147E4D2D8F062B2463A + +Count = 153 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC94147371F666037B4DA69 + +Count = 154 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC9414797B6F6A30F0C8A20 + +Count = 155 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC94147271C418466275768 + +Count = 156 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470DF365FEEF9355AB + +Count = 157 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC94147D099C0E443592B8E + +Count = 158 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941472DFF67CC6C0797A7 + +Count = 159 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC94147F4A13FD4A6CA9458 + +Count = 160 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC94147442C525D45DACE3F + +Count = 161 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC94147F6B41D4495721F1B + +Count = 162 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941472FFD7E0B904748C6 + +Count = 163 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC94147E98A342DE6BF34C3 + +Count = 164 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941471CDD738CCE94E39C + +Count = 165 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC94147DBFC697DECE6A07F + +Count = 166 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = +CT = FEC941470C278F4DD8B1E42763 + +Count = 167 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00 +CT = FEC941470C888A6464CC4425CE + +Count = 168 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 0001 +CT = FEC941470CA793A76A8C08DE4F + +Count = 169 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102 +CT = FEC941470CA8F47ECABB5D0994 + +Count = 170 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00010203 +CT = FEC941470C05BB335C5D334FD6 + +Count = 171 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 0001020304 +CT = FEC941470CCB1E8CC40944FA84 + +Count = 172 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405 +CT = FEC941470C82927310F1EF9E2D + +Count = 173 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00010203040506 +CT = FEC941470C23937437AAEE8832 + +Count = 174 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 0001020304050607 +CT = FEC941470CAF06BDDF01310AB8 + +Count = 175 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708 +CT = FEC941470C67D824DE8D1D7610 + +Count = 176 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00010203040506070809 +CT = FEC941470CECDBF66D4F0EE6E3 + +Count = 177 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A +CT = FEC941470CAAE26B51A2F9EC80 + +Count = 178 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B +CT = FEC941470CF000E261389880C6 + +Count = 179 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C +CT = FEC941470C0F14E09C22CAB512 + +Count = 180 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D +CT = FEC941470C4860259C5469E455 + +Count = 181 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CF93AD4B46FE51D01 + +Count = 182 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470C39E88E38F550A4FC + +Count = 183 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470C6E344D47AED949CB + +Count = 184 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CAC9CB857A7459257 + +Count = 185 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470C5DDE95563C0E6E05 + +Count = 186 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470C8E132BC66908F256 + +Count = 187 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470C2EBABB0551B0A21F + +Count = 188 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470C9E100C22389B7F57 + +Count = 189 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB4FF2858B12F7D94 + +Count = 190 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470C69958D421DE503B1 + +Count = 191 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470C94F32A6A32BBBF98 + +Count = 192 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470C4DAD7272F876BC67 + +Count = 193 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CFD201FFB1B66E600 + +Count = 194 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470C4FB850E2CBCE3724 + +Count = 195 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470C96F133ADCEFB60F9 + +Count = 196 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470C5086798BB8031CFC + +Count = 197 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CA5D13E2A9028CBA3 + +Count = 198 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470C62F024DBB25A8840 + +Count = 199 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = +CT = FEC941470CB8E24205EEF8093C08 + +Count = 200 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00 +CT = FEC941470CB84D472C5285A93EA5 + +Count = 201 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 0001 +CT = FEC941470CB8625EEF5CC5E5C524 + +Count = 202 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102 +CT = FEC941470CB86D3936FCF2B012FF + +Count = 203 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00010203 +CT = FEC941470CB8C0767B6A14DE54BD + +Count = 204 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 0001020304 +CT = FEC941470CB80ED3C4F240A9E1EF + +Count = 205 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405 +CT = FEC941470CB8475F3B26B8028546 + +Count = 206 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00010203040506 +CT = FEC941470CB8E65E3C01E3039359 + +Count = 207 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 0001020304050607 +CT = FEC941470CB86ACBF5E948DC11D3 + +Count = 208 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708 +CT = FEC941470CB8A2156CE8C4F06D7B + +Count = 209 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00010203040506070809 +CT = FEC941470CB82916BE5B06E3FD88 + +Count = 210 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A +CT = FEC941470CB86F2F2367EB14F7EB + +Count = 211 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B +CT = FEC941470CB835CDAA5771759BAD + +Count = 212 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C +CT = FEC941470CB8CAD9A8AA6B27AE79 + +Count = 213 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB88DAD6DAA1D84FF3E + +Count = 214 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB83CF79C822608066A + +Count = 215 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB8FC25C60EBCBDBF97 + +Count = 216 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB8ABF90571E73452A0 + +Count = 217 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB86951F061EEA8893C + +Count = 218 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB89813DD6075E3756E + +Count = 219 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB84BDE63F020E5E93D + +Count = 220 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB8EB77F333185DB974 + +Count = 221 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB85BDD44147176643C + +Count = 222 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB87132606EF8C266FF + +Count = 223 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB8AC58C574540818DA + +Count = 224 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB8513E625C7B56A4F3 + +Count = 225 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB888603A44B19BA70C + +Count = 226 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB838ED57CD528BFD6B + +Count = 227 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB88A7518D482232C4F + +Count = 228 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB8533C7B9B87167B92 + +Count = 229 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB8954B31BDF1EE0797 + +Count = 230 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB8601C761CD9C5D0C8 + +Count = 231 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB8A73D6CEDFBB7932B + +Count = 232 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = +CT = FEC941470CB85931CD20ED8103BD44 + +Count = 233 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00 +CT = FEC941470CB8599EC80951FCA3BFE9 + +Count = 234 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 0001 +CT = FEC941470CB859B1D1CA5FBCEF4468 + +Count = 235 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102 +CT = FEC941470CB859BEB613FF8BBA93B3 + +Count = 236 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00010203 +CT = FEC941470CB85913F95E696DD4D5F1 + +Count = 237 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 0001020304 +CT = FEC941470CB859DD5CE1F139A360A3 + +Count = 238 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405 +CT = FEC941470CB85994D01E25C108040A + +Count = 239 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00010203040506 +CT = FEC941470CB85935D119029A091215 + +Count = 240 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 0001020304050607 +CT = FEC941470CB859B944D0EA31D6909F + +Count = 241 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708 +CT = FEC941470CB859719A49EBBDFAEC37 + +Count = 242 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00010203040506070809 +CT = FEC941470CB859FA999B587FE97CC4 + +Count = 243 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A +CT = FEC941470CB859BCA00664921E76A7 + +Count = 244 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B +CT = FEC941470CB859E6428F54087F1AE1 + +Count = 245 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C +CT = FEC941470CB85919568DA9122D2F35 + +Count = 246 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB8595E2248A9648E7E72 + +Count = 247 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859EF78B9815F028726 + +Count = 248 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB8592FAAE30DC5B73EDB + +Count = 249 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859787620729E3ED3EC + +Count = 250 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859BADED56297A20870 + +Count = 251 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB8594B9CF8630CE9F422 + +Count = 252 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859985146F359EF6871 + +Count = 253 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB85938F8D63061573838 + +Count = 254 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB85988526117087CE570 + +Count = 255 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859A2BD456D81C8E7B3 + +Count = 256 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB8597FD7E0772D029996 + +Count = 257 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB85982B1475F025C25BF + +Count = 258 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB8595BEF1F47C8912640 + +Count = 259 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859EB6272CE2B817C27 + +Count = 260 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB85959FA3DD7FB29AD03 + +Count = 261 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB85980B35E98FE1CFADE + +Count = 262 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB85946C414BE88E486DB + +Count = 263 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859B393531FA0CF5184 + +Count = 264 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB85974B249EE82BD1267 + +Count = 265 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = +CT = FEC941470CB859D7A1F29672CF3310E0 + +Count = 266 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00 +CT = FEC941470CB859D70EF7BFCEB293124D + +Count = 267 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 0001 +CT = FEC941470CB859D721EE7CC0F2DFE9CC + +Count = 268 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102 +CT = FEC941470CB859D72E89A560C58A3E17 + +Count = 269 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00010203 +CT = FEC941470CB859D783C6E8F623E47855 + +Count = 270 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 0001020304 +CT = FEC941470CB859D74D63576E7793CD07 + +Count = 271 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405 +CT = FEC941470CB859D704EFA8BA8F38A9AE + +Count = 272 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00010203040506 +CT = FEC941470CB859D7A5EEAF9DD439BFB1 + +Count = 273 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 0001020304050607 +CT = FEC941470CB859D7297B66757FE63D3B + +Count = 274 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708 +CT = FEC941470CB859D7E1A5FF74F3CA4193 + +Count = 275 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00010203040506070809 +CT = FEC941470CB859D76AA62DC731D9D160 + +Count = 276 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A +CT = FEC941470CB859D72C9FB0FBDC2EDB03 + +Count = 277 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B +CT = FEC941470CB859D7767D39CB464FB745 + +Count = 278 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D789693B365C1D8291 + +Count = 279 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D7CE1DFE362ABED3D6 + +Count = 280 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D77F470F1E11322A82 + +Count = 281 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D7BF9555928B87937F + +Count = 282 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D7E84996EDD00E7E48 + +Count = 283 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D72AE163FDD992A5D4 + +Count = 284 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D7DBA34EFC42D95986 + +Count = 285 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D7086EF06C17DFC5D5 + +Count = 286 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D7A8C760AF2F67959C + +Count = 287 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D7186DD788464C48D4 + +Count = 288 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D73282F3F2CFF84A17 + +Count = 289 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D7EFE856E863323432 + +Count = 290 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D7128EF1C04C6C881B + +Count = 291 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D7CBD0A9D886A18BE4 + +Count = 292 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D77B5DC45165B1D183 + +Count = 293 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D7C9C58B48B51900A7 + +Count = 294 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D7108CE807B02C577A + +Count = 295 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D7D6FBA221C6D42B7F + +Count = 296 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D723ACE580EEFFFC20 + +Count = 297 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D7E48DFF71CC8DBFC3 + +Count = 298 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = +CT = FEC941470CB859D7354BDE6B3DDA94AA48 + +Count = 299 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00 +CT = FEC941470CB859D735E4DB4281A734A8E5 + +Count = 300 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 0001 +CT = FEC941470CB859D735CBC2818FE7785364 + +Count = 301 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102 +CT = FEC941470CB859D735C4A5582FD02D84BF + +Count = 302 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00010203 +CT = FEC941470CB859D73569EA15B93643C2FD + +Count = 303 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 0001020304 +CT = FEC941470CB859D735A74FAA21623477AF + +Count = 304 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405 +CT = FEC941470CB859D735EEC355F59A9F1306 + +Count = 305 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00010203040506 +CT = FEC941470CB859D7354FC252D2C19E0519 + +Count = 306 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 0001020304050607 +CT = FEC941470CB859D735C3579B3A6A418793 + +Count = 307 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708 +CT = FEC941470CB859D7350B89023BE66DFB3B + +Count = 308 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00010203040506070809 +CT = FEC941470CB859D735808AD088247E6BC8 + +Count = 309 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A +CT = FEC941470CB859D735C6B34DB4C98961AB + +Count = 310 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B +CT = FEC941470CB859D7359C51C48453E80DED + +Count = 311 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D7356345C67949BA3839 + +Count = 312 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735243103793F19697E + +Count = 313 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735956BF2510495902A + +Count = 314 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D73555B9A8DD9E2029D7 + +Count = 315 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D73502656BA2C5A9C4E0 + +Count = 316 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735C0CD9EB2CC351F7C + +Count = 317 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735318FB3B3577EE32E + +Count = 318 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735E2420D2302787F7D + +Count = 319 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D73542EB9DE03AC02F34 + +Count = 320 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735F2412AC753EBF27C + +Count = 321 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735D8AE0EBDDA5FF0BF + +Count = 322 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D73505C4ABA776958E9A + +Count = 323 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735F8A20C8F59CB32B3 + +Count = 324 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D73521FC54979306314C + +Count = 325 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D7359171391E70166B2B + +Count = 326 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D73523E97607A0BEBA0F + +Count = 327 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735FAA01548A58BEDD2 + +Count = 328 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D7353CD75F6ED37391D7 + +Count = 329 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735C98018CFFB584688 + +Count = 330 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D7350EA1023ED92A056B + +Count = 331 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = +CT = FEC941470CB859D735256D1107BAA5D56B3C + +Count = 332 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00 +CT = FEC941470CB859D73525C2142E06D8756991 + +Count = 333 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 0001 +CT = FEC941470CB859D73525ED0DED0898399210 + +Count = 334 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102 +CT = FEC941470CB859D73525E26A34A8AF6C45CB + +Count = 335 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00010203 +CT = FEC941470CB859D735254F25793E49020389 + +Count = 336 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 0001020304 +CT = FEC941470CB859D735258180C6A61D75B6DB + +Count = 337 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405 +CT = FEC941470CB859D73525C80C3972E5DED272 + +Count = 338 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00010203040506 +CT = FEC941470CB859D73525690D3E55BEDFC46D + +Count = 339 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 0001020304050607 +CT = FEC941470CB859D73525E598F7BD150046E7 + +Count = 340 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708 +CT = FEC941470CB859D735252D466EBC992C3A4F + +Count = 341 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00010203040506070809 +CT = FEC941470CB859D73525A645BC0F5B3FAABC + +Count = 342 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A +CT = FEC941470CB859D73525E07C2133B6C8A0DF + +Count = 343 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B +CT = FEC941470CB859D73525BA9EA8032CA9CC99 + +Count = 344 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D73525458AAAFE36FBF94D + +Count = 345 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D7352502FE6FFE4058A80A + +Count = 346 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D73525B3A49ED67BD4515E + +Count = 347 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735257376C45AE161E8A3 + +Count = 348 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D7352524AA0725BAE80594 + +Count = 349 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D73525E602F235B374DE08 + +Count = 350 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735251740DF34283F225A + +Count = 351 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D73525C48D61A47D39BE09 + +Count = 352 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735256424F1674581EE40 + +Count = 353 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D73525D48E46402CAA3308 + +Count = 354 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D73525FE61623AA51E31CB + +Count = 355 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D73525230BC72009D44FEE + +Count = 356 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D73525DE6D6008268AF3C7 + +Count = 357 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D7352507333810EC47F038 + +Count = 358 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D73525B7BE55990F57AA5F + +Count = 359 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D7352505261A80DFFF7B7B + +Count = 360 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D73525DC6F79CFDACA2CA6 + +Count = 361 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735251A1833E9AC3250A3 + +Count = 362 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D73525EF4F7448841987FC + +Count = 363 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D73525286E6EB9A66BC41F + +Count = 364 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = +CT = FEC941470CB859D735255BFCFBA78DDD0631FE + +Count = 365 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00 +CT = FEC941470CB859D735255B53FE8E31A0A63353 + +Count = 366 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 0001 +CT = FEC941470CB859D735255B7CE74D3FE0EAC8D2 + +Count = 367 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102 +CT = FEC941470CB859D735255B7380949FD7BF1F09 + +Count = 368 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00010203 +CT = FEC941470CB859D735255BDECFD90931D1594B + +Count = 369 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 0001020304 +CT = FEC941470CB859D735255B106A669165A6EC19 + +Count = 370 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405 +CT = FEC941470CB859D735255B59E699459D0D88B0 + +Count = 371 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00010203040506 +CT = FEC941470CB859D735255BF8E79E62C60C9EAF + +Count = 372 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 0001020304050607 +CT = FEC941470CB859D735255B7472578A6DD31C25 + +Count = 373 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708 +CT = FEC941470CB859D735255BBCACCE8BE1FF608D + +Count = 374 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00010203040506070809 +CT = FEC941470CB859D735255B37AF1C3823ECF07E + +Count = 375 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A +CT = FEC941470CB859D735255B71968104CE1BFA1D + +Count = 376 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B2B740834547A965B + +Count = 377 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255BD4600AC94E28A38F + +Count = 378 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B9314CFC9388BF2C8 + +Count = 379 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B224E3EE103070B9C + +Count = 380 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255BE29C646D99B2B261 + +Count = 381 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255BB540A712C23B5F56 + +Count = 382 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B77E85202CBA784CA + +Count = 383 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B86AA7F0350EC7898 + +Count = 384 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B5567C19305EAE4CB + +Count = 385 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255BF5CE51503D52B482 + +Count = 386 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B4564E677547969CA + +Count = 387 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B6F8BC20DDDCD6B09 + +Count = 388 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255BB2E167177107152C + +Count = 389 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B4F87C03F5E59A905 + +Count = 390 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B96D998279494AAFA + +Count = 391 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B2654F5AE7784F09D + +Count = 392 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B94CCBAB7A72C21B9 + +Count = 393 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B4D85D9F8A2197664 + +Count = 394 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B8BF293DED4E10A61 + +Count = 395 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B7EA5D47FFCCADD3E + +Count = 396 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255BB984CE8EDEB89EDD + +Count = 397 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = +CT = FEC941470CB859D735255B80B658144E4BAC29D0 + +Count = 398 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00 +CT = FEC941470CB859D735255B80195D3DF2360C2B7D + +Count = 399 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 0001 +CT = FEC941470CB859D735255B803644FEFC7640D0FC + +Count = 400 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102 +CT = FEC941470CB859D735255B803923275C41150727 + +Count = 401 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00010203 +CT = FEC941470CB859D735255B80946C6ACAA77B4165 + +Count = 402 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 0001020304 +CT = FEC941470CB859D735255B805AC9D552F30CF437 + +Count = 403 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405 +CT = FEC941470CB859D735255B8013452A860BA7909E + +Count = 404 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00010203040506 +CT = FEC941470CB859D735255B80B2442DA150A68681 + +Count = 405 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 0001020304050607 +CT = FEC941470CB859D735255B803ED1E449FB79040B + +Count = 406 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708 +CT = FEC941470CB859D735255B80F60F7D48775578A3 + +Count = 407 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00010203040506070809 +CT = FEC941470CB859D735255B807D0CAFFBB546E850 + +Count = 408 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A +CT = FEC941470CB859D735255B803B3532C758B1E233 + +Count = 409 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B8061D7BBF7C2D08E75 + +Count = 410 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B809EC3B90AD882BBA1 + +Count = 411 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80D9B77C0AAE21EAE6 + +Count = 412 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B8068ED8D2295AD13B2 + +Count = 413 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80A83FD7AE0F18AA4F + +Count = 414 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80FFE314D154914778 + +Count = 415 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B803D4BE1C15D0D9CE4 + +Count = 416 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80CC09CCC0C64660B6 + +Count = 417 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B801FC472509340FCE5 + +Count = 418 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80BF6DE293ABF8ACAC + +Count = 419 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B800FC755B4C2D371E4 + +Count = 420 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80252871CE4B677327 + +Count = 421 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80F842D4D4E7AD0D02 + +Count = 422 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80052473FCC8F3B12B + +Count = 423 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80DC7A2BE4023EB2D4 + +Count = 424 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B806CF7466DE12EE8B3 + +Count = 425 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80DE6F097431863997 + +Count = 426 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B8007266A3B34B36E4A + +Count = 427 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80C151201D424B124F + +Count = 428 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80340667BC6A60C510 + +Count = 429 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80F3277D4D481286F3 + +Count = 430 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = +CT = FEC941470CB859D735255B80669A87B729D1F56CAC + +Count = 431 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00 +CT = FEC941470CB859D735255B806635829E95AC556E01 + +Count = 432 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 0001 +CT = FEC941470CB859D735255B80661A9B5D9BEC199580 + +Count = 433 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102 +CT = FEC941470CB859D735255B806615FC843BDB4C425B + +Count = 434 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00010203 +CT = FEC941470CB859D735255B8066B8B3C9AD3D220419 + +Count = 435 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 0001020304 +CT = FEC941470CB859D735255B8066761676356955B14B + +Count = 436 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405 +CT = FEC941470CB859D735255B80663F9A89E191FED5E2 + +Count = 437 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00010203040506 +CT = FEC941470CB859D735255B80669E9B8EC6CAFFC3FD + +Count = 438 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 0001020304050607 +CT = FEC941470CB859D735255B8066120E472E61204177 + +Count = 439 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708 +CT = FEC941470CB859D735255B8066DAD0DE2FED0C3DDF + +Count = 440 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00010203040506070809 +CT = FEC941470CB859D735255B806651D30C9C2F1FAD2C + +Count = 441 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A +CT = FEC941470CB859D735255B806617EA91A0C2E8A74F + +Count = 442 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80664D0818905889CB09 + +Count = 443 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B8066B21C1A6D42DBFEDD + +Count = 444 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B8066F568DF6D3478AF9A + +Count = 445 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B806644322E450FF456CE + +Count = 446 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B806684E074C99541EF33 + +Count = 447 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B8066D33CB7B6CEC80204 + +Count = 448 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B8066119442A6C754D998 + +Count = 449 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B8066E0D66FA75C1F25CA + +Count = 450 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B8066331BD1370919B999 + +Count = 451 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B806693B241F431A1E9D0 + +Count = 452 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80662318F6D3588A3498 + +Count = 453 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B806609F7D2A9D13E365B + +Count = 454 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B8066D49D77B37DF4487E + +Count = 455 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B806629FBD09B52AAF457 + +Count = 456 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B8066F0A588839867F7A8 + +Count = 457 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80664028E50A7B77ADCF + +Count = 458 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B8066F2B0AA13ABDF7CEB + +Count = 459 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80662BF9C95CAEEA2B36 + +Count = 460 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B8066ED8E837AD8125733 + +Count = 461 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B806618D9C4DBF039806C + +Count = 462 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B8066DFF8DE2AD24BC38F + +Count = 463 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = +CT = FEC941470CB859D735255B80663E379995F290E84795 + +Count = 464 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00 +CT = FEC941470CB859D735255B80663E989CBC4EED484538 + +Count = 465 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 0001 +CT = FEC941470CB859D735255B80663EB7857F40AD04BEB9 + +Count = 466 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102 +CT = FEC941470CB859D735255B80663EB8E2A6E09A516962 + +Count = 467 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00010203 +CT = FEC941470CB859D735255B80663E15ADEB767C3F2F20 + +Count = 468 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 0001020304 +CT = FEC941470CB859D735255B80663EDB0854EE28489A72 + +Count = 469 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405 +CT = FEC941470CB859D735255B80663E9284AB3AD0E3FEDB + +Count = 470 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E3385AC1D8BE2E8C4 + +Count = 471 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663EBF1065F5203D6A4E + +Count = 472 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E77CEFCF4AC1116E6 + +Count = 473 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663EFCCD2E476E028615 + +Count = 474 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663EBAF4B37B83F58C76 + +Count = 475 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663EE0163A4B1994E030 + +Count = 476 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E1F0238B603C6D5E4 + +Count = 477 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E5876FDB6756584A3 + +Count = 478 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663EE92C0C9E4EE97DF7 + +Count = 479 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E29FE5612D45CC40A + +Count = 480 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E7E22956D8FD5293D + +Count = 481 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663EBC8A607D8649F2A1 + +Count = 482 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E4DC84D7C1D020EF3 + +Count = 483 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E9E05F3EC480492A0 + +Count = 484 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E3EAC632F70BCC2E9 + +Count = 485 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E8E06D40819971FA1 + +Count = 486 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663EA4E9F07290231D62 + +Count = 487 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E798355683CE96347 + +Count = 488 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E84E5F24013B7DF6E + +Count = 489 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E5DBBAA58D97ADC91 + +Count = 490 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663EED36C7D13A6A86F6 + +Count = 491 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E5FAE88C8EAC257D2 + +Count = 492 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E86E7EB87EFF7000F + +Count = 493 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E4090A1A1990F7C0A + +Count = 494 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663EB5C7E600B124AB55 + +Count = 495 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E72E6FCF19356E8B6 + +Count = 496 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = +CT = FEC941470CB859D735255B80663E80CA51659B586156DC + +Count = 497 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00 +CT = FEC941470CB859D735255B80663E8065544C2725C15471 + +Count = 498 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 0001 +CT = FEC941470CB859D735255B80663E804A4D8F29658DAFF0 + +Count = 499 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102 +CT = FEC941470CB859D735255B80663E80452A568952D8782B + +Count = 500 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00010203 +CT = FEC941470CB859D735255B80663E80E8651B1FB4B63E69 + +Count = 501 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304 +CT = FEC941470CB859D735255B80663E8026C0A487E0C18B3B + +Count = 502 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405 +CT = FEC941470CB859D735255B80663E806F4C5B53186AEF92 + +Count = 503 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E80CE4D5C74436BF98D + +Count = 504 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E8042D8959CE8B47B07 + +Count = 505 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E808A060C9D649807AF + +Count = 506 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E800105DE2EA68B975C + +Count = 507 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E80473C43124B7C9D3F + +Count = 508 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E801DDECA22D11DF179 + +Count = 509 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E80E2CAC8DFCB4FC4AD + +Count = 510 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E80A5BE0DDFBDEC95EA + +Count = 511 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E8014E4FCF786606CBE + +Count = 512 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E80D436A67B1CD5D543 + +Count = 513 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E8083EA6504475C3874 + +Count = 514 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E80414290144EC0E3E8 + +Count = 515 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E80B000BD15D58B1FBA + +Count = 516 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E8063CD0385808D83E9 + +Count = 517 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E80C3649346B835D3A0 + +Count = 518 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E8073CE2461D11E0EE8 + +Count = 519 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E805921001B58AA0C2B + +Count = 520 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E80844BA501F460720E + +Count = 521 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E80792D0229DB3ECE27 + +Count = 522 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E80A0735A3111F3CDD8 + +Count = 523 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E8010FE37B8F2E397BF + +Count = 524 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E80A26678A1224B469B + +Count = 525 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807B2F1BEE277E1146 + +Count = 526 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E80BD5851C851866D43 + +Count = 527 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E80480F166979ADBA1C + +Count = 528 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E808F2E0C985BDFF9FF + +Count = 529 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = +CT = FEC941470CB859D735255B80663E807AB39D122E7B101B1A + +Count = 530 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00 +CT = FEC941470CB859D735255B80663E807A1C983B9206B019B7 + +Count = 531 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001 +CT = FEC941470CB859D735255B80663E807A3381F89C46FCE236 + +Count = 532 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102 +CT = FEC941470CB859D735255B80663E807A3CE6213C71A935ED + +Count = 533 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A91A96CAA97C773AF + +Count = 534 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A5F0CD332C3B0C6FD + +Count = 535 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A16802CE63B1BA254 + +Count = 536 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807AB7812BC1601AB44B + +Count = 537 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A3B14E229CBC536C1 + +Count = 538 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807AF3CA7B2847E94A69 + +Count = 539 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A78C9A99B85FADA9A + +Count = 540 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A3EF034A7680DD0F9 + +Count = 541 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A6412BD97F26CBCBF + +Count = 542 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A9B06BF6AE83E896B + +Count = 543 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807ADC727A6A9E9DD82C + +Count = 544 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A6D288B42A5112178 + +Count = 545 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807AADFAD1CE3FA49885 + +Count = 546 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807AFA2612B1642D75B2 + +Count = 547 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A388EE7A16DB1AE2E + +Count = 548 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807AC9CCCAA0F6FA527C + +Count = 549 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A1A017430A3FCCE2F + +Count = 550 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807ABAA8E4F39B449E66 + +Count = 551 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A0A0253D4F26F432E + +Count = 552 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A20ED77AE7BDB41ED + +Count = 553 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807AFD87D2B4D7113FC8 + +Count = 554 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A00E1759CF84F83E1 + +Count = 555 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807AD9BF2D843282801E + +Count = 556 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A6932400DD192DA79 + +Count = 557 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807ADBAA0F14013A0B5D + +Count = 558 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A02E36C5B040F5C80 + +Count = 559 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807AC494267D72F72085 + +Count = 560 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A31C361DC5ADCF7DA + +Count = 561 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807AF6E27B2D78AEB439 + +Count = 562 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = +CT = FEC941470CB859D735255B80663E807A63A849D541118342CC + +Count = 563 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63074CFCFD6C234061 + +Count = 564 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A6328553FF32C6FBBE0 + +Count = 565 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A632732E6531B3A6C3B + +Count = 566 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A638A7DABC5FD542A79 + +Count = 567 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A6344D8145DA9239F2B + +Count = 568 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A630D54EB895188FB82 + +Count = 569 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63AC55ECAE0A89ED9D + +Count = 570 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A6320C02546A1566F17 + +Count = 571 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63E81EBC472D7A13BF + +Count = 572 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63631D6EF4EF69834C + +Count = 573 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A632524F3C8029E892F + +Count = 574 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A637FC67AF898FFE569 + +Count = 575 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A6380D2780582ADD0BD + +Count = 576 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63C7A6BD05F40E81FA + +Count = 577 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A6376FC4C2DCF8278AE + +Count = 578 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63B62E16A15537C153 + +Count = 579 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63E1F2D5DE0EBE2C64 + +Count = 580 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63235A20CE0722F7F8 + +Count = 581 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D2180DCF9C690BAA + +Count = 582 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A6301D5B35FC96F97F9 + +Count = 583 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63A17C239CF1D7C7B0 + +Count = 584 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A6311D694BB98FC1AF8 + +Count = 585 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A633B39B0C11148183B + +Count = 586 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63E65315DBBD82661E + +Count = 587 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A631B35B2F392DCDA37 + +Count = 588 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63C26BEAEB5811D9C8 + +Count = 589 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A6372E68762BB0183AF + +Count = 590 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63C07EC87B6BA9528B + +Count = 591 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A631937AB346E9C0556 + +Count = 592 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63DF40E11218647953 + +Count = 593 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A632A17A6B3304FAE0C + +Count = 594 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63ED36BC42123DEDEF + +Count = 595 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = +CT = FEC941470CB859D735255B80663E807A63D56D03C2D7ECE3838B + +Count = 596 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D5C206EB6B91438126 + +Count = 597 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D5ED1F2865D10F7AA7 + +Count = 598 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D5E278F1C5E65AAD7C + +Count = 599 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D54F37BC530034EB3E + +Count = 600 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D5819203CB54435E6C + +Count = 601 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D5C81EFC1FACE83AC5 + +Count = 602 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D5691FFB38F7E92CDA + +Count = 603 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D5E58A32D05C36AE50 + +Count = 604 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52D54ABD1D01AD2F8 + +Count = 605 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D5A65779621209420B + +Count = 606 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D5E06EE45EFFFE4868 + +Count = 607 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D5BA8C6D6E659F242E + +Count = 608 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D545986F937FCD11FA + +Count = 609 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D502ECAA93096E40BD + +Count = 610 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D5B3B65BBB32E2B9E9 + +Count = 611 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D573640137A8570014 + +Count = 612 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D524B8C248F3DEED23 + +Count = 613 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D5E6103758FA4236BF + +Count = 614 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D517521A596109CAED + +Count = 615 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D5C49FA4C9340F56BE + +Count = 616 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D56436340A0CB706F7 + +Count = 617 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D5D49C832D659CDBBF + +Count = 618 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D5FE73A757EC28D97C + +Count = 619 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52319024D40E2A759 + +Count = 620 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D5DE7FA5656FBC1B70 + +Count = 621 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D50721FD7DA571188F + +Count = 622 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D5B7AC90F4466142E8 + +Count = 623 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D50534DFED96C993CC + +Count = 624 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D5DC7DBCA293FCC411 + +Count = 625 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D51A0AF684E504B814 + +Count = 626 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D5EF5DB125CD2F6F4B + +Count = 627 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D5287CABD4EF5D2CA8 + +Count = 628 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = +CT = FEC941470CB859D735255B80663E807A63D52AF436ED08F7854A6A + +Count = 629 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A5B33C4B48A2548C7 + +Count = 630 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A742A07BACA69B346 + +Count = 631 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A7B4DDE1AFD3C649D + +Count = 632 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52AD602938C1B5222DF + +Count = 633 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A18A72C144F25978D + +Count = 634 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A512BD3C0B78EF324 + +Count = 635 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52AF02AD4E7EC8FE53B + +Count = 636 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A7CBF1D0F475067B1 + +Count = 637 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52AB461840ECB7C1B19 + +Count = 638 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A3F6256BD096F8BEA + +Count = 639 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A795BCB81E4988189 + +Count = 640 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A23B942B17EF9EDCF + +Count = 641 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52ADCAD404C64ABD81B + +Count = 642 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A9BD9854C1208895C + +Count = 643 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A2A83746429847008 + +Count = 644 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52AEA512EE8B331C9F5 + +Count = 645 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52ABD8DED97E8B824C2 + +Count = 646 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A7F251887E124FF5E + +Count = 647 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A8E6735867A6F030C + +Count = 648 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A5DAA8B162F699F5F + +Count = 649 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52AFD031BD517D1CF16 + +Count = 650 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A4DA9ACF27EFA125E + +Count = 651 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A67468888F74E109D + +Count = 652 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52ABA2C2D925B846EB8 + +Count = 653 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A474A8ABA74DAD291 + +Count = 654 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A9E14D2A2BE17D16E + +Count = 655 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A2E99BF2B5D078B09 + +Count = 656 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A9C01F0328DAF5A2D + +Count = 657 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A4548937D889A0DF0 + +Count = 658 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A833FD95BFE6271F5 + +Count = 659 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A76689EFAD649A6AA + +Count = 660 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52AB149840BF43BE549 + +Count = 661 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71528442BF6E4962EA + +Count = 662 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71FD816B0313E96047 + +Count = 663 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71D298A80D53A59BC6 + +Count = 664 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71DDFF71AD64F04C1D + +Count = 665 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A7170B03C3B829E0A5F + +Count = 666 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71BE1583A3D6E9BF0D + +Count = 667 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71F7997C772E42DBA4 + +Count = 668 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A7156987B507543CDBB + +Count = 669 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71DA0DB2B8DE9C4F31 + +Count = 670 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A7112D32BB952B03399 + +Count = 671 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A7199D0F90A90A3A36A + +Count = 672 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71DFE964367D54A909 + +Count = 673 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71850BED06E735C54F + +Count = 674 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A717A1FEFFBFD67F09B + +Count = 675 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A713D6B2AFB8BC4A1DC + +Count = 676 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A718C31DBD3B0485888 + +Count = 677 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A714CE3815F2AFDE175 + +Count = 678 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A711B3F422071740C42 + +Count = 679 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71D997B73078E8D7DE + +Count = 680 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A7128D59A31E3A32B8C + +Count = 681 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71FB1824A1B6A5B7DF + +Count = 682 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A715BB1B4628E1DE796 + +Count = 683 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71EB1B0345E7363ADE + +Count = 684 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71C1F4273F6E82381D + +Count = 685 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A711C9E8225C2484638 + +Count = 686 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71E1F8250DED16FA11 + +Count = 687 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A7138A67D1527DBF9EE + +Count = 688 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71882B109CC4CBA389 + +Count = 689 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A713AB35F85146372AD + +Count = 690 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71E3FA3CCA11562570 + +Count = 691 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71258D76EC67AE5975 + +Count = 692 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71D0DA314D4F858E2A + +Count = 693 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A7117FB2BBC6DF7CDC9 + +Count = 694 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = +CT = FEC941470CB859D735255B80663E807A63D52A7182F7CF78EF4708A1F1 + +Count = 695 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A718258CA51533AA8A35C + +Count = 696 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A718277D3925D7AE458DD + +Count = 697 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A718278B44BFD4DB18F06 + +Count = 698 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A7182D5FB066BABDFC944 + +Count = 699 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71821B5EB9F3FFA87C16 + +Count = 700 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A718252D24627070318BF + +Count = 701 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A7182F3D341005C020EA0 + +Count = 702 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71827F4688E8F7DD8C2A + +Count = 703 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A7182B79811E97BF1F082 + +Count = 704 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71823C9BC35AB9E26071 + +Count = 705 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71827AA25E6654156A12 + +Count = 706 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71822040D756CE740654 + +Count = 707 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A7182DF54D5ABD4263380 + +Count = 708 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A7182982010ABA28562C7 + +Count = 709 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A7182297AE18399099B93 + +Count = 710 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A7182E9A8BB0F03BC226E + +Count = 711 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A7182BE7478705835CF59 + +Count = 712 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71827CDC8D6051A914C5 + +Count = 713 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71828D9EA061CAE2E897 + +Count = 714 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71825E531EF19FE474C4 + +Count = 715 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A7182FEFA8E32A75C248D + +Count = 716 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71824E503915CE77F9C5 + +Count = 717 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A718264BF1D6F47C3FB06 + +Count = 718 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A7182B9D5B875EB098523 + +Count = 719 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A718244B31F5DC457390A + +Count = 720 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829DED47450E9A3AF5 + +Count = 721 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71822D602ACCED8A6092 + +Count = 722 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829FF865D53D22B1B6 + +Count = 723 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A718246B1069A3817E66B + +Count = 724 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A718280C64CBC4EEF9A6E + +Count = 725 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A718275910B1D66C44D31 + +Count = 726 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A7182B2B011EC44B60ED2 + +Count = 727 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F40136AEEE40417C1 + +Count = 728 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829FEF16435299A4156C + +Count = 729 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829FC00F805CD9E8EEED + +Count = 730 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829FCF6859FCEEBD3936 + +Count = 731 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F6227146A08D37F74 + +Count = 732 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829FAC82ABF25CA4CA26 + +Count = 733 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829FE50E5426A40FAE8F + +Count = 734 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F440F5301FF0EB890 + +Count = 735 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829FC89A9AE954D13A1A + +Count = 736 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F004403E8D8FD46B2 + +Count = 737 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F8B47D15B1AEED641 + +Count = 738 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829FCD7E4C67F719DC22 + +Count = 739 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F979CC5576D78B064 + +Count = 740 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F6888C7AA772A85B0 + +Count = 741 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F2FFC02AA0189D4F7 + +Count = 742 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F9EA6F3823A052DA3 + +Count = 743 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F5E74A90EA0B0945E + +Count = 744 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F09A86A71FB397969 + +Count = 745 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829FCB009F61F2A5A2F5 + +Count = 746 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F3A42B26069EE5EA7 + +Count = 747 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829FE98F0CF03CE8C2F4 + +Count = 748 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F49269C33045092BD + +Count = 749 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829FF98C2B146D7B4FF5 + +Count = 750 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829FD3630F6EE4CF4D36 + +Count = 751 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0E09AA7448053313 + +Count = 752 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829FF36F0D5C675B8F3A + +Count = 753 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F2A315544AD968CC5 + +Count = 754 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F9ABC38CD4E86D6A2 + +Count = 755 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F282477D49E2E0786 + +Count = 756 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829FF16D149B9B1B505B + +Count = 757 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F371A5EBDEDE32C5E + +Count = 758 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829FC24D191CC5C8FB01 + +Count = 759 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F056C03EDE7BAB8E2 + +Count = 760 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BE9115FD98DC24AD6 + +Count = 761 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B46147665F062487B + +Count = 762 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B690DB56BB02EB3FA + +Count = 763 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B666A6CCB877B6421 + +Count = 764 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BCB25215D61152263 + +Count = 765 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B05809EC535629731 + +Count = 766 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B4C0C6111CDC9F398 + +Count = 767 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BED0D663696C8E587 + +Count = 768 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B6198AFDE3D17670D + +Count = 769 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BA94636DFB13B1BA5 + +Count = 770 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B2245E46C73288B56 + +Count = 771 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B647C79509EDF8135 + +Count = 772 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B3E9EF06004BEED73 + +Count = 773 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BC18AF29D1EECD8A7 + +Count = 774 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B86FE379D684F89E0 + +Count = 775 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B37A4C6B553C370B4 + +Count = 776 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF7769C39C976C949 + +Count = 777 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BA0AA5F4692FF247E + +Count = 778 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B6202AA569B63FFE2 + +Count = 779 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B93408757002803B0 + +Count = 780 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B408D39C7552E9FE3 + +Count = 781 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BE024A9046D96CFAA + +Count = 782 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B508E1E2304BD12E2 + +Count = 783 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B7A613A598D091021 + +Count = 784 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BA70B9F4321C36E04 + +Count = 785 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B5A6D386B0E9DD22D + +Count = 786 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B83336073C450D1D2 + +Count = 787 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B33BE0DFA27408BB5 + +Count = 788 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B812642E3F7E85A91 + +Count = 789 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B586F21ACF2DD0D4C + +Count = 790 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B9E186B8A84257149 + +Count = 791 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0B6B4F2C2BAC0EA616 + +Count = 792 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BAC6E36DA8E7CE5F5 + +Count = 793 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF321133DC6BF15EAF6 + +Count = 794 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF38E16147AC2B5E85B + +Count = 795 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3A10FD77482F913DA + +Count = 796 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3AE680ED4B5ACC401 + +Count = 797 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF30327434253C28243 + +Count = 798 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3CD82FCDA07B53711 + +Count = 799 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3840E030EFF1E53B8 + +Count = 800 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3250F0429A41F45A7 + +Count = 801 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3A99ACDC10FC0C72D + +Count = 802 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3614454C083ECBB85 + +Count = 803 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3EA47867341FF2B76 + +Count = 804 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3AC7E1B4FAC082115 + +Count = 805 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3F69C927F36694D53 + +Count = 806 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3098890822C3B7887 + +Count = 807 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF34EFC55825A9829C0 + +Count = 808 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3FFA6A4AA6114D094 + +Count = 809 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF33F74FE26FBA16969 + +Count = 810 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF368A83D59A028845E + +Count = 811 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3AA00C849A9B45FC2 + +Count = 812 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF35B42E54832FFA390 + +Count = 813 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3888F5BD867F93FC3 + +Count = 814 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF32826CB1B5F416F8A + +Count = 815 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3988C7C3C366AB2C2 + +Count = 816 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3B2635846BFDEB001 + +Count = 817 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF36F09FD5C1314CE24 + +Count = 818 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3926F5A743C4A720D + +Count = 819 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF34B31026CF68771F2 + +Count = 820 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3FBBC6FE515972B95 + +Count = 821 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3492420FCC53FFAB1 + +Count = 822 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3906D43B3C00AAD6C + +Count = 823 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3561A0995B6F2D169 + +Count = 824 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3A34D4E349ED90636 + +Count = 825 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3646C54C5BCAB45D5 + +Count = 826 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C5B28C82D80F3CB89 + +Count = 827 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CF42DE191FD53C924 + +Count = 828 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CDB34229FBD1F32A5 + +Count = 829 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD453FB3F8A4AE57E + +Count = 830 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C791CB6A96C24A33C + +Count = 831 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CB7B909313853166E + +Count = 832 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CFE35F6E5C0F872C7 + +Count = 833 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C5F34F1C29BF964D8 + +Count = 834 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD3A1382A3026E652 + +Count = 835 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C1B7FA12BBC0A9AFA + +Count = 836 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C907C73987E190A09 + +Count = 837 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD645EEA493EE006A + +Count = 838 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C8CA76794098F6C2C + +Count = 839 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C73B3656913DD59F8 + +Count = 840 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C34C7A069657E08BF + +Count = 841 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C859D51415EF2F1EB + +Count = 842 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C454F0BCDC4474816 + +Count = 843 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C1293C8B29FCEA521 + +Count = 844 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD03B3DA296527EBD + +Count = 845 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C217910A30D1982EF + +Count = 846 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CF2B4AE33581F1EBC + +Count = 847 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C521D3EF060A74EF5 + +Count = 848 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CE2B789D7098C93BD + +Count = 849 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CC858ADAD8038917E + +Count = 850 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C153208B72CF2EF5B + +Count = 851 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CE854AF9F03AC5372 + +Count = 852 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C310AF787C961508D + +Count = 853 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C81879A0E2A710AEA + +Count = 854 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C331FD517FAD9DBCE + +Count = 855 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CEA56B658FFEC8C13 + +Count = 856 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2C21FC7E8914F016 + +Count = 857 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD976BBDFA13F2749 + +Count = 858 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C1E57A12E834D64AA + +Count = 859 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27B83F449CB1372B2C + +Count = 860 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27173A6D20CC972981 + +Count = 861 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C273823AE2E8CDBD200 + +Count = 862 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C273744778EBB8E05DB + +Count = 863 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C279A0B3A185DE04399 + +Count = 864 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2754AE85800997F6CB + +Count = 865 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C271D227A54F13C9262 + +Count = 866 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27BC237D73AA3D847D + +Count = 867 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2730B6B49B01E206F7 + +Count = 868 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27F8682D9A8DCE7A5F + +Count = 869 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27736BFF294FDDEAAC + +Count = 870 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2735526215A22AE0CF + +Count = 871 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C276FB0EB25384B8C89 + +Count = 872 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2790A4E9D82219B95D + +Count = 873 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27D7D02CD854BAE81A + +Count = 874 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27668ADDF06F36114E + +Count = 875 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27A658877CF583A8B3 + +Count = 876 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27F1844403AE0A4584 + +Count = 877 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27332CB113A7969E18 + +Count = 878 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27C26E9C123CDD624A + +Count = 879 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2711A3228269DBFE19 + +Count = 880 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27B10AB2415163AE50 + +Count = 881 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2701A0056638487318 + +Count = 882 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C272B4F211CB1FC71DB + +Count = 883 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27F62584061D360FFE + +Count = 884 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C270B43232E3268B3D7 + +Count = 885 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27D21D7B36F8A5B028 + +Count = 886 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27629016BF1BB5EA4F + +Count = 887 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27D00859A6CB1D3B6B + +Count = 888 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2709413AE9CE286CB6 + +Count = 889 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27CF3670CFB8D010B3 + +Count = 890 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C273A61376E90FBC7EC + +Count = 891 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27FD402D9FB289840F + +Count = 892 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E664EB0E34E4BFDB08 + +Count = 893 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CBEE2788991FD9A5 + +Count = 894 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6E4F7E486D9532224 + +Count = 895 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6EB903D26EE06F5FF + +Count = 896 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E646DF70B00868B3BD + +Count = 897 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6887ACF285C1F06EF + +Count = 898 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6C1F630FCA4B46246 + +Count = 899 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E660F737DBFFB57459 + +Count = 900 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6EC62FE33546AF6D3 + +Count = 901 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E624BC6732D8468A7B + +Count = 902 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6AFBFB5811A551A88 + +Count = 903 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6E98628BDF7A210EB + +Count = 904 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6B364A18D6DC37CAD + +Count = 905 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E64C70A37077914979 + +Count = 906 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E60B0466700132183E + +Count = 907 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6BA5E97583ABEE16A + +Count = 908 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E67A8CCDD4A00B5897 + +Count = 909 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E62D500EABFB82B5A0 + +Count = 910 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6EFF8FBBBF21E6E3C + +Count = 911 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E61EBAD6BA6955926E + +Count = 912 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CD77682A3C530E3D + +Count = 913 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E66DDEF8E904EB5E74 + +Count = 914 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6DD744FCE6DC0833C + +Count = 915 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6F79B6BB4E47481FF + +Count = 916 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E62AF1CEAE48BEFFDA + +Count = 917 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6D797698667E043F3 + +Count = 918 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E60EC9319EAD2D400C + +Count = 919 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6BE445C174E3D1A6B + +Count = 920 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E60CDC130E9E95CB4F + +Count = 921 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6D59570419BA09C92 + +Count = 922 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E613E23A67ED58E097 + +Count = 923 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6E6B57DC6C57337C8 + +Count = 924 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E621946737E701742B + +Count = 925 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC16EAF1576BD8ED2C + +Count = 926 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCB9EFD8EB1678EF81 + +Count = 927 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC96F61BE556341400 + +Count = 928 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC9991C2456161C3DB + +Count = 929 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC34DE8FD3870F8599 + +Count = 930 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCFA7B304BD37830CB + +Count = 931 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCB3F7CF9F2BD35462 + +Count = 932 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC12F6C8B870D2427D + +Count = 933 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC9E630150DB0DC0F7 + +Count = 934 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC56BD98515721BC5F + +Count = 935 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCDDBE4AE295322CAC + +Count = 936 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC9B87D7DE78C526CF + +Count = 937 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCC1655EEEE2A44A89 + +Count = 938 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC3E715C13F8F67F5D + +Count = 939 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC790599138E552E1A + +Count = 940 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCC85F683BB5D9D74E + +Count = 941 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC088D32B72F6C6EB3 + +Count = 942 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC5F51F1C874E58384 + +Count = 943 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC9DF904D87D795818 + +Count = 944 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC6CBB29D9E632A44A + +Count = 945 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBF769749B3343819 + +Count = 946 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC1FDF078A8B8C6850 + +Count = 947 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCAF75B0ADE2A7B518 + +Count = 948 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC859A94D76B13B7DB + +Count = 949 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC58F031CDC7D9C9FE + +Count = 950 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCA59696E5E88775D7 + +Count = 951 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC7CC8CEFD224A7628 + +Count = 952 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCCC45A374C15A2C4F + +Count = 953 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC7EDDEC6D11F2FD6B + +Count = 954 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCA7948F2214C7AAB6 + +Count = 955 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC61E3C504623FD6B3 + +Count = 956 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC94B482A54A1401EC + +Count = 957 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC539598546866420F + +Count = 958 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC9AB6F46C910247FA + +Count = 959 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC35B3DDD0ECA24557 + +Count = 960 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC1AAA1EDEACEEBED6 + +Count = 961 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC15CDC77E9BBB690D + +Count = 962 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCB8828AE87DD52F4F + +Count = 963 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC7627357029A29A1D + +Count = 964 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC3FABCAA4D109FEB4 + +Count = 965 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC9EAACD838A08E8AB + +Count = 966 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC123F046B21D76A21 + +Count = 967 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCDAE19D6AADFB1689 + +Count = 968 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC51E24FD96FE8867A + +Count = 969 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC17DBD2E5821F8C19 + +Count = 970 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC4D395BD5187EE05F + +Count = 971 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCB22D5928022CD58B + +Count = 972 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCF5599C28748F84CC + +Count = 973 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC44036D004F037D98 + +Count = 974 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC84D1378CD5B6C465 + +Count = 975 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCD30DF4F38E3F2952 + +Count = 976 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC11A501E387A3F2CE + +Count = 977 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCE0E72CE21CE80E9C + +Count = 978 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC332A927249EE92CF + +Count = 979 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC938302B17156C286 + +Count = 980 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC2329B596187D1FCE + +Count = 981 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC09C691EC91C91D0D + +Count = 982 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCD4AC34F63D036328 + +Count = 983 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC29CA93DE125DDF01 + +Count = 984 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCF094CBC6D890DCFE + +Count = 985 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC4019A64F3B808699 + +Count = 986 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCF281E956EB2857BD + +Count = 987 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC2BC88A19EE1D0060 + +Count = 988 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCEDBFC03F98E57C65 + +Count = 989 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC18E8879EB0CEAB3A + +Count = 990 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCDFC99D6F92BCE8D9 + +Count = 991 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B40FE4CF065DC957E + +Count = 992 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BEFFB654C187C97D3 + +Count = 993 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BC0E2A64258306C52 + +Count = 994 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BCF857FE26F65BB89 + +Count = 995 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B62CA3274890BFDCB + +Count = 996 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BAC6F8DECDD7C4899 + +Count = 997 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BE5E3723825D72C30 + +Count = 998 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B44E2751F7ED63A2F + +Count = 999 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BC877BCF7D509B8A5 + +Count = 1000 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B00A925F65925C40D + +Count = 1001 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B8BAAF7459B3654FE + +Count = 1002 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BCD936A7976C15E9D + +Count = 1003 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B9771E349ECA032DB + +Count = 1004 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B6865E1B4F6F2070F + +Count = 1005 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B2F1124B480515648 + +Count = 1006 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B9E4BD59CBBDDAF1C + +Count = 1007 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5E998F10216816E1 + +Count = 1008 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B09454C6F7AE1FBD6 + +Count = 1009 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BCBEDB97F737D204A + +Count = 1010 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B3AAF947EE836DC18 + +Count = 1011 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BE9622AEEBD30404B + +Count = 1012 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B49CBBA2D85881002 + +Count = 1013 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BF9610D0AECA3CD4A + +Count = 1014 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BD38E29706517CF89 + +Count = 1015 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B0EE48C6AC9DDB1AC + +Count = 1016 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BF3822B42E6830D85 + +Count = 1017 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B2ADC735A2C4E0E7A + +Count = 1018 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B9A511ED3CF5E541D + +Count = 1019 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B28C951CA1FF68539 + +Count = 1020 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BF18032851AC3D2E4 + +Count = 1021 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B37F778A36C3BAEE1 + +Count = 1022 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BC2A03F02441079BE + +Count = 1023 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B058125F366623A5D + +Count = 1024 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AC550DC80ABDC9E65 + +Count = 1025 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A6A55F53CD67C9CC8 + +Count = 1026 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A454C363296306749 + +Count = 1027 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A4A2BEF92A165B092 + +Count = 1028 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AE764A204470BF6D0 + +Count = 1029 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A29C11D9C137C4382 + +Count = 1030 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A604DE248EBD7272B + +Count = 1031 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AC14CE56FB0D63134 + +Count = 1032 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A4DD92C871B09B3BE + +Count = 1033 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A8507B5869725CF16 + +Count = 1034 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A0E04673555365FE5 + +Count = 1035 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A483DFA09B8C15586 + +Count = 1036 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A12DF733922A039C0 + +Count = 1037 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AEDCB71C438F20C14 + +Count = 1038 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AAABFB4C44E515D53 + +Count = 1039 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1BE545EC75DDA407 + +Count = 1040 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5ADB371F60EF681DFA + +Count = 1041 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A8CEBDC1FB4E1F0CD + +Count = 1042 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A4E43290FBD7D2B51 + +Count = 1043 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5ABF01040E2636D703 + +Count = 1044 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A6CCCBA9E73304B50 + +Count = 1045 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5ACC652A5D4B881B19 + +Count = 1046 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A7CCF9D7A22A3C651 + +Count = 1047 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A5620B900AB17C492 + +Count = 1048 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A8B4A1C1A07DDBAB7 + +Count = 1049 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A762CBB322883069E + +Count = 1050 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AAF72E32AE24E0561 + +Count = 1051 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1FFF8EA3015E5F06 + +Count = 1052 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AAD67C1BAD1F68E22 + +Count = 1053 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A742EA2F5D4C3D9FF + +Count = 1054 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AB259E8D3A23BA5FA + +Count = 1055 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A470EAF728A1072A5 + +Count = 1056 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A802FB583A8623146 + +Count = 1057 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16129984AAE23DA1FE + +Count = 1058 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16BD9CAD169F9DA353 + +Count = 1059 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1692856E18DFD158D2 + +Count = 1060 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A169DE2B7B8E8848F09 + +Count = 1061 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1630ADFA2E0EEAC94B + +Count = 1062 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16FE0845B65A9D7C19 + +Count = 1063 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16B784BA62A23618B0 + +Count = 1064 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A161685BD45F9370EAF + +Count = 1065 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304050607 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A169A1074AD52E88C25 + +Count = 1066 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1652CEEDACDEC4F08D + +Count = 1067 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506070809 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16D9CD3F1F1CD7607E + +Count = 1068 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A169FF4A223F1206A1D + +Count = 1069 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16C5162B136B41065B + +Count = 1070 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A163A0229EE7113338F + +Count = 1071 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A167D76ECEE07B062C8 + +Count = 1072 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16CC2C1DC63C3C9B9C + +Count = 1073 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A160CFE474AA6892261 + +Count = 1074 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A165B228435FD00CF56 + +Count = 1075 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16998A7125F49C14CA + +Count = 1076 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1668C85C246FD7E898 + +Count = 1077 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16BB05E2B43AD174CB + +Count = 1078 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A161BAC727702692482 + +Count = 1079 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16AB06C5506B42F9CA + +Count = 1080 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1681E9E12AE2F6FB09 + +Count = 1081 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A165C8344304E3C852C + +Count = 1082 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16A1E5E31861623905 + +Count = 1083 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1678BBBB00ABAF3AFA + +Count = 1084 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16C836D68948BF609D + +Count = 1085 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A167AAE99909817B1B9 + +Count = 1086 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16A3E7FADF9D22E664 + +Count = 1087 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A166590B0F9EBDA9A61 + +Count = 1088 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1690C7F758C3F14D3E + +Count = 1089 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1657E6EDA9E1830EDD + diff --git a/elephant/Implementations/crypto_aead/elephant176v1/ref/LWC_AEAD_KAT_128_96.txt b/elephant/Implementations/crypto_aead/elephant176v1/ref/LWC_AEAD_KAT_128_96.txt deleted file mode 100644 index 6b167cf..0000000 --- a/elephant/Implementations/crypto_aead/elephant176v1/ref/LWC_AEAD_KAT_128_96.txt +++ /dev/null @@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = -CT = F9F52C3201D8EE81 - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00 -CT = 56F0058E7C78EC2C - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001 -CT = 79E9C6803C3417AD - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102 -CT = 768E1F200B61C076 - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203 -CT = DBC152B6ED0F8634 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304 -CT = 1564ED2EB9783366 - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405 -CT = 5CE812FA41D357CF - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506 -CT = FDE915DD1AD241D0 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304050607 -CT = 717CDC35B10DC35A - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708 -CT = B9A245343D21BFF2 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506070809 -CT = 32A19787FF322F01 - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A -CT = 74980ABB12C52562 - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B -CT = 2E7A838B88A44924 - -Count = 14 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C -CT = D16E817692F67CF0 - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D -CT = 961A4476E4552DB7 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 2740B55EDFD9D4E3 - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = E792EFD2456C6D1E - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B04E2CAD1EE58029 - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 72E6D9BD17795BB5 - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 83A4F4BC8C32A7E7 - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 50694A2CD9343BB4 - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = F0C0DAEFE18C6BFD - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 406A6DC888A7B6B5 - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 6A8549B20113B476 - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B7EFECA8ADD9CA53 - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 4A894B808287767A - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 93D71398484A7585 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 235A7E11AB5A2FE2 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 91C231087BF2FEC6 - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 488B52477EC7A91B - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 8EFC1861083FD51E - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 7BAB5FC020140241 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = BC8A4531026641A2 - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = -CT = FE2C92E25CDDEBE2A5 - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00 -CT = FE8397CBE0A04BE008 - -Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001 -CT = FEAC8E08EEE0071B89 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102 -CT = FEA3E9D14ED752CC52 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203 -CT = FE0EA69CD8313C8A10 - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304 -CT = FEC0032340654B3F42 - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405 -CT = FE898FDC949DE05BEB - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506 -CT = FE288EDBB3C6E14DF4 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304050607 -CT = FEA41B125B6D3ECF7E - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708 -CT = FE6CC58B5AE112B3D6 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506070809 -CT = FEE7C659E923012325 - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A -CT = FEA1FFC4D5CEF62946 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B -CT = FEFB1D4DE554974500 - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C -CT = FE04094F184EC570D4 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = FE437D8A1838662193 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = FEF2277B3003EAD8C7 - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = FE32F521BC995F613A - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FE6529E2C3C2D68C0D - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEA78117D3CB4A5791 - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FE56C33AD25001ABC3 - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FE850E844205073790 - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FE25A714813DBF67D9 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FE950DA3A65494BA91 - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEBFE287DCDD20B852 - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FE628822C671EAC677 - -Count = 59 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FE9FEE85EE5EB47A5E - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FE46B0DDF6947979A1 - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEF63DB07F776923C6 - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FE44A5FF66A7C1F2E2 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FE9DEC9C29A2F4A53F - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FE5B9BD60FD40CD93A - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEAECC91AEFC270E65 - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FE69ED8B5FDE554D86 - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = -CT = FEC9C5D02385265671AA - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00 -CT = FEC96AD50A395BF67307 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001 -CT = FEC945CCC9371BBA8886 - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102 -CT = FEC94AAB10972CEF5F5D - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203 -CT = FEC9E7E45D01CA81191F - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304 -CT = FEC92941E2999EF6AC4D - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405 -CT = FEC960CD1D4D665DC8E4 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506 -CT = FEC9C1CC1A6A3D5CDEFB - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304050607 -CT = FEC94D59D38296835C71 - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708 -CT = FEC985874A831AAF20D9 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506070809 -CT = FEC90E849830D8BCB02A - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A -CT = FEC948BD050C354BBA49 - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B -CT = FEC9125F8C3CAF2AD60F - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C -CT = FEC9ED4B8EC1B578E3DB - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D -CT = FEC9AA3F4BC1C3DBB29C - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = FEC91B65BAE9F8574BC8 - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC9DBB7E06562E2F235 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC98C6B231A396B1F02 - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC94EC3D60A30F7C49E - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC9BF81FB0BABBC38CC - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC96C4C459BFEBAA49F - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC9CCE5D558C602F4D6 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC97C4F627FAF29299E - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC956A04605269D2B5D - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC98BCAE31F8A575578 - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC976AC4437A509E951 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC9AFF21C2F6FC4EAAE - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC91F7F71A68CD4B0C9 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC9ADE73EBF5C7C61ED - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC974AE5DF059493630 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC9B2D917D62FB14A35 - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC9478E5077079A9D6A - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC980AF4A8625E8DE89 - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = -CT = FEC9411BC7AA32DC76BB7D - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00 -CT = FEC941B4C2838EA1D6B9D0 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001 -CT = FEC9419BDB4080E19A4251 - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102 -CT = FEC94194BC9920D6CF958A - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203 -CT = FEC94139F3D4B630A1D3C8 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304 -CT = FEC941F7566B2E64D6669A - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405 -CT = FEC941BEDA94FA9C7D0233 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506 -CT = FEC9411FDB93DDC77C142C - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304050607 -CT = FEC941934E5A356CA396A6 - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708 -CT = FEC9415B90C334E08FEA0E - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506070809 -CT = FEC941D0931187229C7AFD - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A -CT = FEC94196AA8CBBCF6B709E - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B -CT = FEC941CC48058B550A1CD8 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C -CT = FEC941335C07764F58290C - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = FEC9417428C27639FB784B - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941C572335E0277811F - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC94105A069D298C238E2 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941527CAAADC34BD5D5 - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC94190D45FBDCAD70E49 - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941619672BC519CF21B - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941B25BCC2C049A6E48 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC94112F25CEF3C223E01 - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941A258EBC85509E349 - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC94188B7CFB2DCBDE18A - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC94155DD6AA870779FAF - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941A8BBCD805F292386 - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC94171E5959895E42079 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941C168F81176F47A1E - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC94173F0B708A65CAB3A - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941AAB9D447A369FCE7 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC9416CCE9E61D59180E2 - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC9419999D9C0FDBA57BD - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC9415EB8C331DFC8145E - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = -CT = FEC941479E83007EEF580F5C - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00 -CT = FEC94147318629C292F80DF1 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001 -CT = FEC941471E9FEACCD2B4F670 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102 -CT = FEC9414711F8336CE5E121AB - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203 -CT = FEC94147BCB77EFA038F67E9 - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304 -CT = FEC941477212C16257F8D2BB - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405 -CT = FEC941473B9E3EB6AF53B612 - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506 -CT = FEC941479A9F3991F452A00D - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304050607 -CT = FEC94147160AF0795F8D2287 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708 -CT = FEC94147DED46978D3A15E2F - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506070809 -CT = FEC9414755D7BBCB11B2CEDC - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A -CT = FEC9414713EE26F7FC45C4BF - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B -CT = FEC94147490CAFC76624A8F9 - -Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = FEC94147B618AD3A7C769D2D - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = FEC94147F16C683A0AD5CC6A - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = FEC94147403699123159353E - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC9414780E4C39EABEC8CC3 - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC94147D73800E1F06561F4 - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941471590F5F1F9F9BA68 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC94147E4D2D8F062B2463A - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC94147371F666037B4DA69 - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC9414797B6F6A30F0C8A20 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC94147271C418466275768 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470DF365FEEF9355AB - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC94147D099C0E443592B8E - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941472DFF67CC6C0797A7 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC94147F4A13FD4A6CA9458 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC94147442C525D45DACE3F - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC94147F6B41D4495721F1B - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941472FFD7E0B904748C6 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC94147E98A342DE6BF34C3 - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941471CDD738CCE94E39C - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC94147DBFC697DECE6A07F - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = -CT = FEC941470C278F4DD8B1E42763 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00 -CT = FEC941470C888A6464CC4425CE - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001 -CT = FEC941470CA793A76A8C08DE4F - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102 -CT = FEC941470CA8F47ECABB5D0994 - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203 -CT = FEC941470C05BB335C5D334FD6 - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304 -CT = FEC941470CCB1E8CC40944FA84 - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405 -CT = FEC941470C82927310F1EF9E2D - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506 -CT = FEC941470C23937437AAEE8832 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304050607 -CT = FEC941470CAF06BDDF01310AB8 - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708 -CT = FEC941470C67D824DE8D1D7610 - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506070809 -CT = FEC941470CECDBF66D4F0EE6E3 - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A -CT = FEC941470CAAE26B51A2F9EC80 - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B -CT = FEC941470CF000E261389880C6 - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = FEC941470C0F14E09C22CAB512 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = FEC941470C4860259C5469E455 - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CF93AD4B46FE51D01 - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470C39E88E38F550A4FC - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470C6E344D47AED949CB - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CAC9CB857A7459257 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470C5DDE95563C0E6E05 - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470C8E132BC66908F256 - -Count = 187 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470C2EBABB0551B0A21F - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470C9E100C22389B7F57 - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB4FF2858B12F7D94 - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470C69958D421DE503B1 - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470C94F32A6A32BBBF98 - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470C4DAD7272F876BC67 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CFD201FFB1B66E600 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470C4FB850E2CBCE3724 - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470C96F133ADCEFB60F9 - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470C5086798BB8031CFC - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CA5D13E2A9028CBA3 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470C62F024DBB25A8840 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = -CT = FEC941470CB8E24205EEF8093C08 - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00 -CT = FEC941470CB84D472C5285A93EA5 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001 -CT = FEC941470CB8625EEF5CC5E5C524 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102 -CT = FEC941470CB86D3936FCF2B012FF - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203 -CT = FEC941470CB8C0767B6A14DE54BD - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304 -CT = FEC941470CB80ED3C4F240A9E1EF - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405 -CT = FEC941470CB8475F3B26B8028546 - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506 -CT = FEC941470CB8E65E3C01E3039359 - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304050607 -CT = FEC941470CB86ACBF5E948DC11D3 - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708 -CT = FEC941470CB8A2156CE8C4F06D7B - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506070809 -CT = FEC941470CB82916BE5B06E3FD88 - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A -CT = FEC941470CB86F2F2367EB14F7EB - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B -CT = FEC941470CB835CDAA5771759BAD - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = FEC941470CB8CAD9A8AA6B27AE79 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB88DAD6DAA1D84FF3E - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB83CF79C822608066A - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB8FC25C60EBCBDBF97 - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB8ABF90571E73452A0 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB86951F061EEA8893C - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB89813DD6075E3756E - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB84BDE63F020E5E93D - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB8EB77F333185DB974 - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB85BDD44147176643C - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB87132606EF8C266FF - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB8AC58C574540818DA - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB8513E625C7B56A4F3 - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB888603A44B19BA70C - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB838ED57CD528BFD6B - -Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB88A7518D482232C4F - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB8533C7B9B87167B92 - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB8954B31BDF1EE0797 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB8601C761CD9C5D0C8 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB8A73D6CEDFBB7932B - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = -CT = FEC941470CB85931CD20ED8103BD44 - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00 -CT = FEC941470CB8599EC80951FCA3BFE9 - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001 -CT = FEC941470CB859B1D1CA5FBCEF4468 - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102 -CT = FEC941470CB859BEB613FF8BBA93B3 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203 -CT = FEC941470CB85913F95E696DD4D5F1 - -Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304 -CT = FEC941470CB859DD5CE1F139A360A3 - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405 -CT = FEC941470CB85994D01E25C108040A - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506 -CT = FEC941470CB85935D119029A091215 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304050607 -CT = FEC941470CB859B944D0EA31D6909F - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708 -CT = FEC941470CB859719A49EBBDFAEC37 - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506070809 -CT = FEC941470CB859FA999B587FE97CC4 - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A -CT = FEC941470CB859BCA00664921E76A7 - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = FEC941470CB859E6428F54087F1AE1 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = FEC941470CB85919568DA9122D2F35 - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB8595E2248A9648E7E72 - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859EF78B9815F028726 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB8592FAAE30DC5B73EDB - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859787620729E3ED3EC - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859BADED56297A20870 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB8594B9CF8630CE9F422 - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859985146F359EF6871 - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB85938F8D63061573838 - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB85988526117087CE570 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859A2BD456D81C8E7B3 - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB8597FD7E0772D029996 - -Count = 257 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB85982B1475F025C25BF - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB8595BEF1F47C8912640 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859EB6272CE2B817C27 - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB85959FA3DD7FB29AD03 - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB85980B35E98FE1CFADE - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB85946C414BE88E486DB - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859B393531FA0CF5184 - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB85974B249EE82BD1267 - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = -CT = FEC941470CB859D7A1F29672CF3310E0 - -Count = 266 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00 -CT = FEC941470CB859D70EF7BFCEB293124D - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001 -CT = FEC941470CB859D721EE7CC0F2DFE9CC - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102 -CT = FEC941470CB859D72E89A560C58A3E17 - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203 -CT = FEC941470CB859D783C6E8F623E47855 - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304 -CT = FEC941470CB859D74D63576E7793CD07 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405 -CT = FEC941470CB859D704EFA8BA8F38A9AE - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506 -CT = FEC941470CB859D7A5EEAF9DD439BFB1 - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304050607 -CT = FEC941470CB859D7297B66757FE63D3B - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708 -CT = FEC941470CB859D7E1A5FF74F3CA4193 - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506070809 -CT = FEC941470CB859D76AA62DC731D9D160 - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A -CT = FEC941470CB859D72C9FB0FBDC2EDB03 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = FEC941470CB859D7767D39CB464FB745 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D789693B365C1D8291 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D7CE1DFE362ABED3D6 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D77F470F1E11322A82 - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D7BF9555928B87937F - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D7E84996EDD00E7E48 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D72AE163FDD992A5D4 - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D7DBA34EFC42D95986 - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D7086EF06C17DFC5D5 - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D7A8C760AF2F67959C - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D7186DD788464C48D4 - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D73282F3F2CFF84A17 - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D7EFE856E863323432 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D7128EF1C04C6C881B - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D7CBD0A9D886A18BE4 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D77B5DC45165B1D183 - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D7C9C58B48B51900A7 - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D7108CE807B02C577A - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D7D6FBA221C6D42B7F - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D723ACE580EEFFFC20 - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D7E48DFF71CC8DBFC3 - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = -CT = FEC941470CB859D7354BDE6B3DDA94AA48 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00 -CT = FEC941470CB859D735E4DB4281A734A8E5 - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001 -CT = FEC941470CB859D735CBC2818FE7785364 - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102 -CT = FEC941470CB859D735C4A5582FD02D84BF - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203 -CT = FEC941470CB859D73569EA15B93643C2FD - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304 -CT = FEC941470CB859D735A74FAA21623477AF - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405 -CT = FEC941470CB859D735EEC355F59A9F1306 - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506 -CT = FEC941470CB859D7354FC252D2C19E0519 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304050607 -CT = FEC941470CB859D735C3579B3A6A418793 - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708 -CT = FEC941470CB859D7350B89023BE66DFB3B - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506070809 -CT = FEC941470CB859D735808AD088247E6BC8 - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A -CT = FEC941470CB859D735C6B34DB4C98961AB - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = FEC941470CB859D7359C51C48453E80DED - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D7356345C67949BA3839 - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735243103793F19697E - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735956BF2510495902A - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D73555B9A8DD9E2029D7 - -Count = 315 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D73502656BA2C5A9C4E0 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735C0CD9EB2CC351F7C - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735318FB3B3577EE32E - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735E2420D2302787F7D - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D73542EB9DE03AC02F34 - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735F2412AC753EBF27C - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735D8AE0EBDDA5FF0BF - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D73505C4ABA776958E9A - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735F8A20C8F59CB32B3 - -Count = 324 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D73521FC54979306314C - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D7359171391E70166B2B - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D73523E97607A0BEBA0F - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735FAA01548A58BEDD2 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D7353CD75F6ED37391D7 - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735C98018CFFB584688 - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D7350EA1023ED92A056B - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = -CT = FEC941470CB859D735256D1107BAA5D56B3C - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00 -CT = FEC941470CB859D73525C2142E06D8756991 - -Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001 -CT = FEC941470CB859D73525ED0DED0898399210 - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102 -CT = FEC941470CB859D73525E26A34A8AF6C45CB - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203 -CT = FEC941470CB859D735254F25793E49020389 - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304 -CT = FEC941470CB859D735258180C6A61D75B6DB - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405 -CT = FEC941470CB859D73525C80C3972E5DED272 - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506 -CT = FEC941470CB859D73525690D3E55BEDFC46D - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304050607 -CT = FEC941470CB859D73525E598F7BD150046E7 - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708 -CT = FEC941470CB859D735252D466EBC992C3A4F - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = FEC941470CB859D73525A645BC0F5B3FAABC - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = FEC941470CB859D73525E07C2133B6C8A0DF - -Count = 343 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = FEC941470CB859D73525BA9EA8032CA9CC99 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D73525458AAAFE36FBF94D - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D7352502FE6FFE4058A80A - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D73525B3A49ED67BD4515E - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735257376C45AE161E8A3 - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D7352524AA0725BAE80594 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D73525E602F235B374DE08 - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735251740DF34283F225A - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D73525C48D61A47D39BE09 - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735256424F1674581EE40 - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D73525D48E46402CAA3308 - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D73525FE61623AA51E31CB - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D73525230BC72009D44FEE - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D73525DE6D6008268AF3C7 - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D7352507333810EC47F038 - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D73525B7BE55990F57AA5F - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D7352505261A80DFFF7B7B - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D73525DC6F79CFDACA2CA6 - -Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735251A1833E9AC3250A3 - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D73525EF4F7448841987FC - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D73525286E6EB9A66BC41F - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = -CT = FEC941470CB859D735255BFCFBA78DDD0631FE - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00 -CT = FEC941470CB859D735255B53FE8E31A0A63353 - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001 -CT = FEC941470CB859D735255B7CE74D3FE0EAC8D2 - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102 -CT = FEC941470CB859D735255B7380949FD7BF1F09 - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203 -CT = FEC941470CB859D735255BDECFD90931D1594B - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304 -CT = FEC941470CB859D735255B106A669165A6EC19 - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405 -CT = FEC941470CB859D735255B59E699459D0D88B0 - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506 -CT = FEC941470CB859D735255BF8E79E62C60C9EAF - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304050607 -CT = FEC941470CB859D735255B7472578A6DD31C25 - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708 -CT = FEC941470CB859D735255BBCACCE8BE1FF608D - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = FEC941470CB859D735255B37AF1C3823ECF07E - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = FEC941470CB859D735255B71968104CE1BFA1D - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B2B740834547A965B - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255BD4600AC94E28A38F - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B9314CFC9388BF2C8 - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B224E3EE103070B9C - -Count = 380 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255BE29C646D99B2B261 - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255BB540A712C23B5F56 - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B77E85202CBA784CA - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B86AA7F0350EC7898 - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B5567C19305EAE4CB - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255BF5CE51503D52B482 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B4564E677547969CA - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B6F8BC20DDDCD6B09 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255BB2E167177107152C - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B4F87C03F5E59A905 - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B96D998279494AAFA - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B2654F5AE7784F09D - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B94CCBAB7A72C21B9 - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B4D85D9F8A2197664 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B8BF293DED4E10A61 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B7EA5D47FFCCADD3E - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255BB984CE8EDEB89EDD - -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = -CT = FEC941470CB859D735255B80B658144E4BAC29D0 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00 -CT = FEC941470CB859D735255B80195D3DF2360C2B7D - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001 -CT = FEC941470CB859D735255B803644FEFC7640D0FC - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102 -CT = FEC941470CB859D735255B803923275C41150727 - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203 -CT = FEC941470CB859D735255B80946C6ACAA77B4165 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304 -CT = FEC941470CB859D735255B805AC9D552F30CF437 - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405 -CT = FEC941470CB859D735255B8013452A860BA7909E - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = FEC941470CB859D735255B80B2442DA150A68681 - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = FEC941470CB859D735255B803ED1E449FB79040B - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = FEC941470CB859D735255B80F60F7D48775578A3 - -Count = 407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = FEC941470CB859D735255B807D0CAFFBB546E850 - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = FEC941470CB859D735255B803B3532C758B1E233 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B8061D7BBF7C2D08E75 - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B809EC3B90AD882BBA1 - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80D9B77C0AAE21EAE6 - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B8068ED8D2295AD13B2 - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80A83FD7AE0F18AA4F - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80FFE314D154914778 - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B803D4BE1C15D0D9CE4 - -Count = 416 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80CC09CCC0C64660B6 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B801FC472509340FCE5 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80BF6DE293ABF8ACAC - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B800FC755B4C2D371E4 - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80252871CE4B677327 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80F842D4D4E7AD0D02 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80052473FCC8F3B12B - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80DC7A2BE4023EB2D4 - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B806CF7466DE12EE8B3 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80DE6F097431863997 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B8007266A3B34B36E4A - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80C151201D424B124F - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80340667BC6A60C510 - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80F3277D4D481286F3 - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = -CT = FEC941470CB859D735255B80669A87B729D1F56CAC - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00 -CT = FEC941470CB859D735255B806635829E95AC556E01 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001 -CT = FEC941470CB859D735255B80661A9B5D9BEC199580 - -Count = 433 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102 -CT = FEC941470CB859D735255B806615FC843BDB4C425B - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = FEC941470CB859D735255B8066B8B3C9AD3D220419 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = FEC941470CB859D735255B8066761676356955B14B - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = FEC941470CB859D735255B80663F9A89E191FED5E2 - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = FEC941470CB859D735255B80669E9B8EC6CAFFC3FD - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = FEC941470CB859D735255B8066120E472E61204177 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = FEC941470CB859D735255B8066DAD0DE2FED0C3DDF - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = FEC941470CB859D735255B806651D30C9C2F1FAD2C - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = FEC941470CB859D735255B806617EA91A0C2E8A74F - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80664D0818905889CB09 - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B8066B21C1A6D42DBFEDD - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B8066F568DF6D3478AF9A - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B806644322E450FF456CE - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B806684E074C99541EF33 - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B8066D33CB7B6CEC80204 - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B8066119442A6C754D998 - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B8066E0D66FA75C1F25CA - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B8066331BD1370919B999 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B806693B241F431A1E9D0 - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80662318F6D3588A3498 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B806609F7D2A9D13E365B - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B8066D49D77B37DF4487E - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B806629FBD09B52AAF457 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B8066F0A588839867F7A8 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80664028E50A7B77ADCF - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B8066F2B0AA13ABDF7CEB - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80662BF9C95CAEEA2B36 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B8066ED8E837AD8125733 - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B806618D9C4DBF039806C - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B8066DFF8DE2AD24BC38F - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = -CT = FEC941470CB859D735255B80663E379995F290E84795 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = FEC941470CB859D735255B80663E989CBC4EED484538 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = FEC941470CB859D735255B80663EB7857F40AD04BEB9 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = FEC941470CB859D735255B80663EB8E2A6E09A516962 - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = FEC941470CB859D735255B80663E15ADEB767C3F2F20 - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304 -CT = FEC941470CB859D735255B80663EDB0854EE28489A72 - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = FEC941470CB859D735255B80663E9284AB3AD0E3FEDB - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E3385AC1D8BE2E8C4 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663EBF1065F5203D6A4E - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E77CEFCF4AC1116E6 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663EFCCD2E476E028615 - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663EBAF4B37B83F58C76 - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663EE0163A4B1994E030 - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E1F0238B603C6D5E4 - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E5876FDB6756584A3 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663EE92C0C9E4EE97DF7 - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E29FE5612D45CC40A - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E7E22956D8FD5293D - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663EBC8A607D8649F2A1 - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E4DC84D7C1D020EF3 - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E9E05F3EC480492A0 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E3EAC632F70BCC2E9 - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E8E06D40819971FA1 - -Count = 486 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663EA4E9F07290231D62 - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E798355683CE96347 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E84E5F24013B7DF6E - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E5DBBAA58D97ADC91 - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663EED36C7D13A6A86F6 - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E5FAE88C8EAC257D2 - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E86E7EB87EFF7000F - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E4090A1A1990F7C0A - -Count = 494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663EB5C7E600B124AB55 - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E72E6FCF19356E8B6 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = -CT = FEC941470CB859D735255B80663E80CA51659B586156DC - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = FEC941470CB859D735255B80663E8065544C2725C15471 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = FEC941470CB859D735255B80663E804A4D8F29658DAFF0 - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = FEC941470CB859D735255B80663E80452A568952D8782B - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = FEC941470CB859D735255B80663E80E8651B1FB4B63E69 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = FEC941470CB859D735255B80663E8026C0A487E0C18B3B - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = FEC941470CB859D735255B80663E806F4C5B53186AEF92 - -Count = 503 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E80CE4D5C74436BF98D - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E8042D8959CE8B47B07 - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E808A060C9D649807AF - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E800105DE2EA68B975C - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E80473C43124B7C9D3F - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E801DDECA22D11DF179 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E80E2CAC8DFCB4FC4AD - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E80A5BE0DDFBDEC95EA - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E8014E4FCF786606CBE - -Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E80D436A67B1CD5D543 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E8083EA6504475C3874 - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E80414290144EC0E3E8 - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E80B000BD15D58B1FBA - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E8063CD0385808D83E9 - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E80C3649346B835D3A0 - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E8073CE2461D11E0EE8 - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E805921001B58AA0C2B - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E80844BA501F460720E - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E80792D0229DB3ECE27 - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E80A0735A3111F3CDD8 - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E8010FE37B8F2E397BF - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E80A26678A1224B469B - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807B2F1BEE277E1146 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E80BD5851C851866D43 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E80480F166979ADBA1C - -Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E808F2E0C985BDFF9FF - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = FEC941470CB859D735255B80663E807AB39D122E7B101B1A - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = FEC941470CB859D735255B80663E807A1C983B9206B019B7 - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = FEC941470CB859D735255B80663E807A3381F89C46FCE236 - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = FEC941470CB859D735255B80663E807A3CE6213C71A935ED - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A91A96CAA97C773AF - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A5F0CD332C3B0C6FD - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A16802CE63B1BA254 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807AB7812BC1601AB44B - -Count = 537 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A3B14E229CBC536C1 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807AF3CA7B2847E94A69 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A78C9A99B85FADA9A - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A3EF034A7680DD0F9 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A6412BD97F26CBCBF - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A9B06BF6AE83E896B - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807ADC727A6A9E9DD82C - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A6D288B42A5112178 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807AADFAD1CE3FA49885 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807AFA2612B1642D75B2 - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A388EE7A16DB1AE2E - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807AC9CCCAA0F6FA527C - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A1A017430A3FCCE2F - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807ABAA8E4F39B449E66 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A0A0253D4F26F432E - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A20ED77AE7BDB41ED - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807AFD87D2B4D7113FC8 - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A00E1759CF84F83E1 - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807AD9BF2D843282801E - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A6932400DD192DA79 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807ADBAA0F14013A0B5D - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A02E36C5B040F5C80 - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807AC494267D72F72085 - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A31C361DC5ADCF7DA - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807AF6E27B2D78AEB439 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = FEC941470CB859D735255B80663E807A63A849D541118342CC - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63074CFCFD6C234061 - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A6328553FF32C6FBBE0 - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A632732E6531B3A6C3B - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A638A7DABC5FD542A79 - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A6344D8145DA9239F2B - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A630D54EB895188FB82 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63AC55ECAE0A89ED9D - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A6320C02546A1566F17 - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63E81EBC472D7A13BF - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63631D6EF4EF69834C - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A632524F3C8029E892F - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A637FC67AF898FFE569 - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A6380D2780582ADD0BD - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63C7A6BD05F40E81FA - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A6376FC4C2DCF8278AE - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63B62E16A15537C153 - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63E1F2D5DE0EBE2C64 - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63235A20CE0722F7F8 - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D2180DCF9C690BAA - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A6301D5B35FC96F97F9 - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63A17C239CF1D7C7B0 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A6311D694BB98FC1AF8 - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A633B39B0C11148183B - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63E65315DBBD82661E - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A631B35B2F392DCDA37 - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63C26BEAEB5811D9C8 - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A6372E68762BB0183AF - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63C07EC87B6BA9528B - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A631937AB346E9C0556 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63DF40E11218647953 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A632A17A6B3304FAE0C - -Count = 594 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63ED36BC42123DEDEF - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = FEC941470CB859D735255B80663E807A63D56D03C2D7ECE3838B - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D5C206EB6B91438126 - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D5ED1F2865D10F7AA7 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D5E278F1C5E65AAD7C - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D54F37BC530034EB3E - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D5819203CB54435E6C - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D5C81EFC1FACE83AC5 - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D5691FFB38F7E92CDA - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D5E58A32D05C36AE50 - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52D54ABD1D01AD2F8 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D5A65779621209420B - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D5E06EE45EFFFE4868 - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D5BA8C6D6E659F242E - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D545986F937FCD11FA - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D502ECAA93096E40BD - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D5B3B65BBB32E2B9E9 - -Count = 611 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D573640137A8570014 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D524B8C248F3DEED23 - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D5E6103758FA4236BF - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D517521A596109CAED - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D5C49FA4C9340F56BE - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D56436340A0CB706F7 - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D5D49C832D659CDBBF - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D5FE73A757EC28D97C - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52319024D40E2A759 - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D5DE7FA5656FBC1B70 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D50721FD7DA571188F - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D5B7AC90F4466142E8 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D50534DFED96C993CC - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D5DC7DBCA293FCC411 - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D51A0AF684E504B814 - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D5EF5DB125CD2F6F4B - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D5287CABD4EF5D2CA8 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = FEC941470CB859D735255B80663E807A63D52AF436ED08F7854A6A - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A5B33C4B48A2548C7 - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A742A07BACA69B346 - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A7B4DDE1AFD3C649D - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52AD602938C1B5222DF - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A18A72C144F25978D - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A512BD3C0B78EF324 - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52AF02AD4E7EC8FE53B - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A7CBF1D0F475067B1 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52AB461840ECB7C1B19 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A3F6256BD096F8BEA - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A795BCB81E4988189 - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A23B942B17EF9EDCF - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52ADCAD404C64ABD81B - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A9BD9854C1208895C - -Count = 643 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A2A83746429847008 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52AEA512EE8B331C9F5 - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52ABD8DED97E8B824C2 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A7F251887E124FF5E - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A8E6735867A6F030C - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A5DAA8B162F699F5F - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52AFD031BD517D1CF16 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A4DA9ACF27EFA125E - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A67468888F74E109D - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52ABA2C2D925B846EB8 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A474A8ABA74DAD291 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A9E14D2A2BE17D16E - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A2E99BF2B5D078B09 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A9C01F0328DAF5A2D - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A4548937D889A0DF0 - -Count = 658 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A833FD95BFE6271F5 - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A76689EFAD649A6AA - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52AB149840BF43BE549 - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71528442BF6E4962EA - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71FD816B0313E96047 - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71D298A80D53A59BC6 - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71DDFF71AD64F04C1D - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A7170B03C3B829E0A5F - -Count = 666 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71BE1583A3D6E9BF0D - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71F7997C772E42DBA4 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A7156987B507543CDBB - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71DA0DB2B8DE9C4F31 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A7112D32BB952B03399 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A7199D0F90A90A3A36A - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71DFE964367D54A909 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71850BED06E735C54F - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A717A1FEFFBFD67F09B - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A713D6B2AFB8BC4A1DC - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A718C31DBD3B0485888 - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A714CE3815F2AFDE175 - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A711B3F422071740C42 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71D997B73078E8D7DE - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A7128D59A31E3A32B8C - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71FB1824A1B6A5B7DF - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A715BB1B4628E1DE796 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71EB1B0345E7363ADE - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71C1F4273F6E82381D - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A711C9E8225C2484638 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71E1F8250DED16FA11 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A7138A67D1527DBF9EE - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71882B109CC4CBA389 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A713AB35F85146372AD - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71E3FA3CCA11562570 - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71258D76EC67AE5975 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71D0DA314D4F858E2A - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A7117FB2BBC6DF7CDC9 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = FEC941470CB859D735255B80663E807A63D52A7182F7CF78EF4708A1F1 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A718258CA51533AA8A35C - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A718277D3925D7AE458DD - -Count = 697 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A718278B44BFD4DB18F06 - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A7182D5FB066BABDFC944 - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71821B5EB9F3FFA87C16 - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A718252D24627070318BF - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A7182F3D341005C020EA0 - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71827F4688E8F7DD8C2A - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A7182B79811E97BF1F082 - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71823C9BC35AB9E26071 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71827AA25E6654156A12 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71822040D756CE740654 - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A7182DF54D5ABD4263380 - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A7182982010ABA28562C7 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A7182297AE18399099B93 - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A7182E9A8BB0F03BC226E - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A7182BE7478705835CF59 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71827CDC8D6051A914C5 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71828D9EA061CAE2E897 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71825E531EF19FE474C4 - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A7182FEFA8E32A75C248D - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71824E503915CE77F9C5 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A718264BF1D6F47C3FB06 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A7182B9D5B875EB098523 - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A718244B31F5DC457390A - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829DED47450E9A3AF5 - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71822D602ACCED8A6092 - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829FF865D53D22B1B6 - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A718246B1069A3817E66B - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A718280C64CBC4EEF9A6E - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A718275910B1D66C44D31 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A7182B2B011EC44B60ED2 - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F40136AEEE40417C1 - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829FEF16435299A4156C - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829FC00F805CD9E8EEED - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829FCF6859FCEEBD3936 - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F6227146A08D37F74 - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829FAC82ABF25CA4CA26 - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829FE50E5426A40FAE8F - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F440F5301FF0EB890 - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829FC89A9AE954D13A1A - -Count = 736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F004403E8D8FD46B2 - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F8B47D15B1AEED641 - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829FCD7E4C67F719DC22 - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F979CC5576D78B064 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F6888C7AA772A85B0 - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F2FFC02AA0189D4F7 - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F9EA6F3823A052DA3 - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F5E74A90EA0B0945E - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F09A86A71FB397969 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829FCB009F61F2A5A2F5 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F3A42B26069EE5EA7 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829FE98F0CF03CE8C2F4 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F49269C33045092BD - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829FF98C2B146D7B4FF5 - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829FD3630F6EE4CF4D36 - -Count = 751 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0E09AA7448053313 - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829FF36F0D5C675B8F3A - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F2A315544AD968CC5 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F9ABC38CD4E86D6A2 - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F282477D49E2E0786 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829FF16D149B9B1B505B - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F371A5EBDEDE32C5E - -Count = 758 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829FC24D191CC5C8FB01 - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F056C03EDE7BAB8E2 - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BE9115FD98DC24AD6 - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B46147665F062487B - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B690DB56BB02EB3FA - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B666A6CCB877B6421 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BCB25215D61152263 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B05809EC535629731 - -Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B4C0C6111CDC9F398 - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BED0D663696C8E587 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B6198AFDE3D17670D - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BA94636DFB13B1BA5 - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B2245E46C73288B56 - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B647C79509EDF8135 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B3E9EF06004BEED73 - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BC18AF29D1EECD8A7 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B86FE379D684F89E0 - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B37A4C6B553C370B4 - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF7769C39C976C949 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BA0AA5F4692FF247E - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B6202AA569B63FFE2 - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B93408757002803B0 - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B408D39C7552E9FE3 - -Count = 781 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BE024A9046D96CFAA - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B508E1E2304BD12E2 - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B7A613A598D091021 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BA70B9F4321C36E04 - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B5A6D386B0E9DD22D - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B83336073C450D1D2 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B33BE0DFA27408BB5 - -Count = 788 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B812642E3F7E85A91 - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B586F21ACF2DD0D4C - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B9E186B8A84257149 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0B6B4F2C2BAC0EA616 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BAC6E36DA8E7CE5F5 - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF321133DC6BF15EAF6 - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF38E16147AC2B5E85B - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3A10FD77482F913DA - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3AE680ED4B5ACC401 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF30327434253C28243 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3CD82FCDA07B53711 - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3840E030EFF1E53B8 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3250F0429A41F45A7 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3A99ACDC10FC0C72D - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3614454C083ECBB85 - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3EA47867341FF2B76 - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3AC7E1B4FAC082115 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3F69C927F36694D53 - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3098890822C3B7887 - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF34EFC55825A9829C0 - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3FFA6A4AA6114D094 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF33F74FE26FBA16969 - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF368A83D59A028845E - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3AA00C849A9B45FC2 - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF35B42E54832FFA390 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3888F5BD867F93FC3 - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF32826CB1B5F416F8A - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3988C7C3C366AB2C2 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3B2635846BFDEB001 - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF36F09FD5C1314CE24 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3926F5A743C4A720D - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF34B31026CF68771F2 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3FBBC6FE515972B95 - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3492420FCC53FFAB1 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3906D43B3C00AAD6C - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3561A0995B6F2D169 - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3A34D4E349ED90636 - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF3646C54C5BCAB45D5 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C5B28C82D80F3CB89 - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CF42DE191FD53C924 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CDB34229FBD1F32A5 - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD453FB3F8A4AE57E - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C791CB6A96C24A33C - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CB7B909313853166E - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CFE35F6E5C0F872C7 - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C5F34F1C29BF964D8 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD3A1382A3026E652 - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C1B7FA12BBC0A9AFA - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C907C73987E190A09 - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD645EEA493EE006A - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C8CA76794098F6C2C - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C73B3656913DD59F8 - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C34C7A069657E08BF - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C859D51415EF2F1EB - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C454F0BCDC4474816 - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C1293C8B29FCEA521 - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD03B3DA296527EBD - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C217910A30D1982EF - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CF2B4AE33581F1EBC - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C521D3EF060A74EF5 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CE2B789D7098C93BD - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CC858ADAD8038917E - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C153208B72CF2EF5B - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CE854AF9F03AC5372 - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C310AF787C961508D - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C81879A0E2A710AEA - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C331FD517FAD9DBCE - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CEA56B658FFEC8C13 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2C21FC7E8914F016 - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37CD976BBDFA13F2749 - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C1E57A12E834D64AA - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27B83F449CB1372B2C - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27173A6D20CC972981 - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C273823AE2E8CDBD200 - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C273744778EBB8E05DB - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C279A0B3A185DE04399 - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2754AE85800997F6CB - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C271D227A54F13C9262 - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27BC237D73AA3D847D - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2730B6B49B01E206F7 - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27F8682D9A8DCE7A5F - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27736BFF294FDDEAAC - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2735526215A22AE0CF - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C276FB0EB25384B8C89 - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2790A4E9D82219B95D - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27D7D02CD854BAE81A - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27668ADDF06F36114E - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27A658877CF583A8B3 - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27F1844403AE0A4584 - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27332CB113A7969E18 - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27C26E9C123CDD624A - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2711A3228269DBFE19 - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27B10AB2415163AE50 - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2701A0056638487318 - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C272B4F211CB1FC71DB - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27F62584061D360FFE - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C270B43232E3268B3D7 - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27D21D7B36F8A5B028 - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27629016BF1BB5EA4F - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27D00859A6CB1D3B6B - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C2709413AE9CE286CB6 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27CF3670CFB8D010B3 - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C273A61376E90FBC7EC - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27FD402D9FB289840F - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E664EB0E34E4BFDB08 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CBEE2788991FD9A5 - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6E4F7E486D9532224 - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6EB903D26EE06F5FF - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E646DF70B00868B3BD - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6887ACF285C1F06EF - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6C1F630FCA4B46246 - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E660F737DBFFB57459 - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6EC62FE33546AF6D3 - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E624BC6732D8468A7B - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6AFBFB5811A551A88 - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6E98628BDF7A210EB - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6B364A18D6DC37CAD - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E64C70A37077914979 - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E60B0466700132183E - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6BA5E97583ABEE16A - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E67A8CCDD4A00B5897 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E62D500EABFB82B5A0 - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6EFF8FBBBF21E6E3C - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E61EBAD6BA6955926E - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CD77682A3C530E3D - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E66DDEF8E904EB5E74 - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6DD744FCE6DC0833C - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6F79B6BB4E47481FF - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E62AF1CEAE48BEFFDA - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6D797698667E043F3 - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E60EC9319EAD2D400C - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6BE445C174E3D1A6B - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E60CDC130E9E95CB4F - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6D59570419BA09C92 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E613E23A67ED58E097 - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6E6B57DC6C57337C8 - -Count = 924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E621946737E701742B - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC16EAF1576BD8ED2C - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCB9EFD8EB1678EF81 - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC96F61BE556341400 - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC9991C2456161C3DB - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC34DE8FD3870F8599 - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCFA7B304BD37830CB - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCB3F7CF9F2BD35462 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC12F6C8B870D2427D - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC9E630150DB0DC0F7 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC56BD98515721BC5F - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCDDBE4AE295322CAC - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC9B87D7DE78C526CF - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCC1655EEEE2A44A89 - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC3E715C13F8F67F5D - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC790599138E552E1A - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCC85F683BB5D9D74E - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC088D32B72F6C6EB3 - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC5F51F1C874E58384 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC9DF904D87D795818 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC6CBB29D9E632A44A - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBF769749B3343819 - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC1FDF078A8B8C6850 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCAF75B0ADE2A7B518 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC859A94D76B13B7DB - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC58F031CDC7D9C9FE - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCA59696E5E88775D7 - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC7CC8CEFD224A7628 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCCC45A374C15A2C4F - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC7EDDEC6D11F2FD6B - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCA7948F2214C7AAB6 - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC61E3C504623FD6B3 - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC94B482A54A1401EC - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CC539598546866420F - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC9AB6F46C910247FA - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC35B3DDD0ECA24557 - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC1AAA1EDEACEEBED6 - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC15CDC77E9BBB690D - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCB8828AE87DD52F4F - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC7627357029A29A1D - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC3FABCAA4D109FEB4 - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC9EAACD838A08E8AB - -Count = 966 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC123F046B21D76A21 - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCDAE19D6AADFB1689 - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC51E24FD96FE8867A - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC17DBD2E5821F8C19 - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC4D395BD5187EE05F - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCB22D5928022CD58B - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCF5599C28748F84CC - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC44036D004F037D98 - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC84D1378CD5B6C465 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCD30DF4F38E3F2952 - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC11A501E387A3F2CE - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCE0E72CE21CE80E9C - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC332A927249EE92CF - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC938302B17156C286 - -Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC2329B596187D1FCE - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC09C691EC91C91D0D - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCD4AC34F63D036328 - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC29CA93DE125DDF01 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCF094CBC6D890DCFE - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC4019A64F3B808699 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCF281E956EB2857BD - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC2BC88A19EE1D0060 - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCEDBFC03F98E57C65 - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC18E8879EB0CEAB3A - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBCDFC99D6F92BCE8D9 - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B40FE4CF065DC957E - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BEFFB654C187C97D3 - -Count = 993 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BC0E2A64258306C52 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BCF857FE26F65BB89 - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B62CA3274890BFDCB - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BAC6F8DECDD7C4899 - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BE5E3723825D72C30 - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B44E2751F7ED63A2F - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BC877BCF7D509B8A5 - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B00A925F65925C40D - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B8BAAF7459B3654FE - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BCD936A7976C15E9D - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B9771E349ECA032DB - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B6865E1B4F6F2070F - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B2F1124B480515648 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B9E4BD59CBBDDAF1C - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5E998F10216816E1 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B09454C6F7AE1FBD6 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BCBEDB97F737D204A - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B3AAF947EE836DC18 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BE9622AEEBD30404B - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B49CBBA2D85881002 - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BF9610D0AECA3CD4A - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BD38E29706517CF89 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B0EE48C6AC9DDB1AC - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BF3822B42E6830D85 - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B2ADC735A2C4E0E7A - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B9A511ED3CF5E541D - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B28C951CA1FF68539 - -Count = 1020 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BF18032851AC3D2E4 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B37F778A36C3BAEE1 - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6BC2A03F02441079BE - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B058125F366623A5D - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AC550DC80ABDC9E65 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A6A55F53CD67C9CC8 - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A454C363296306749 - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A4A2BEF92A165B092 - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AE764A204470BF6D0 - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A29C11D9C137C4382 - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A604DE248EBD7272B - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AC14CE56FB0D63134 - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A4DD92C871B09B3BE - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A8507B5869725CF16 - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A0E04673555365FE5 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A483DFA09B8C15586 - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A12DF733922A039C0 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AEDCB71C438F20C14 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AAABFB4C44E515D53 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1BE545EC75DDA407 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5ADB371F60EF681DFA - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A8CEBDC1FB4E1F0CD - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A4E43290FBD7D2B51 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5ABF01040E2636D703 - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A6CCCBA9E73304B50 - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5ACC652A5D4B881B19 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A7CCF9D7A22A3C651 - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A5620B900AB17C492 - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A8B4A1C1A07DDBAB7 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A762CBB322883069E - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AAF72E32AE24E0561 - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1FFF8EA3015E5F06 - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AAD67C1BAD1F68E22 - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A742EA2F5D4C3D9FF - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5AB259E8D3A23BA5FA - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A470EAF728A1072A5 - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A802FB583A8623146 - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16129984AAE23DA1FE - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16BD9CAD169F9DA353 - -Count = 1059 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1692856E18DFD158D2 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A169DE2B7B8E8848F09 - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1630ADFA2E0EEAC94B - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16FE0845B65A9D7C19 - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16B784BA62A23618B0 - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A161685BD45F9370EAF - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A169A1074AD52E88C25 - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1652CEEDACDEC4F08D - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16D9CD3F1F1CD7607E - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A169FF4A223F1206A1D - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16C5162B136B41065B - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A163A0229EE7113338F - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A167D76ECEE07B062C8 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16CC2C1DC63C3C9B9C - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A160CFE474AA6892261 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A165B228435FD00CF56 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16998A7125F49C14CA - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1668C85C246FD7E898 - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16BB05E2B43AD174CB - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A161BAC727702692482 - -Count = 1079 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16AB06C5506B42F9CA - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1681E9E12AE2F6FB09 - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A165C8344304E3C852C - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16A1E5E31861623905 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1678BBBB00ABAF3AFA - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16C836D68948BF609D - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A167AAE99909817B1B9 - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A16A3E7FADF9D22E664 - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A166590B0F9EBDA9A61 - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1690C7F758C3F14D3E - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FEC941470CB859D735255B80663E807A63D52A71829F0BF37C27E6CCBC6B5A1657E6EDA9E1830EDD - diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/api.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys/api.h new file mode 100644 index 0000000..32c9622 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.c new file mode 100644 index 0000000..770f568 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.c @@ -0,0 +1,881 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "elephant.h" +#include "internal-keccak.h" +#include "internal-spongent.h" +#include + +aead_cipher_t const dumbo_cipher = { + "Dumbo", + DUMBO_KEY_SIZE, + DUMBO_NONCE_SIZE, + DUMBO_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + dumbo_aead_encrypt, + dumbo_aead_decrypt +}; + +aead_cipher_t const jumbo_cipher = { + "Jumbo", + JUMBO_KEY_SIZE, + JUMBO_NONCE_SIZE, + JUMBO_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + jumbo_aead_encrypt, + jumbo_aead_decrypt +}; + +aead_cipher_t const delirium_cipher = { + "Delirium", + DELIRIUM_KEY_SIZE, + DELIRIUM_NONCE_SIZE, + DELIRIUM_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + delirium_aead_encrypt, + delirium_aead_decrypt +}; + +/** + * \brief Applies the Dumbo LFSR to the mask. + * + * \param out The output mask. + * \param in The input mask. + */ +static void dumbo_lfsr + (unsigned char out[SPONGENT160_STATE_SIZE], + const unsigned char in[SPONGENT160_STATE_SIZE]) +{ + unsigned char temp = + leftRotate3_8(in[0]) ^ (in[3] << 7) ^ (in[13] >> 7); + unsigned index; + for (index = 0; index < SPONGENT160_STATE_SIZE - 1; ++index) + out[index] = in[index + 1]; + out[SPONGENT160_STATE_SIZE - 1] = temp; +} + +/** + * \brief Processes the nonce and associated data for Dumbo. + * + * \param state Points to the Spongent-pi[160] state. + * \param mask Points to the initial mask value. + * \param next Points to the next mask value. + * \param tag Points to the ongoing tag that is being computed. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void dumbo_process_ad + (spongent160_state_t *state, + unsigned char mask[SPONGENT160_STATE_SIZE], + unsigned char next[SPONGENT160_STATE_SIZE], + unsigned char tag[DUMBO_TAG_SIZE], + const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned posn, size; + + /* We need the "previous" and "next" masks in each step. + * Compare the first such values */ + dumbo_lfsr(next, mask); + dumbo_lfsr(next, next); + + /* Absorb the nonce into the state */ + lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); + lw_xor_block(state->B, npub, DUMBO_NONCE_SIZE); + + /* Absorb the rest of the associated data */ + posn = DUMBO_NONCE_SIZE; + while (adlen > 0) { + size = SPONGENT160_STATE_SIZE - posn; + if (size <= adlen) { + /* Process a complete block */ + lw_xor_block(state->B + posn, ad, size); + spongent160_permute(state); + lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state->B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); + dumbo_lfsr(mask, mask); + dumbo_lfsr(next, next); + lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); + posn = 0; + } else { + /* Process the partial block at the end of the associated data */ + size = (unsigned)adlen; + lw_xor_block(state->B + posn, ad, size); + posn += size; + } + ad += size; + adlen -= size; + } + + /* Pad and absorb the final block */ + state->B[posn] ^= 0x01; + spongent160_permute(state); + lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state->B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); +} + +int dumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + spongent160_state_t state; + unsigned char start[SPONGENT160_STATE_SIZE]; + unsigned char mask[SPONGENT160_STATE_SIZE]; + unsigned char next[SPONGENT160_STATE_SIZE]; + unsigned char tag[DUMBO_TAG_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DUMBO_KEY_SIZE); + memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); + spongent160_permute(&state); + memcpy(mask, state.B, DUMBO_KEY_SIZE); + memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Encrypt and authenticate the payload */ + while (mlen >= SPONGENT160_STATE_SIZE) { + /* Encrypt using the current mask */ + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, m, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + memcpy(c, state.B, SPONGENT160_STATE_SIZE); + + /* Authenticate using the next mask */ + dumbo_lfsr(next, mask); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT160_STATE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT160_STATE_SIZE); + c += SPONGENT160_STATE_SIZE; + m += SPONGENT160_STATE_SIZE; + mlen -= SPONGENT160_STATE_SIZE; + } + if (mlen > 0) { + /* Encrypt the last block using the current mask */ + unsigned temp = (unsigned)mlen; + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, m, temp); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + memcpy(c, state.B, temp); + + /* Authenticate the last block using the next mask */ + dumbo_lfsr(next, mask); + state.B[temp] = 0x01; + memset(state.B + temp + 1, 0, SPONGENT160_STATE_SIZE - temp - 1); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT160_STATE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + c += temp; + } else if (*clen != DUMBO_TAG_SIZE) { + /* Pad and authenticate when the last block is aligned */ + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + state.B[0] ^= 0x01; + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + } + + /* Generate the authentication tag */ + memcpy(c, tag, DUMBO_TAG_SIZE); + return 0; +} + +int dumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + spongent160_state_t state; + unsigned char *mtemp = m; + unsigned char start[SPONGENT160_STATE_SIZE]; + unsigned char mask[SPONGENT160_STATE_SIZE]; + unsigned char next[SPONGENT160_STATE_SIZE]; + unsigned char tag[DUMBO_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DUMBO_TAG_SIZE) + return -1; + *mlen = clen - DUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DUMBO_KEY_SIZE); + memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); + spongent160_permute(&state); + memcpy(mask, state.B, DUMBO_KEY_SIZE); + memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Decrypt and authenticate the payload */ + clen -= DUMBO_TAG_SIZE; + while (clen >= SPONGENT160_STATE_SIZE) { + /* Authenticate using the next mask */ + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, c, SPONGENT160_STATE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + + /* Decrypt using the current mask */ + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block_2_src(m, state.B, c, SPONGENT160_STATE_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT160_STATE_SIZE); + c += SPONGENT160_STATE_SIZE; + m += SPONGENT160_STATE_SIZE; + clen -= SPONGENT160_STATE_SIZE; + } + if (clen > 0) { + /* Authenticate the last block using the next mask */ + unsigned temp = (unsigned)clen; + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, c, temp); + state.B[temp] ^= 0x01; + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + + /* Decrypt the last block using the current mask */ + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, temp); + lw_xor_block_2_src(m, state.B, c, temp); + c += temp; + } else if (*mlen != 0) { + /* Pad and authenticate when the last block is aligned */ + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + state.B[0] ^= 0x01; + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, tag, c, DUMBO_TAG_SIZE); +} + +/** + * \brief Applies the Jumbo LFSR to the mask. + * + * \param out The output mask. + * \param in The input mask. + */ +static void jumbo_lfsr + (unsigned char out[SPONGENT176_STATE_SIZE], + const unsigned char in[SPONGENT176_STATE_SIZE]) +{ + unsigned char temp = + leftRotate1_8(in[0]) ^ (in[3] << 7) ^ (in[19] >> 7); + unsigned index; + for (index = 0; index < SPONGENT176_STATE_SIZE - 1; ++index) + out[index] = in[index + 1]; + out[SPONGENT176_STATE_SIZE - 1] = temp; +} + +/** + * \brief Processes the nonce and associated data for Jumbo. + * + * \param state Points to the Spongent-pi[170] state. + * \param mask Points to the initial mask value. + * \param next Points to the next mask value. + * \param tag Points to the ongoing tag that is being computed. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void jumbo_process_ad + (spongent176_state_t *state, + unsigned char mask[SPONGENT176_STATE_SIZE], + unsigned char next[SPONGENT176_STATE_SIZE], + unsigned char tag[JUMBO_TAG_SIZE], + const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned posn, size; + + /* We need the "previous" and "next" masks in each step. + * Compare the first such values */ + jumbo_lfsr(next, mask); + jumbo_lfsr(next, next); + + /* Absorb the nonce into the state */ + lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); + lw_xor_block(state->B, npub, JUMBO_NONCE_SIZE); + + /* Absorb the rest of the associated data */ + posn = JUMBO_NONCE_SIZE; + while (adlen > 0) { + size = SPONGENT176_STATE_SIZE - posn; + if (size <= adlen) { + /* Process a complete block */ + lw_xor_block(state->B + posn, ad, size); + spongent176_permute(state); + lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state->B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); + jumbo_lfsr(mask, mask); + jumbo_lfsr(next, next); + lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); + posn = 0; + } else { + /* Process the partial block at the end of the associated data */ + size = (unsigned)adlen; + lw_xor_block(state->B + posn, ad, size); + posn += size; + } + ad += size; + adlen -= size; + } + + /* Pad and absorb the final block */ + state->B[posn] ^= 0x01; + spongent176_permute(state); + lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state->B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); +} + +int jumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + spongent176_state_t state; + unsigned char start[SPONGENT176_STATE_SIZE]; + unsigned char mask[SPONGENT176_STATE_SIZE]; + unsigned char next[SPONGENT176_STATE_SIZE]; + unsigned char tag[JUMBO_TAG_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + JUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, JUMBO_KEY_SIZE); + memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); + spongent176_permute(&state); + memcpy(mask, state.B, JUMBO_KEY_SIZE); + memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Encrypt and authenticate the payload */ + while (mlen >= SPONGENT176_STATE_SIZE) { + /* Encrypt using the current mask */ + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, m, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + memcpy(c, state.B, SPONGENT176_STATE_SIZE); + + /* Authenticate using the next mask */ + jumbo_lfsr(next, mask); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT176_STATE_SIZE); + c += SPONGENT176_STATE_SIZE; + m += SPONGENT176_STATE_SIZE; + mlen -= SPONGENT176_STATE_SIZE; + } + if (mlen > 0) { + /* Encrypt the last block using the current mask */ + unsigned temp = (unsigned)mlen; + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, m, temp); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + memcpy(c, state.B, temp); + + /* Authenticate the last block using the next mask */ + jumbo_lfsr(next, mask); + state.B[temp] = 0x01; + memset(state.B + temp + 1, 0, SPONGENT176_STATE_SIZE - temp - 1); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + c += temp; + } else if (*clen != JUMBO_TAG_SIZE) { + /* Pad and authenticate when the last block is aligned */ + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + state.B[0] ^= 0x01; + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + } + + /* Generate the authentication tag */ + memcpy(c, tag, JUMBO_TAG_SIZE); + return 0; +} + +int jumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + spongent176_state_t state; + unsigned char *mtemp = m; + unsigned char start[SPONGENT176_STATE_SIZE]; + unsigned char mask[SPONGENT176_STATE_SIZE]; + unsigned char next[SPONGENT176_STATE_SIZE]; + unsigned char tag[JUMBO_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < JUMBO_TAG_SIZE) + return -1; + *mlen = clen - JUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, JUMBO_KEY_SIZE); + memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); + spongent176_permute(&state); + memcpy(mask, state.B, JUMBO_KEY_SIZE); + memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Decrypt and authenticate the payload */ + clen -= JUMBO_TAG_SIZE; + while (clen >= SPONGENT176_STATE_SIZE) { + /* Authenticate using the next mask */ + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, c, SPONGENT176_STATE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + + /* Decrypt using the current mask */ + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block_2_src(m, state.B, c, SPONGENT176_STATE_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT176_STATE_SIZE); + c += SPONGENT176_STATE_SIZE; + m += SPONGENT176_STATE_SIZE; + clen -= SPONGENT176_STATE_SIZE; + } + if (clen > 0) { + /* Authenticate the last block using the next mask */ + unsigned temp = (unsigned)clen; + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, c, temp); + state.B[temp] ^= 0x01; + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + + /* Decrypt the last block using the current mask */ + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, temp); + lw_xor_block_2_src(m, state.B, c, temp); + c += temp; + } else if (*mlen != 0) { + /* Pad and authenticate when the last block is aligned */ + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + state.B[0] ^= 0x01; + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, tag, c, JUMBO_TAG_SIZE); +} + +/** + * \brief Applies the Delirium LFSR to the mask. + * + * \param out The output mask. + * \param in The input mask. + */ +static void delirium_lfsr + (unsigned char out[KECCAKP_200_STATE_SIZE], + const unsigned char in[KECCAKP_200_STATE_SIZE]) +{ + unsigned char temp = + leftRotate1_8(in[0]) ^ leftRotate1_8(in[2]) ^ (in[13] << 1); + unsigned index; + for (index = 0; index < KECCAKP_200_STATE_SIZE - 1; ++index) + out[index] = in[index + 1]; + out[KECCAKP_200_STATE_SIZE - 1] = temp; +} + +/** + * \brief Processes the nonce and associated data for Delirium. + * + * \param state Points to the Keccak[200] state. + * \param mask Points to the initial mask value. + * \param next Points to the next mask value. + * \param tag Points to the ongoing tag that is being computed. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void delirium_process_ad + (keccakp_200_state_t *state, + unsigned char mask[KECCAKP_200_STATE_SIZE], + unsigned char next[KECCAKP_200_STATE_SIZE], + unsigned char tag[DELIRIUM_TAG_SIZE], + const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned posn, size; + + /* We need the "previous" and "next" masks in each step. + * Compare the first such values */ + delirium_lfsr(next, mask); + delirium_lfsr(next, next); + + /* Absorb the nonce into the state */ + lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); + lw_xor_block(state->B, npub, DELIRIUM_NONCE_SIZE); + + /* Absorb the rest of the associated data */ + posn = DELIRIUM_NONCE_SIZE; + while (adlen > 0) { + size = KECCAKP_200_STATE_SIZE - posn; + if (size <= adlen) { + /* Process a complete block */ + lw_xor_block(state->B + posn, ad, size); + keccakp_200_permute(state, 18); + lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); + delirium_lfsr(mask, mask); + delirium_lfsr(next, next); + lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); + posn = 0; + } else { + /* Process the partial block at the end of the associated data */ + size = (unsigned)adlen; + lw_xor_block(state->B + posn, ad, size); + posn += size; + } + ad += size; + adlen -= size; + } + + /* Pad and absorb the final block */ + state->B[posn] ^= 0x01; + keccakp_200_permute(state, 18); + lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); +} + +int delirium_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + keccakp_200_state_t state; + unsigned char start[KECCAKP_200_STATE_SIZE]; + unsigned char mask[KECCAKP_200_STATE_SIZE]; + unsigned char next[KECCAKP_200_STATE_SIZE]; + unsigned char tag[DELIRIUM_TAG_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DELIRIUM_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DELIRIUM_KEY_SIZE); + memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE); + keccakp_200_permute(&state, 18); + memcpy(mask, state.B, DELIRIUM_KEY_SIZE); + memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + delirium_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Encrypt and authenticate the payload */ + while (mlen >= KECCAKP_200_STATE_SIZE) { + /* Encrypt using the current mask */ + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, m, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + memcpy(c, state.B, KECCAKP_200_STATE_SIZE); + + /* Authenticate using the next mask */ + delirium_lfsr(next, mask); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, KECCAKP_200_STATE_SIZE); + c += KECCAKP_200_STATE_SIZE; + m += KECCAKP_200_STATE_SIZE; + mlen -= KECCAKP_200_STATE_SIZE; + } + if (mlen > 0) { + /* Encrypt the last block using the current mask */ + unsigned temp = (unsigned)mlen; + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, m, temp); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + memcpy(c, state.B, temp); + + /* Authenticate the last block using the next mask */ + delirium_lfsr(next, mask); + state.B[temp] = 0x01; + memset(state.B + temp + 1, 0, KECCAKP_200_STATE_SIZE - temp - 1); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + c += temp; + } else if (*clen != DELIRIUM_TAG_SIZE) { + /* Pad and authenticate when the last block is aligned */ + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + state.B[0] ^= 0x01; + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + } + + /* Generate the authentication tag */ + memcpy(c, tag, DELIRIUM_TAG_SIZE); + return 0; +} + +int delirium_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + keccakp_200_state_t state; + unsigned char *mtemp = m; + unsigned char start[KECCAKP_200_STATE_SIZE]; + unsigned char mask[KECCAKP_200_STATE_SIZE]; + unsigned char next[KECCAKP_200_STATE_SIZE]; + unsigned char tag[DELIRIUM_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DELIRIUM_TAG_SIZE) + return -1; + *mlen = clen - DELIRIUM_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DELIRIUM_KEY_SIZE); + memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE); + keccakp_200_permute(&state, 18); + memcpy(mask, state.B, DELIRIUM_KEY_SIZE); + memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + delirium_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Decrypt and authenticate the payload */ + clen -= DELIRIUM_TAG_SIZE; + while (clen >= KECCAKP_200_STATE_SIZE) { + /* Authenticate using the next mask */ + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, c, KECCAKP_200_STATE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + + /* Decrypt using the current mask */ + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block_2_src(m, state.B, c, KECCAKP_200_STATE_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, KECCAKP_200_STATE_SIZE); + c += KECCAKP_200_STATE_SIZE; + m += KECCAKP_200_STATE_SIZE; + clen -= KECCAKP_200_STATE_SIZE; + } + if (clen > 0) { + /* Authenticate the last block using the next mask */ + unsigned temp = (unsigned)clen; + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, c, temp); + state.B[temp] ^= 0x01; + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + + /* Decrypt the last block using the current mask */ + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, temp); + lw_xor_block_2_src(m, state.B, c, temp); + c += temp; + } else if (*mlen != 0) { + /* Pad and authenticate when the last block is aligned */ + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + state.B[0] ^= 0x01; + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, tag, c, DELIRIUM_TAG_SIZE); +} diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.h new file mode 100644 index 0000000..f775e3d --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.h @@ -0,0 +1,291 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ELEPHANT_H +#define LWCRYPTO_ELEPHANT_H + +#include "aead-common.h" + +/** + * \file elephant.h + * \brief Elephant authenticated encryption algorithm family. + * + * Elephant is a family of authenticated encryption algorithms based + * around the Spongent-pi and Keccak permutations. + * + * \li Dumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication + * tag. It is based around the Spongent-pi[160] permutation. This is + * the primary member of the family. + * \li Jumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication + * tag. It is based around the Spongent-pi[176] permutation. + * \li Delirium has a 128-bit key, a 96-bit nonce, and a 128-bit authentication + * tag. It is based around the Keccak[200] permutation. + * + * References: https://www.esat.kuleuven.be/cosic/elephant/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Dumbo. + */ +#define DUMBO_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Dumbo. + */ +#define DUMBO_TAG_SIZE 8 + +/** + * \brief Size of the nonce for Dumbo. + */ +#define DUMBO_NONCE_SIZE 12 + +/** + * \brief Size of the key for Jumbo. + */ +#define JUMBO_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Jumbo. + */ +#define JUMBO_TAG_SIZE 8 + +/** + * \brief Size of the nonce for Jumbo. + */ +#define JUMBO_NONCE_SIZE 12 + +/** + * \brief Size of the key for Delirium. + */ +#define DELIRIUM_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Delirium. + */ +#define DELIRIUM_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Delirium. + */ +#define DELIRIUM_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Dumbo cipher. + */ +extern aead_cipher_t const dumbo_cipher; + +/** + * \brief Meta-information block for the Jumbo cipher. + */ +extern aead_cipher_t const jumbo_cipher; + +/** + * \brief Meta-information block for the Delirium cipher. + */ +extern aead_cipher_t const delirium_cipher; + +/** + * \brief Encrypts and authenticates a packet with Dumbo. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa dumbo_aead_decrypt() + */ +int dumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Dumbo. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa dumbo_aead_encrypt() + */ +int dumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Jumbo. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa jumbo_aead_decrypt() + */ +int jumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Jumbo. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa jumbo_aead_encrypt() + */ +int jumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Delirium. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa delirium_aead_decrypt() + */ +int delirium_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Delirium. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa delirium_aead_encrypt() + */ +int delirium_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/encrypt.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys/encrypt.c new file mode 100644 index 0000000..89b60ae --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "elephant.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return jumbo_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return jumbo_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.c new file mode 100644 index 0000000..c3c4011 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.c @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-keccak.h" + +/* Faster method to compute ((x + y) % 5) that avoids the division */ +static unsigned char const addMod5Table[9] = { + 0, 1, 2, 3, 4, 0, 1, 2, 3 +}; +#define addMod5(x, y) (addMod5Table[(x) + (y)]) + +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +{ + static uint8_t const RC[18] = { + 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, + 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, + 0x02, 0x80 + }; + uint8_t B[5][5]; + uint8_t D; + unsigned round; + unsigned index, index2; + for (round = 18 - rounds; round < 18; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_8(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate4_8(state->A[0][3]); + B[2][0] = leftRotate1_8(state->A[0][1]); + B[3][0] = leftRotate3_8(state->A[0][4]); + B[4][0] = leftRotate6_8(state->A[0][2]); + B[0][1] = leftRotate4_8(state->A[1][1]); + B[1][1] = leftRotate4_8(state->A[1][4]); + B[2][1] = leftRotate6_8(state->A[1][2]); + B[3][1] = leftRotate4_8(state->A[1][0]); + B[4][1] = leftRotate7_8(state->A[1][3]); + B[0][2] = leftRotate3_8(state->A[2][2]); + B[1][2] = leftRotate3_8(state->A[2][0]); + B[2][2] = leftRotate1_8(state->A[2][3]); + B[3][2] = leftRotate2_8(state->A[2][1]); + B[4][2] = leftRotate7_8(state->A[2][4]); + B[0][3] = leftRotate5_8(state->A[3][3]); + B[1][3] = leftRotate5_8(state->A[3][1]); + B[2][3] = state->A[3][4]; + B[3][3] = leftRotate7_8(state->A[3][2]); + B[4][3] = leftRotate1_8(state->A[3][0]); + B[0][4] = leftRotate6_8(state->A[4][4]); + B[1][4] = leftRotate5_8(state->A[4][2]); + B[2][4] = leftRotate2_8(state->A[4][0]); + B[3][4] = state->A[4][3]; + B[4][4] = leftRotate2_8(state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define keccakp_400_permute_host keccakp_400_permute +#endif + +/* Keccak-p[400] that assumes that the input is already in host byte order */ +void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) +{ + static uint16_t const RC[20] = { + 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, + 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, + 0x8002, 0x0080, 0x800A, 0x000A + }; + uint16_t B[5][5]; + uint16_t D; + unsigned round; + unsigned index, index2; + for (round = 20 - rounds; round < 20; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_16(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate12_16(state->A[0][3]); + B[2][0] = leftRotate1_16 (state->A[0][1]); + B[3][0] = leftRotate11_16(state->A[0][4]); + B[4][0] = leftRotate14_16(state->A[0][2]); + B[0][1] = leftRotate12_16(state->A[1][1]); + B[1][1] = leftRotate4_16 (state->A[1][4]); + B[2][1] = leftRotate6_16 (state->A[1][2]); + B[3][1] = leftRotate4_16 (state->A[1][0]); + B[4][1] = leftRotate7_16 (state->A[1][3]); + B[0][2] = leftRotate11_16(state->A[2][2]); + B[1][2] = leftRotate3_16 (state->A[2][0]); + B[2][2] = leftRotate9_16 (state->A[2][3]); + B[3][2] = leftRotate10_16(state->A[2][1]); + B[4][2] = leftRotate7_16 (state->A[2][4]); + B[0][3] = leftRotate5_16 (state->A[3][3]); + B[1][3] = leftRotate13_16(state->A[3][1]); + B[2][3] = leftRotate8_16 (state->A[3][4]); + B[3][3] = leftRotate15_16(state->A[3][2]); + B[4][3] = leftRotate9_16 (state->A[3][0]); + B[0][4] = leftRotate14_16(state->A[4][4]); + B[1][4] = leftRotate13_16(state->A[4][2]); + B[2][4] = leftRotate2_16 (state->A[4][0]); + B[3][4] = leftRotate8_16 (state->A[4][3]); + B[4][4] = leftRotate2_16 (state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if !defined(LW_UTIL_LITTLE_ENDIAN) + +/** + * \brief Reverses the bytes in a Keccak-p[400] state. + * + * \param state The Keccak-p[400] state to apply byte-reversal to. + */ +static void keccakp_400_reverse_bytes(keccakp_400_state_t *state) +{ + unsigned index; + unsigned char temp1; + unsigned char temp2; + for (index = 0; index < 50; index += 2) { + temp1 = state->B[index]; + temp2 = state->B[index + 1]; + state->B[index] = temp2; + state->B[index + 1] = temp1; + } +} + +/* Keccak-p[400] that requires byte reversal on input and output */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) +{ + keccakp_400_reverse_bytes(state); + keccakp_400_permute_host(state, rounds); + keccakp_400_reverse_bytes(state); +} + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.h new file mode 100644 index 0000000..026da50 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KECCAK_H +#define LW_INTERNAL_KECCAK_H + +#include "internal-util.h" + +/** + * \file internal-keccak.h + * \brief Internal implementation of the Keccak-p permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for the Keccak-p[200] permutation. + */ +#define KECCAKP_200_STATE_SIZE 25 + +/** + * \brief Size of the state for the Keccak-p[400] permutation. + */ +#define KECCAKP_400_STATE_SIZE 50 + +/** + * \brief Structure of the internal state of the Keccak-p[200] permutation. + */ +typedef union +{ + uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ + uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ + +} keccakp_200_state_t; + +/** + * \brief Structure of the internal state of the Keccak-p[400] permutation. + */ +typedef union +{ + uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ + uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ + +} keccakp_400_state_t; + +/** + * \brief Permutes the Keccak-p[200] state. + * + * \param state The Keccak-p[200] state to be permuted. + * \param rounds The number of rounds to perform (up to 18). + */ +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); + +/** + * \brief Permutes the Keccak-p[400] state, which is assumed to be in + * little-endian byte order. + * + * \param state The Keccak-p[400] state to be permuted. + * \param rounds The number of rounds to perform (up to 20). + */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.c new file mode 100644 index 0000000..69a8ecb --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.c @@ -0,0 +1,346 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-spongent.h" + +/** + * \brief Applies the Spongent-pi S-box in parallel to the 8 nibbles + * of a 32-bit word. + * + * \param x3 The input values to the parallel S-boxes. + * + * \return The output values from the parallel S-boxes. + * + * Based on the bit-sliced S-box implementation from here: + * https://github.com/DadaIsCrazy/usuba/blob/master/data/sboxes/spongent.ua + * + * Note that spongent.ua numbers bits from highest to lowest, so x0 is the + * high bit of each nibble and x3 is the low bit. + */ +static uint32_t spongent_sbox(uint32_t x3) +{ + uint32_t q0, q1, q2, q3, t0, t1, t2, t3; + uint32_t x2 = (x3 >> 1); + uint32_t x1 = (x2 >> 1); + uint32_t x0 = (x1 >> 1); + q0 = x0 ^ x2; + q1 = x1 ^ x2; + t0 = q0 & q1; + q2 = ~(x0 ^ x1 ^ x3 ^ t0); + t1 = q2 & ~x0; + q3 = x1 ^ t1; + t2 = q3 & (q3 ^ x2 ^ x3 ^ t0); + t3 = (x2 ^ t0) & ~(x1 ^ t0); + q0 = x1 ^ x2 ^ x3 ^ t2; + q1 = x0 ^ x2 ^ x3 ^ t0 ^ t1; + q2 = x0 ^ x1 ^ x2 ^ t1; + q3 = x0 ^ x3 ^ t0 ^ t3; + return ((q0 << 3) & 0x88888888U) | ((q1 << 2) & 0x44444444U) | + ((q2 << 1) & 0x22222222U) | (q3 & 0x11111111U); +} + +void spongent160_permute(spongent160_state_t *state) +{ + static uint8_t const RC[] = { + /* Round constants for Spongent-pi[160] */ + 0x75, 0xae, 0x6a, 0x56, 0x54, 0x2a, 0x29, 0x94, + 0x53, 0xca, 0x27, 0xe4, 0x4f, 0xf2, 0x1f, 0xf8, + 0x3e, 0x7c, 0x7d, 0xbe, 0x7a, 0x5e, 0x74, 0x2e, + 0x68, 0x16, 0x50, 0x0a, 0x21, 0x84, 0x43, 0xc2, + 0x07, 0xe0, 0x0e, 0x70, 0x1c, 0x38, 0x38, 0x1c, + 0x71, 0x8e, 0x62, 0x46, 0x44, 0x22, 0x09, 0x90, + 0x12, 0x48, 0x24, 0x24, 0x49, 0x92, 0x13, 0xc8, + 0x26, 0x64, 0x4d, 0xb2, 0x1b, 0xd8, 0x36, 0x6c, + 0x6d, 0xb6, 0x5a, 0x5a, 0x35, 0xac, 0x6b, 0xd6, + 0x56, 0x6a, 0x2d, 0xb4, 0x5b, 0xda, 0x37, 0xec, + 0x6f, 0xf6, 0x5e, 0x7a, 0x3d, 0xbc, 0x7b, 0xde, + 0x76, 0x6e, 0x6c, 0x36, 0x58, 0x1a, 0x31, 0x8c, + 0x63, 0xc6, 0x46, 0x62, 0x0d, 0xb0, 0x1a, 0x58, + 0x34, 0x2c, 0x69, 0x96, 0x52, 0x4a, 0x25, 0xa4, + 0x4b, 0xd2, 0x17, 0xe8, 0x2e, 0x74, 0x5d, 0xba, + 0x3b, 0xdc, 0x77, 0xee, 0x6e, 0x76, 0x5c, 0x3a, + 0x39, 0x9c, 0x73, 0xce, 0x66, 0x66, 0x4c, 0x32, + 0x19, 0x98, 0x32, 0x4c, 0x65, 0xa6, 0x4a, 0x52, + 0x15, 0xa8, 0x2a, 0x54, 0x55, 0xaa, 0x2b, 0xd4, + 0x57, 0xea, 0x2f, 0xf4, 0x5f, 0xfa, 0x3f, 0xfc + }; + const uint8_t *rc = RC; + uint32_t x0, x1, x2, x3, x4; + uint32_t t0, t1, t2, t3, t4; + uint8_t round; + + /* Load the state into local variables and convert from little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = state->W[0]; + x1 = state->W[1]; + x2 = state->W[2]; + x3 = state->W[3]; + x4 = state->W[4]; +#else + x0 = le_load_word32(state->B); + x1 = le_load_word32(state->B + 4); + x2 = le_load_word32(state->B + 8); + x3 = le_load_word32(state->B + 12); + x4 = le_load_word32(state->B + 16); +#endif + + /* Perform the 80 rounds of Spongent-pi[160] */ + for (round = 0; round < 80; ++round, rc += 2) { + /* Add the round constant to front and back of the state */ + x0 ^= rc[0]; + x4 ^= ((uint32_t)(rc[1])) << 24; + + /* Apply the S-box to all 4-bit groups in the state */ + t0 = spongent_sbox(x0); + t1 = spongent_sbox(x1); + t2 = spongent_sbox(x2); + t3 = spongent_sbox(x3); + t4 = spongent_sbox(x4); + + /* Permute the bits of the state. Bit i is moved to (40 * i) % 159 + * for all bits except the last which is left where it is. + * BCP = bit copy, BUP = move bit up, BDN = move bit down */ + #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit))) + #define BUP(x, from, to) \ + (((x) << ((to) - (from))) & (((uint32_t)1) << (to))) + #define BDN(x, from, to) \ + (((x) >> ((from) - (to))) & (((uint32_t)1) << (to))) + x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ + BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ + BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ + BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ + BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ + BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ + BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ + BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ + BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ + BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ + BUP(t3, 24, 30) ^ BUP(t3, 28, 31); + x1 = BUP(t0, 1, 8) ^ BUP(t0, 5, 9) ^ BUP(t0, 9, 10) ^ + BDN(t0, 13, 11) ^ BDN(t0, 17, 12) ^ BDN(t0, 21, 13) ^ + BDN(t0, 25, 14) ^ BDN(t0, 29, 15) ^ BUP(t1, 1, 16) ^ + BUP(t1, 5, 17) ^ BUP(t1, 9, 18) ^ BUP(t1, 13, 19) ^ + BUP(t1, 17, 20) ^ BCP(t1, 21) ^ BDN(t1, 25, 22) ^ + BDN(t1, 29, 23) ^ BUP(t2, 1, 24) ^ BUP(t2, 5, 25) ^ + BUP(t2, 9, 26) ^ BUP(t2, 13, 27) ^ BUP(t2, 17, 28) ^ + BUP(t2, 21, 29) ^ BUP(t2, 25, 30) ^ BUP(t2, 29, 31) ^ + BCP(t4, 0) ^ BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ + BDN(t4, 12, 3) ^ BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ + BDN(t4, 24, 6) ^ BDN(t4, 28, 7); + x2 = BUP(t0, 2, 16) ^ BUP(t0, 6, 17) ^ BUP(t0, 10, 18) ^ + BUP(t0, 14, 19) ^ BUP(t0, 18, 20) ^ BDN(t0, 22, 21) ^ + BDN(t0, 26, 22) ^ BDN(t0, 30, 23) ^ BUP(t1, 2, 24) ^ + BUP(t1, 6, 25) ^ BUP(t1, 10, 26) ^ BUP(t1, 14, 27) ^ + BUP(t1, 18, 28) ^ BUP(t1, 22, 29) ^ BUP(t1, 26, 30) ^ + BUP(t1, 30, 31) ^ BDN(t3, 1, 0) ^ BDN(t3, 5, 1) ^ + BDN(t3, 9, 2) ^ BDN(t3, 13, 3) ^ BDN(t3, 17, 4) ^ + BDN(t3, 21, 5) ^ BDN(t3, 25, 6) ^ BDN(t3, 29, 7) ^ + BUP(t4, 1, 8) ^ BUP(t4, 5, 9) ^ BUP(t4, 9, 10) ^ + BDN(t4, 13, 11) ^ BDN(t4, 17, 12) ^ BDN(t4, 21, 13) ^ + BDN(t4, 25, 14) ^ BDN(t4, 29, 15); + x3 = BUP(t0, 3, 24) ^ BUP(t0, 7, 25) ^ BUP(t0, 11, 26) ^ + BUP(t0, 15, 27) ^ BUP(t0, 19, 28) ^ BUP(t0, 23, 29) ^ + BUP(t0, 27, 30) ^ BCP(t0, 31) ^ BDN(t2, 2, 0) ^ + BDN(t2, 6, 1) ^ BDN(t2, 10, 2) ^ BDN(t2, 14, 3) ^ + BDN(t2, 18, 4) ^ BDN(t2, 22, 5) ^ BDN(t2, 26, 6) ^ + BDN(t2, 30, 7) ^ BUP(t3, 2, 8) ^ BUP(t3, 6, 9) ^ + BCP(t3, 10) ^ BDN(t3, 14, 11) ^ BDN(t3, 18, 12) ^ + BDN(t3, 22, 13) ^ BDN(t3, 26, 14) ^ BDN(t3, 30, 15) ^ + BUP(t4, 2, 16) ^ BUP(t4, 6, 17) ^ BUP(t4, 10, 18) ^ + BUP(t4, 14, 19) ^ BUP(t4, 18, 20) ^ BDN(t4, 22, 21) ^ + BDN(t4, 26, 22) ^ BDN(t4, 30, 23); + x4 = BDN(t1, 3, 0) ^ BDN(t1, 7, 1) ^ BDN(t1, 11, 2) ^ + BDN(t1, 15, 3) ^ BDN(t1, 19, 4) ^ BDN(t1, 23, 5) ^ + BDN(t1, 27, 6) ^ BDN(t1, 31, 7) ^ BUP(t2, 3, 8) ^ + BUP(t2, 7, 9) ^ BDN(t2, 11, 10) ^ BDN(t2, 15, 11) ^ + BDN(t2, 19, 12) ^ BDN(t2, 23, 13) ^ BDN(t2, 27, 14) ^ + BDN(t2, 31, 15) ^ BUP(t3, 3, 16) ^ BUP(t3, 7, 17) ^ + BUP(t3, 11, 18) ^ BUP(t3, 15, 19) ^ BUP(t3, 19, 20) ^ + BDN(t3, 23, 21) ^ BDN(t3, 27, 22) ^ BDN(t3, 31, 23) ^ + BUP(t4, 3, 24) ^ BUP(t4, 7, 25) ^ BUP(t4, 11, 26) ^ + BUP(t4, 15, 27) ^ BUP(t4, 19, 28) ^ BUP(t4, 23, 29) ^ + BUP(t4, 27, 30) ^ BCP(t4, 31); + } + + /* Store the local variables back to the state in little-endian order */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = x0; + state->W[1] = x1; + state->W[2] = x2; + state->W[3] = x3; + state->W[4] = x4; +#else + le_store_word32(state->B, x0); + le_store_word32(state->B + 4, x1); + le_store_word32(state->B + 8, x2); + le_store_word32(state->B + 12, x3); + le_store_word32(state->B + 16, x4); +#endif +} + +void spongent176_permute(spongent176_state_t *state) +{ + static uint8_t const RC[] = { + /* Round constants for Spongent-pi[176] */ + 0x45, 0xa2, 0x0b, 0xd0, 0x16, 0x68, 0x2c, 0x34, + 0x59, 0x9a, 0x33, 0xcc, 0x67, 0xe6, 0x4e, 0x72, + 0x1d, 0xb8, 0x3a, 0x5c, 0x75, 0xae, 0x6a, 0x56, + 0x54, 0x2a, 0x29, 0x94, 0x53, 0xca, 0x27, 0xe4, + 0x4f, 0xf2, 0x1f, 0xf8, 0x3e, 0x7c, 0x7d, 0xbe, + 0x7a, 0x5e, 0x74, 0x2e, 0x68, 0x16, 0x50, 0x0a, + 0x21, 0x84, 0x43, 0xc2, 0x07, 0xe0, 0x0e, 0x70, + 0x1c, 0x38, 0x38, 0x1c, 0x71, 0x8e, 0x62, 0x46, + 0x44, 0x22, 0x09, 0x90, 0x12, 0x48, 0x24, 0x24, + 0x49, 0x92, 0x13, 0xc8, 0x26, 0x64, 0x4d, 0xb2, + 0x1b, 0xd8, 0x36, 0x6c, 0x6d, 0xb6, 0x5a, 0x5a, + 0x35, 0xac, 0x6b, 0xd6, 0x56, 0x6a, 0x2d, 0xb4, + 0x5b, 0xda, 0x37, 0xec, 0x6f, 0xf6, 0x5e, 0x7a, + 0x3d, 0xbc, 0x7b, 0xde, 0x76, 0x6e, 0x6c, 0x36, + 0x58, 0x1a, 0x31, 0x8c, 0x63, 0xc6, 0x46, 0x62, + 0x0d, 0xb0, 0x1a, 0x58, 0x34, 0x2c, 0x69, 0x96, + 0x52, 0x4a, 0x25, 0xa4, 0x4b, 0xd2, 0x17, 0xe8, + 0x2e, 0x74, 0x5d, 0xba, 0x3b, 0xdc, 0x77, 0xee, + 0x6e, 0x76, 0x5c, 0x3a, 0x39, 0x9c, 0x73, 0xce, + 0x66, 0x66, 0x4c, 0x32, 0x19, 0x98, 0x32, 0x4c, + 0x65, 0xa6, 0x4a, 0x52, 0x15, 0xa8, 0x2a, 0x54, + 0x55, 0xaa, 0x2b, 0xd4, 0x57, 0xea, 0x2f, 0xf4, + 0x5f, 0xfa, 0x3f, 0xfc + }; + const uint8_t *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5; + uint32_t t0, t1, t2, t3, t4, t5; + uint8_t round; + + /* Load the state into local variables and convert from little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = state->W[0]; + x1 = state->W[1]; + x2 = state->W[2]; + x3 = state->W[3]; + x4 = state->W[4]; + x5 = state->W[5]; +#else + x0 = le_load_word32(state->B); + x1 = le_load_word32(state->B + 4); + x2 = le_load_word32(state->B + 8); + x3 = le_load_word32(state->B + 12); + x4 = le_load_word32(state->B + 16); + x5 = le_load_word16(state->B + 20); /* Last word is only 16 bits */ +#endif + + /* Perform the 90 rounds of Spongent-pi[176] */ + for (round = 0; round < 90; ++round, rc += 2) { + /* Add the round constant to front and back of the state */ + x0 ^= rc[0]; + x5 ^= ((uint32_t)(rc[1])) << 8; + + /* Apply the S-box to all 4-bit groups in the state */ + t0 = spongent_sbox(x0); + t1 = spongent_sbox(x1); + t2 = spongent_sbox(x2); + t3 = spongent_sbox(x3); + t4 = spongent_sbox(x4); + t5 = spongent_sbox(x5); + + /* Permute the bits of the state. Bit i is moved to (44 * i) % 175 + * for all bits except the last which is left where it is. + * BCP = bit copy, BUP = move bit up, BDN = move bit down */ + x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ + BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ + BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ + BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ + BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ + BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ + BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ + BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ + BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ + BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ + BUP(t3, 24, 30) ^ BUP(t3, 28, 31); + x1 = BUP(t0, 1, 12) ^ BUP(t0, 5, 13) ^ BUP(t0, 9, 14) ^ + BUP(t0, 13, 15) ^ BDN(t0, 17, 16) ^ BDN(t0, 21, 17) ^ + BDN(t0, 25, 18) ^ BDN(t0, 29, 19) ^ BUP(t1, 1, 20) ^ + BUP(t1, 5, 21) ^ BUP(t1, 9, 22) ^ BUP(t1, 13, 23) ^ + BUP(t1, 17, 24) ^ BUP(t1, 21, 25) ^ BUP(t1, 25, 26) ^ + BDN(t1, 29, 27) ^ BUP(t2, 1, 28) ^ BUP(t2, 5, 29) ^ + BUP(t2, 9, 30) ^ BUP(t2, 13, 31) ^ BCP(t4, 0) ^ + BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ BDN(t4, 12, 3) ^ + BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ BDN(t4, 24, 6) ^ + BDN(t4, 28, 7) ^ BUP(t5, 0, 8) ^ BUP(t5, 4, 9) ^ + BUP(t5, 8, 10) ^ BDN(t5, 12, 11); + x2 = BUP(t0, 2, 24) ^ BUP(t0, 6, 25) ^ BUP(t0, 10, 26) ^ + BUP(t0, 14, 27) ^ BUP(t0, 18, 28) ^ BUP(t0, 22, 29) ^ + BUP(t0, 26, 30) ^ BUP(t0, 30, 31) ^ BDN(t2, 17, 0) ^ + BDN(t2, 21, 1) ^ BDN(t2, 25, 2) ^ BDN(t2, 29, 3) ^ + BUP(t3, 1, 4) ^ BCP(t3, 5) ^ BDN(t3, 9, 6) ^ + BDN(t3, 13, 7) ^ BDN(t3, 17, 8) ^ BDN(t3, 21, 9) ^ + BDN(t3, 25, 10) ^ BDN(t3, 29, 11) ^ BUP(t4, 1, 12) ^ + BUP(t4, 5, 13) ^ BUP(t4, 9, 14) ^ BUP(t4, 13, 15) ^ + BDN(t4, 17, 16) ^ BDN(t4, 21, 17) ^ BDN(t4, 25, 18) ^ + BDN(t4, 29, 19) ^ BUP(t5, 1, 20) ^ BUP(t5, 5, 21) ^ + BUP(t5, 9, 22) ^ BUP(t5, 13, 23); + x3 = BDN(t1, 2, 0) ^ BDN(t1, 6, 1) ^ BDN(t1, 10, 2) ^ + BDN(t1, 14, 3) ^ BDN(t1, 18, 4) ^ BDN(t1, 22, 5) ^ + BDN(t1, 26, 6) ^ BDN(t1, 30, 7) ^ BUP(t2, 2, 8) ^ + BUP(t2, 6, 9) ^ BCP(t2, 10) ^ BDN(t2, 14, 11) ^ + BDN(t2, 18, 12) ^ BDN(t2, 22, 13) ^ BDN(t2, 26, 14) ^ + BDN(t2, 30, 15) ^ BUP(t3, 2, 16) ^ BUP(t3, 6, 17) ^ + BUP(t3, 10, 18) ^ BUP(t3, 14, 19) ^ BUP(t3, 18, 20) ^ + BDN(t3, 22, 21) ^ BDN(t3, 26, 22) ^ BDN(t3, 30, 23) ^ + BUP(t4, 2, 24) ^ BUP(t4, 6, 25) ^ BUP(t4, 10, 26) ^ + BUP(t4, 14, 27) ^ BUP(t4, 18, 28) ^ BUP(t4, 22, 29) ^ + BUP(t4, 26, 30) ^ BUP(t4, 30, 31); + x4 = BUP(t0, 3, 4) ^ BDN(t0, 7, 5) ^ BDN(t0, 11, 6) ^ + BDN(t0, 15, 7) ^ BDN(t0, 19, 8) ^ BDN(t0, 23, 9) ^ + BDN(t0, 27, 10) ^ BDN(t0, 31, 11) ^ BUP(t1, 3, 12) ^ + BUP(t1, 7, 13) ^ BUP(t1, 11, 14) ^ BCP(t1, 15) ^ + BDN(t1, 19, 16) ^ BDN(t1, 23, 17) ^ BDN(t1, 27, 18) ^ + BDN(t1, 31, 19) ^ BUP(t2, 3, 20) ^ BUP(t2, 7, 21) ^ + BUP(t2, 11, 22) ^ BUP(t2, 15, 23) ^ BUP(t2, 19, 24) ^ + BUP(t2, 23, 25) ^ BDN(t2, 27, 26) ^ BDN(t2, 31, 27) ^ + BUP(t3, 3, 28) ^ BUP(t3, 7, 29) ^ BUP(t3, 11, 30) ^ + BUP(t3, 15, 31) ^ BDN(t5, 2, 0) ^ BDN(t5, 6, 1) ^ + BDN(t5, 10, 2) ^ BDN(t5, 14, 3); + x5 = BDN(t3, 19, 0) ^ BDN(t3, 23, 1) ^ BDN(t3, 27, 2) ^ + BDN(t3, 31, 3) ^ BUP(t4, 3, 4) ^ BDN(t4, 7, 5) ^ + BDN(t4, 11, 6) ^ BDN(t4, 15, 7) ^ BDN(t4, 19, 8) ^ + BDN(t4, 23, 9) ^ BDN(t4, 27, 10) ^ BDN(t4, 31, 11) ^ + BUP(t5, 3, 12) ^ BUP(t5, 7, 13) ^ BUP(t5, 11, 14) ^ + BCP(t5, 15); + } + + /* Store the local variables back to the state in little-endian order */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = x0; + state->W[1] = x1; + state->W[2] = x2; + state->W[3] = x3; + state->W[4] = x4; + state->W[5] = x5; +#else + le_store_word32(state->B, x0); + le_store_word32(state->B + 4, x1); + le_store_word32(state->B + 8, x2); + le_store_word32(state->B + 12, x3); + le_store_word32(state->B + 16, x4); + le_store_word16(state->B + 20, x5); /* Last word is only 16 bits */ +#endif +} diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.h new file mode 100644 index 0000000..bb9823f --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.h @@ -0,0 +1,91 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPONGENT_H +#define LW_INTERNAL_SPONGENT_H + +#include "internal-util.h" + +/** + * \file internal-spongent.h + * \brief Internal implementation of the Spongent-pi permutation. + * + * References: https://www.esat.kuleuven.be/cosic/elephant/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the Spongent-pi[160] state in bytes. + */ +#define SPONGENT160_STATE_SIZE 20 + +/** + * \brief Size of the Spongent-pi[176] state in bytes. + */ +#define SPONGENT176_STATE_SIZE 22 + +/** + * \brief Structure of the internal state of the Spongent-pi[160] permutation. + */ +typedef union +{ + uint32_t W[5]; /**< Spongent-pi[160] state as 32-bit words */ + uint8_t B[20]; /**< Spongent-pi[160] state as bytes */ + +} spongent160_state_t; + +/** + * \brief Structure of the internal state of the Spongent-pi[176] permutation. + * + * Note: The state is technically only 176 bits, but we increase it to + * 192 bits so that we can use 32-bit word operations to manipulate the + * state. The extra bits in the last word are fixed to zero. + */ +typedef union +{ + uint32_t W[6]; /**< Spongent-pi[176] state as 32-bit words */ + uint8_t B[24]; /**< Spongent-pi[176] state as bytes */ + +} spongent176_state_t; + +/** + * \brief Permutes the Spongent-pi[160] state. + * + * \param state The Spongent-pi[160] state to be permuted. + */ +void spongent160_permute(spongent160_state_t *state); + +/** + * \brief Permutes the Spongent-pi[176] state. + * + * \param state The Spongent-pi[176] state to be permuted. + */ +void spongent176_permute(spongent176_state_t *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-util.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant200v1/LWC_AEAD_KAT_128_96.txt b/elephant/Implementations/crypto_aead/elephant200v1/LWC_AEAD_KAT_128_96.txt new file mode 100644 index 0000000..1b18aca --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/LWC_AEAD_KAT_128_96.txt @@ -0,0 +1,7623 @@ +Count = 1 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = +CT = F15ACBDAAD35B3172B71A67F6D61743E + +Count = 2 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00 +CT = 34A51A359BB2BC6E0FD2FE971A8F2E9A + +Count = 3 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 0001 +CT = F1B7119EE3E759F50B23D20CC34F3BD2 + +Count = 4 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102 +CT = 68668A3627C7D4FCE5DB770CFDE3B4C6 + +Count = 5 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00010203 +CT = 65B32A1FF4548BD6C3E880D1F8D29832 + +Count = 6 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 0001020304 +CT = 89AEEE9C5A7E3377C3EF1623AC8C18BE + +Count = 7 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405 +CT = F06E6E2DCCAC2B1BE87AA1694A954B85 + +Count = 8 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00010203040506 +CT = 7CDE5DB1EACAAE1AED428BB7DA7346A2 + +Count = 9 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 0001020304050607 +CT = 3EF470DA12441DE00B4AF48B299DB5EF + +Count = 10 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708 +CT = 6687F92C696A4E9DA87EA41DAA51081D + +Count = 11 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 00010203040506070809 +CT = CAE0E7766CAEB7E14A8238415E21C48B + +Count = 12 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A +CT = F86A1C0AD98EADBDCA619A3419A6F380 + +Count = 13 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B +CT = 1A27A16634EA15F59B8FBB62CB06BDBC + +Count = 14 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C +CT = B7297B7DB06F6F4DDE9AE6AC0C8302E5 + +Count = 15 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D +CT = B25A050247EE077E52117FEEA4B955E3 + +Count = 16 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E +CT = 360B5CB0CCC1914211DFD65EF1B1F3EF + +Count = 17 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F +CT = F8D62F1384C3258A6E3483766F70B9C3 + +Count = 18 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2359560C641B5CDACDED28D9C0A45D81 + +Count = 19 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = EBBA4DE56CE76EA0F20B9D6199580005 + +Count = 20 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 1801ADDB77E9E798539E8FB1A490FFA5 + +Count = 21 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 49813ED636C0C4E8741F443FCCD307CC + +Count = 22 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 1BB1ED7F0316E62419057968808702C9 + +Count = 23 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 1E7F9010BDDD33A3CAE79E98C5A4334A + +Count = 24 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 3689CC310FEF5C2ACDA4E1E44C2671D5 + +Count = 25 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 5423B3217C804E5539A1B1FD84FE52BB + +Count = 26 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 1CAEB31F7DE27243E3C99374C555631F + +Count = 27 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = D38C9AD6399301C284F71AA7C4717C80 + +Count = 28 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = A2740607BD980E459E521974E8993835 + +Count = 29 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 9B3760AC69587B865CE014ED915CAB1B + +Count = 30 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = ABE9B4A89C7036B3E64BD759ECEC52A2 + +Count = 31 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = F3921ACC6526F09CE880E05B1C3D5F1D + +Count = 32 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = C56C67DBE9684B200DC84DEE046022BC + +Count = 33 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 5AAE347244FA223539C5F9379B16775D + +Count = 34 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = +CT = 75F797289653F5E1F298E281E32386CFCC + +Count = 35 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00 +CT = 753268F9796572EE8BBC41D90B54689568 + +Count = 36 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 0001 +CT = 75F77AF2D21D270B10B8B0F5908DA88020 + +Count = 37 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102 +CT = 756EAB697AD907861956485090B3040F34 + +Count = 38 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00010203 +CT = 75637EC9530A94D933707BA74DB63523C0 + +Count = 39 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 0001020304 +CT = 758F630DD0A4BE6192707C31BFE26BA34C + +Count = 40 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405 +CT = 75F6A38D61326C79FE5BE986F50472F077 + +Count = 41 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00010203040506 +CT = 757A13BEFD140AFCFF5ED1AC2B9494FD50 + +Count = 42 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 0001020304050607 +CT = 7538399396EC844F05B8D9D317677A0E1D + +Count = 43 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708 +CT = 75604A1A6097AA1C781BED8381E4B6B3EF + +Count = 44 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 00010203040506070809 +CT = 75CC2D043A926EE504F9111FDD10C67F79 + +Count = 45 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A +CT = 75FEA7FF46274EFF5879F2BDA857414872 + +Count = 46 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B +CT = 751CEA422ACA2A4710281C9CFE85E1064E + +Count = 47 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C +CT = 75B1E498314EAF3DA86D09C1304264B917 + +Count = 48 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D +CT = 75B497E64EB92E559BE1825872EA5EEE11 + +Count = 49 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E +CT = 7530C6BFFC3201C3A7A24CF1C2BF56481D + +Count = 50 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75FE1BCC5F7A03776FDDA7A4EA21970231 + +Count = 51 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 752594B5409ADB0E3F7E7E0F458E43E673 + +Count = 52 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75ED77AEA992273C454198BAFDD7BFBBF7 + +Count = 53 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 751ECC4E978929B57DE00DA82DEA774457 + +Count = 54 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 754F4CDD9AC800960DC78C63A38234BC3E + +Count = 55 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 751D7C0E33FDD6B4C1AA965EF4CE60B93B + +Count = 56 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 7518B2735C431D61467974B9048B4388B8 + +Count = 57 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 7530442F7DF12F0ECF7E37C67802C1CA27 + +Count = 58 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 7552EE506D82401CB08A329661CA19E949 + +Count = 59 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 751A635053832220A6505AB4E88BB2D8ED + +Count = 60 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75D541799AC753532737643D3B8A96C772 + +Count = 61 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75A4B9E54B43585CA02DC13EE8A67E83C7 + +Count = 62 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 759DFA83E097982963EF733371DFBB10E9 + +Count = 63 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75AD2457E462B0645655D8F0C5A20BE950 + +Count = 64 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F55FF9809BE6A2795B13C7C752DAE4EF + +Count = 65 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75C3A1849717A819C5BE5B6A724A87994E + +Count = 66 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 755C63D73EBA3A70D08A56DEABD5F1CCAF + +Count = 67 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = +CT = 75F8800643012C02E88E68F12495367A7CBF + +Count = 68 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00 +CT = 75F845F992EE1A85E7F74C527C7D4194261B + +Count = 69 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 0001 +CT = 75F880EB994562D0026C48A350E698543353 + +Count = 70 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102 +CT = 75F8193A02EDA6F08F65A65BF5E6A6F8BC47 + +Count = 71 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00010203 +CT = 75F814EFA2C47563D04F8068023BA3C990B3 + +Count = 72 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 0001020304 +CT = 75F8F8F26647DB4968EE806F94C9F797103F + +Count = 73 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405 +CT = 75F88132E6F64D9B7082ABFA2383118E4304 + +Count = 74 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00010203040506 +CT = 75F80D82D56A6BFDF583AEC2095D81684E23 + +Count = 75 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 0001020304050607 +CT = 75F84FA8F8019373467948CA76617286BD6E + +Count = 76 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708 +CT = 75F817DB71F7E85D1504EBFE26F7F14A009C + +Count = 77 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 00010203040506070809 +CT = 75F8BBBC6FADED99EC780902BAAB053ACC0A + +Count = 78 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A +CT = 75F8893694D158B9F62489E118DE42BDFB01 + +Count = 79 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B +CT = 75F86B7B29BDB5DD4E6CD80F3988901DB53D + +Count = 80 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C +CT = 75F8C675F3A6315834D49D1A644657980A64 + +Count = 81 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D +CT = 75F8C3068DD9C6D95CE71191FD04FFA25D62 + +Count = 82 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E +CT = 75F84757D46B4DF6CADB525F54B4AAAAFB6E + +Count = 83 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8898AA7C805F47E132DB4019C346BB142 + +Count = 84 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F85205DED7E52C07438E6DAA339BBF5500 + +Count = 85 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F89AE6C53EEDD03539B18B1F8BC2430884 + +Count = 86 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8695D2500F6DEBC01101E0D5BFF8BF724 + +Count = 87 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F838DDB60DB7F79F71379FC6D597C80F4D + +Count = 88 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F86AED65A48221BDBD5A85FB82DB9C0A48 + +Count = 89 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F86F2318CB3CEA683A89671C729EBF3BCB + +Count = 90 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F847D544EA8ED807B38E24630E173D7954 + +Count = 91 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8257F3BFAFDB715CC7A213317DFE55A3A + +Count = 92 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F86DF23BC4FCD529DAA049119E9E4E6B9E + +Count = 93 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8A2D0120DB8A45A5BC777984D9F6A7401 + +Count = 94 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8D3288EDC3CAF55DCDDD29B9EB38230B4 + +Count = 95 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8EA6BE877E86F201F1F609607CA47A39A + +Count = 96 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8DAB53C731D476D2AA5CB55B3B7F75A23 + +Count = 97 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F882CE9217E411AB05AB0062B14726579C + +Count = 98 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8B430EF00685F10B94E48CF045F7B2A3D + +Count = 99 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F82BF2BCA9C5CD79AC7A457BDDC00D7FDC + +Count = 100 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = +CT = 75F8BD3516DE07D6044CA2EDC2B2770E1DA70A + +Count = 101 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00 +CT = 75F8BDF0E90FE8E08343DBC961EA9F79F3FDAE + +Count = 102 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 0001 +CT = 75F8BD35FB044398D6A640CD90C604A033E8E6 + +Count = 103 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102 +CT = 75F8BDAC2A9FEB5CF62B49236863049E9F67F2 + +Count = 104 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00010203 +CT = 75F8BDA1FF3FC28F657463055B94D99BAE4B06 + +Count = 105 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 0001020304 +CT = 75F8BD4DE2FB41214FCCC2055C022BCFF0CB8A + +Count = 106 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405 +CT = 75F8BD34227BF0B79DD4AE2EC9B56129E998B1 + +Count = 107 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00010203040506 +CT = 75F8BDB892486C91FB51AF2BF19FBFB90F9596 + +Count = 108 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 0001020304050607 +CT = 75F8BDFAB865076975E255CDF9E0834AE166DB + +Count = 109 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708 +CT = 75F8BDA2CBECF1125BB1286ECDB015C92DDB29 + +Count = 110 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 00010203040506070809 +CT = 75F8BD0EACF2AB179F48548C312C493D5D17BF + +Count = 111 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A +CT = 75F8BD3C2609D7A2BF52080CD28E3C7ADA20B4 + +Count = 112 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B +CT = 75F8BDDE6BB4BB4FDBEA405D3CAF6AA87A6E88 + +Count = 113 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C +CT = 75F8BD73656EA0CB5E90F81829F2A46FFFD1D1 + +Count = 114 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD761610DF3CDFF8CB94A26BE6C7C586D7 + +Count = 115 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BDF247496DB7F06EF7D76CC25692CD20DB + +Count = 116 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD3C9A3ACEFFF2DA3FA887977E0C0C6AF7 + +Count = 117 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BDE71543D11F2AA36F0B5E3CD1A3D88EB5 + +Count = 118 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD2FF6583817D6911534B88969FA24D331 + +Count = 119 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BDDC4DB8060CD8182D952D9BB9C7EC2C91 + +Count = 120 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD8DCD2B0B4DF13B5DB2AC5037AFAFD4F8 + +Count = 121 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BDDFFDF8A278271991DFB66D60E3FBD1FD + +Count = 122 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BDDA3385CDC6ECCC160C548A90A6D8E07E + +Count = 123 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BDF2C5D9EC74DEA39F0B17F5EC2F5AA2E1 + +Count = 124 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD906FA6FC07B1B1E0FF12A5F5E782818F + +Count = 125 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BDD8E2A6C206D38DF6257A877CA629B02B + +Count = 126 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD17C08F0B42A2FE7742440EAFA70DAFB4 + +Count = 127 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD663813DAC6A9F1F058E10D7C8BE5EB01 + +Count = 128 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD5F7B7571126984339A5300E5F220782F + +Count = 129 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD6FA5A175E741C90620F8C3518F908196 + +Count = 130 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD37DE0F111E170F292E33F4537F418C29 + +Count = 131 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD012072069259B495CB7B59E6671CF188 + +Count = 132 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD9EE221AF3FCBDD80FF76ED3FF86AA469 + +Count = 133 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = +CT = 75F8BD7F52BDA7B96A4B5D488D71E517A1DC1495 + +Count = 134 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00 +CT = 75F8BD7F974276565CCC5231A9D2BDFFD6324E31 + +Count = 135 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 0001 +CT = 75F8BD7F52507DFD2499B7AAAD2391640FF25B79 + +Count = 136 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102 +CT = 75F8BD7FCB81E655E0B93AA343DB3464315ED46D + +Count = 137 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00010203 +CT = 75F8BD7FC654467C332A658965E8C3B9346FF899 + +Count = 138 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 0001020304 +CT = 75F8BD7F2A4982FF9D00DD2865EF554B60317815 + +Count = 139 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405 +CT = 75F8BD7F5389024E0BD2C5444E7AE20186282B2E + +Count = 140 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00010203040506 +CT = 75F8BD7FDF3931D22DB440454B42C8DF16CE2609 + +Count = 141 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 0001020304050607 +CT = 75F8BD7F9D131CB9D53AF3BFAD4AB7E3E520D544 + +Count = 142 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708 +CT = 75F8BD7FC560954FAE14A0C20E7EE77566EC68B6 + +Count = 143 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 00010203040506070809 +CT = 75F8BD7F69078B15ABD059BEEC827B29929CA420 + +Count = 144 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A +CT = 75F8BD7F5B8D70691EF043E26C61D95CD51B932B + +Count = 145 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B +CT = 75F8BD7FB9C0CD05F394FBAA3D8FF80A07BBDD17 + +Count = 146 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F14CE171E77118112789AA5C4C03E624E + +Count = 147 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F11BD69618090E921F4113C8668043548 + +Count = 148 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F95EC30D30BBF7F1DB7DF95363D0C9344 + +Count = 149 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F5B31437043BDCBD5C834C01EA3CDD968 + +Count = 150 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F80BE3A6FA365B2856BED6BB10C193D2A + +Count = 151 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F485D2186AB9980FF540BDE0955E560AE + +Count = 152 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7FBBE6C1B8B09709C7F59ECCD9682D9F0E + +Count = 153 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7FEA6652B5F1BE2AB7D21F0757006E6767 + +Count = 154 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7FB856811CC468087BBF053A004C3A6262 + +Count = 155 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7FBD98FC737AA3DDFC6CE7DDF0091953E1 + +Count = 156 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F956EA052C891B2756BA4A28C809B117E + +Count = 157 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7FF7C4DF42BBFEA00A9FA1F29548433210 + +Count = 158 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7FBF49DF7CBA9C9C1C45C9D01C09E803B4 + +Count = 159 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F706BF6B5FEEDEF9D22F759CF08CC1C2B + +Count = 160 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F01936A647AE6E01A38525A1C2424589E + +Count = 161 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F38D00CCFAE2695D9FAE057855DE1CBB0 + +Count = 162 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F080ED8CB5B0ED8EC404B943120513209 + +Count = 163 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F507576AFA2581EC34E80A333D0803FB6 + +Count = 164 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F668B0BB82E16A57FABC80E86C8DD4217 + +Count = 165 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7FF94958118384CC6A9FC5BA5F57AB17F6 + +Count = 166 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = +CT = 75F8BD7F4713632EDC7CD5ADE3F56280918D754F0F + +Count = 167 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00 +CT = 75F8BD7F47D69CFF334A52A29AD1C1D879FA9B15AB + +Count = 168 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 0001 +CT = 75F8BD7F47138EF49832074701D530F4E2235B00E3 + +Count = 169 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102 +CT = 75F8BD7F478A5F6F30F627CA083BC851E21DF78FF7 + +Count = 170 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00010203 +CT = 75F8BD7F47878ACF1925B495221DFBA63F18C6A303 + +Count = 171 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 0001020304 +CT = 75F8BD7F476B970B9A8B9E2D831DFC30CD4C98238F + +Count = 172 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405 +CT = 75F8BD7F4712578B2B1D4C35EF36698787AA8170B4 + +Count = 173 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00010203040506 +CT = 75F8BD7F479EE7B8B73B2AB0EE3351AD593A677D93 + +Count = 174 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 0001020304050607 +CT = 75F8BD7F47DCCD95DCC3A40314D559D265C9898EDE + +Count = 175 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708 +CT = 75F8BD7F4784BE1C2AB88A5069766D82F34A45332C + +Count = 176 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 00010203040506070809 +CT = 75F8BD7F4728D90270BD4EA91594911EAFBE35FFBA + +Count = 177 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A +CT = 75F8BD7F471A53F90C086EB3491472BCDAF9B2C8B1 + +Count = 178 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B +CT = 75F8BD7F47F81E4460E50A0B01459C9D8C2B12868D + +Count = 179 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4755109E7B618F71B90089C042EC9739D4 + +Count = 180 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F475063E004960E198A8C02590044AD6ED2 + +Count = 181 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F47D432B9B61D218FB6CFCCF0B011A5C8DE + +Count = 182 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F471AEFCA1555233B7EB027A5988F6482F2 + +Count = 183 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F47C160B30AB5FB422E13FE0E3720B066B0 + +Count = 184 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F470983A8E3BD0770542C18BB8F794C3B34 + +Count = 185 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F47FA3848DDA609F96C8D8DA95F4484C494 + +Count = 186 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F47ABB8DBD0E720DA1CAA0C62D12CC73CFD + +Count = 187 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F47F9880879D2F6F8D0C7165F86609339F8 + +Count = 188 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F47FC4675166C3D2D5714F4B87625B0087B + +Count = 189 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F47D4B02937DE0F42DE13B7C70AAC324AE4 + +Count = 190 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F47B61A5627AD6050A1E7B2971364EA698A + +Count = 191 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F47FE975619AC026CB73DDAB59A2541582E + +Count = 192 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4731B57FD0E8731F365AE43C49246547B1 + +Count = 193 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F47404DE3016C7810B140413F9A088D0304 + +Count = 194 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F47790E85AAB8B8657282F332037148902A + +Count = 195 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4749D051AE4D9028473858F1B70CF86993 + +Count = 196 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4711ABFFCAB4C6EE683693C6B5FC29642C + +Count = 197 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F47275582DD388855D4D3DB6B00E474198D + +Count = 198 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F47B897D174951A3CC1E7D6DFD97B024C6C + +Count = 199 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = +CT = 75F8BD7F4702B4A392153FB14CC7B698E976C1B4204A + +Count = 200 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00 +CT = 75F8BD7F4702715C43FA093643BE923BB19EB65A7AEE + +Count = 201 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 0001 +CT = 75F8BD7F4702B44E48517163A62596CA9D056F9A6FA6 + +Count = 202 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102 +CT = 75F8BD7F47022D9FD3F9B5432B2C783238055136E0B2 + +Count = 203 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00010203 +CT = 75F8BD7F4702204A73D066D074065E01CFD85407CC46 + +Count = 204 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 0001020304 +CT = 75F8BD7F4702CC57B753C8FACCA75E06592A00594CCA + +Count = 205 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405 +CT = 75F8BD7F4702B59737E25E28D4CB7593EE60E6401FF1 + +Count = 206 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00010203040506 +CT = 75F8BD7F47023927047E784E51CA70ABC4BE76A612D6 + +Count = 207 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 0001020304050607 +CT = 75F8BD7F47027B0D291580C0E23096A3BB828548E19B + +Count = 208 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708 +CT = 75F8BD7F4702237EA0E3FBEEB14D3597EB1406845C69 + +Count = 209 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 00010203040506070809 +CT = 75F8BD7F47028F19BEB9FE2A4831D76B7748F2F490FF + +Count = 210 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A +CT = 75F8BD7F4702BD9345C54B0A526D5788D53DB573A7F4 + +Count = 211 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B +CT = 75F8BD7F47025FDEF8A9A66EEA250666F46B67D3E9C8 + +Count = 212 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702F2D022B222EB909D4373A9A5A0565691 + +Count = 213 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702F7A35CCDD56AF8AECFF830E7086C0197 + +Count = 214 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F470273F2057F5E456E928C3699575D64A79B + +Count = 215 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702BD2F76DC1647DA5AF3DDCC7FC3A5EDB7 + +Count = 216 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F470266A00FC3F69FA30A500467D06C7109F5 + +Count = 217 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702AE43142AFE6391706FE2D268358D5471 + +Count = 218 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F47025DF8F414E56D1848CE77C0B80845ABD1 + +Count = 219 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F47020C786719A4443B38E9F60B36600653B8 + +Count = 220 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F47025E48B4B0919219F484EC36612C5256BD + +Count = 221 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F47025B86C9DF2F59CC73570ED1916971673E + +Count = 222 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702737095FE9D6BA3FA504DAEEDE0F325A1 + +Count = 223 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F470211DAEAEEEE04B185A448FEF4282B06CF + +Count = 224 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F47025957EAD0EF668D937E20DC7D6980376B + +Count = 225 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F47029675C319AB17FE12191E55AE68A428F4 + +Count = 226 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702E78D5FC82F1CF19503BB567D444C6C41 + +Count = 227 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702DECE3963FBDC8456C1095BE43D89FF6F + +Count = 228 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EE10ED670EF4C9637BA29850403906D6 + +Count = 229 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702B66B4303F7A20F4C7569AF52B0E80B69 + +Count = 230 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F470280953E147BECB4F0902102E7A8B576C8 + +Count = 231 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F47021F576DBDD67EDDE5A42CB63E37C32329 + +Count = 232 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = +CT = 75F8BD7F4702EA437F55891181F70BDE51D1422E2BA8FE + +Count = 233 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00 +CT = 75F8BD7F4702EA868084662706F872FAF289AA59C5F25A + +Count = 234 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 0001 +CT = 75F8BD7F4702EA43928FCD5F531DE9FE03A5318005E712 + +Count = 235 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102 +CT = 75F8BD7F4702EADA4314659B7390E010FB0031BEA96806 + +Count = 236 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00010203 +CT = 75F8BD7F4702EAD796B44C48E0CFCA36C8F7ECBB9844F2 + +Count = 237 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 0001020304 +CT = 75F8BD7F4702EA3B8B70CFE6CA776B36CF611EEFC6C47E + +Count = 238 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405 +CT = 75F8BD7F4702EA424BF07E70186F071D5AD65409DF9745 + +Count = 239 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00010203040506 +CT = 75F8BD7F4702EACEFBC3E2567EEA061862FC8A99399A62 + +Count = 240 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 0001020304050607 +CT = 75F8BD7F4702EA8CD1EE89AEF059FCFE6A83B66AD7692F + +Count = 241 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708 +CT = 75F8BD7F4702EAD4A2677FD5DE0A815D5ED320E91BD4DD + +Count = 242 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA78C57925D01AF3FDBFA24F7C1D6B184B + +Count = 243 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA4A4F8259653AE9A13F41ED095AEC2F40 + +Count = 244 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EAA8023F35885E51E96EAFCC5F884C617C + +Count = 245 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA050CE52E0CDB2B512BBA91914FC9DE25 + +Count = 246 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA007F9B51FB5A4362A73108D3E7F38923 + +Count = 247 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA842EC2E37075D55EE4FFA163B2FB2F2F + +Count = 248 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA4AF3B140387761969B14F44B2C3A6503 + +Count = 249 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA917CC85FD8AF18C638CD5FE483EE8141 + +Count = 250 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA599FD3B6D0532ABC072BEA5CDA12DCC5 + +Count = 251 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EAAA243388CB5DA384A6BEF88CE7DA2365 + +Count = 252 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EAFBA4A0858A7480F4813F33028F99DB0C + +Count = 253 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EAA994732CBFA2A238EC250E55C3CDDE09 + +Count = 254 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EAAC5A0E43016977BF3FC7E9A586EEEF8A + +Count = 255 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA84AC5262B35B1836388496D90F6CAD15 + +Count = 256 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EAE6062D72C0340A49CC81C6C0C7B48E7B + +Count = 257 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EAAE8B2D4CC156365F16E9E449861FBFDF + +Count = 258 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA61A90485852745DE71D76D9A873BA040 + +Count = 259 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA10519854012C4A596B726E49ABD3E4F5 + +Count = 260 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA2912FEFFD5EC3F9AA9C063D0D21677DB + +Count = 261 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA19CC2AFB20C472AF136BA064AFA68E62 + +Count = 262 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA41B7849FD992B4801DA097665F7783DD + +Count = 263 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA7749F98855DC0F3CF8E83AD3472AFE7C + +Count = 264 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EAE88BAA21F84E6629CCE58E0AD85CAB9D + +Count = 265 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = +CT = 75F8BD7F4702EA536D5F65A0813549A46484341041EB4E4D + +Count = 266 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00 +CT = 75F8BD7F4702EA53A8A0B44FB7B246DD40276CF8360514E9 + +Count = 267 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 0001 +CT = 75F8BD7F4702EA536DB2BFE4CFE7A34644D64063EFC501A1 + +Count = 268 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102 +CT = 75F8BD7F4702EA53F463244C0BC72E4FAA2EE563D1698EB5 + +Count = 269 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00010203 +CT = 75F8BD7F4702EA53F9B68465D85471658C1D12BED458A241 + +Count = 270 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 0001020304 +CT = 75F8BD7F4702EA5315AB40E6767EC9C48C1A844C800622CD + +Count = 271 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405 +CT = 75F8BD7F4702EA536C6BC057E0ACD1A8A78F3306661F71F6 + +Count = 272 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00010203040506 +CT = 75F8BD7F4702EA53E0DBF3CBC6CA54A9A2B719D8F6F97CD1 + +Count = 273 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 0001020304050607 +CT = 75F8BD7F4702EA53A2F1DEA03E44E75344BF66E405178F9C + +Count = 274 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708 +CT = 75F8BD7F4702EA53FA825756456AB42EE78B367286DB326E + +Count = 275 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA5356E5490C40AE4D520577AA2E72ABFEF8 + +Count = 276 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA53646FB270F58E570E8594085B352CC9F3 + +Count = 277 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA5386220F1C18EAEF46D47A290DE78C87CF + +Count = 278 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA532B2CD5079C6F95FE916F74C320093896 + +Count = 279 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA532E5FAB786BEEFDCD1DE4ED8188336F90 + +Count = 280 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA53AA0EF2CAE0C16BF15E2A4431DD3BC99C + +Count = 281 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA5364D38169A8C3DF3921C1111943FA83B0 + +Count = 282 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA53BF5CF876481BA6698218BAB6EC2E67F2 + +Count = 283 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA5377BFE39F40E79413BDFE0F0EB5D23A76 + +Count = 284 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA53840403A15BE91D2B1C6B1DDE881AC5D6 + +Count = 285 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA53D58490AC1AC03E5B3BEAD650E0593DBF + +Count = 286 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA5387B443052F161C9756F0EB07AC0D38BA + +Count = 287 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA53827A3E6A91DDC91085120CF7E92E0939 + +Count = 288 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA53AA8C624B23EFA6998251738B60AC4BA6 + +Count = 289 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA53C8261D5B5080B4E676542392A87468C8 + +Count = 290 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA5380AB1D6551E288F0AC3C011BE9DF596C + +Count = 291 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA534F8934AC1593FB71CB0288C8E8FB46F3 + +Count = 292 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA533E71A87D9198F4F6D1A78B1BC4130246 + +Count = 293 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA530732CED64558813513158682BDD69168 + +Count = 294 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA5337EC1AD2B070CC00A9BE4536C06668D1 + +Count = 295 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA536F97B4B649260A2FA775723430B7656E + +Count = 296 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535969C9A1C568B193423DDF8128EA18CF + +Count = 297 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA53C6AB9A0868FAD88676306B58B79C4D2E + +Count = 298 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = +CT = 75F8BD7F4702EA535ACD2EE4E235206302B93720871498261B + +Count = 299 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00 +CT = 75F8BD7F4702EA535A08D1350D03A76C7B9D94786F63767CBF + +Count = 300 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 0001 +CT = 75F8BD7F4702EA535ACDC33EA67BF289E0996554F4BAB669F7 + +Count = 301 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102 +CT = 75F8BD7F4702EA535A5412A50EBFD204E9779DF1F4841AE6E3 + +Count = 302 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00010203 +CT = 75F8BD7F4702EA535A59C705276C415BC351AE0629812BCA17 + +Count = 303 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 0001020304 +CT = 75F8BD7F4702EA535AB5DAC1A4C26BE36251A990DBD5754A9B + +Count = 304 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405 +CT = 75F8BD7F4702EA535ACC1A411554B9FB0E7A3C2791336C19A0 + +Count = 305 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A40AA728972DF7E0F7F040D4FA38A1487 + +Count = 306 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A02805FE28A51CDF5990C72735064E7CA + +Count = 307 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A5AF3D614F17F9E883A3822E5D3A85A38 + +Count = 308 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535AF694C84EF4BB67F4D8C4BEB927D896AE + +Count = 309 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535AC41E3332419B7DA858271CCC605FA1A5 + +Count = 310 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A26538E5EACFFC5E009C93D9AB2FFEF99 + +Count = 311 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A8B5D5445287ABF584CDC6054757A50C0 + +Count = 312 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A8E2E2A3ADFFBD76BC057F916DD4007C6 + +Count = 313 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A0A7F738854D44157839950A68848A1CA + +Count = 314 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535AC4A2002B1CD6F59FFC72058E1689EBE6 + +Count = 315 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1F2D7934FC0E8CCF5FABAE21B95D0FA4 + +Count = 316 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535AD7CE62DDF4F2BEB5604D1B99E0A15220 + +Count = 317 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A247582E3EFFC378DC1D80949DD69AD80 + +Count = 318 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A75F511EEAED514FDE659C2C7B52A55E9 + +Count = 319 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A27C5C2479B0336318B43FF90F97E50EC + +Count = 320 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A220BBF2825C8E3B658A11860BC5D616F + +Count = 321 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A0AFDE30997FA8C3F5FE2671C35DF23F0 + +Count = 322 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A68579C19E4959E40ABE73705FD07009E + +Count = 323 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A20DA9C27E5F7A256718F158CBCAC313A + +Count = 324 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535AEFF8B5EEA186D1D716B19C5FBD882EA5 + +Count = 325 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A9E00293F258DDE500C149F8C91606A10 + +Count = 326 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535AA7434F94F14DAB93CEA69215E8A5F93E + +Count = 327 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A979D9B900465E6A6740D51A195150087 + +Count = 328 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535ACFE635F4FD3320897AC666A365C40D38 + +Count = 329 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535AF91848E3717D9B359F8ECB167D997099 + +Count = 330 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A66DA1B4ADCEFF220AB837FCFE2EF2578 + +Count = 331 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = +CT = 75F8BD7F4702EA535A1C305CBEF8FDC04C6B24F5314FEE4BB14E + +Count = 332 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00 +CT = 75F8BD7F4702EA535A1CF5A36F17CB474312005669A799A5EBEA + +Count = 333 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 0001 +CT = 75F8BD7F4702EA535A1C30B164BCB312A68904A7453C4065FEA2 + +Count = 334 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102 +CT = 75F8BD7F4702EA535A1CA960FF1477322B80EA5FE03C7EC971B6 + +Count = 335 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CA4B55F3DA4A174AACC6C17E17BF85D42 + +Count = 336 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1C48A89BBE0A8BCC0BCC6B81132FA6DDCE + +Count = 337 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1C31681B0F9C59D467E7FE3659C9BF8EF5 + +Count = 338 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CBDD82893BA3F5166E2C61C87595983D2 + +Count = 339 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CFFF205F842B1E29C04CE63BBAAB7709F + +Count = 340 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CA7818C0E399FB1E1A7FA332D297BCD6D + +Count = 341 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1C0BE692543C5B489D4506AF71DD0B01FB + +Count = 342 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1C396C6928897B52C1C5E50D049A8C36F0 + +Count = 343 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CDB21D444641FEA89940B2C52482C78CC + +Count = 344 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1C762F0E5FE09A9031D11E719C8FA9C795 + +Count = 345 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1C735C7020171BF8025D95E8DE27939093 + +Count = 346 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CF70D29929C346E3E1E5B416E729B369F + +Count = 347 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1C39D05A31D436DAF661B01446EC5A7CB3 + +Count = 348 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE25F232E34EEA3A6C269BFE9438E98F1 + +Count = 349 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1C2ABC38C73C1291DCFD8F0A511A72C575 + +Count = 350 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CD907D8F9271C18E45C1A188127BA3AD5 + +Count = 351 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1C88874BF466353B947B9BD30F4FF9C2BC + +Count = 352 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CDAB7985D53E319581681EE5803ADC7B9 + +Count = 353 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CDF79E532ED28CCDFC56309A8468EF63A + +Count = 354 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CF78FB9135F1AA356C22076D4CF0CB4A5 + +Count = 355 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1C9525C6032C75B129362526CD07D497CB + +Count = 356 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CDDA8C63D2D178D3FEC4D0444467FA66F + +Count = 357 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1C128AEFF46966FEBE8B738D97475BB9F0 + +Count = 358 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1C63727325ED6DF13991D68E446BB3FD45 + +Count = 359 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1C5A31158E39AD84FA536483DD12766E6B + +Count = 360 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1C6AEFC18ACC85C9CFE9CF40696FC697D2 + +Count = 361 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1C32946FEE35D30FE0E704776B9F179A6D + +Count = 362 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1C046A12F9B99DB45C024CDADE874AE7CC + +Count = 363 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1C9BA84150140FDD4936416E07183CB22D + +Count = 364 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = +CT = 75F8BD7F4702EA535A1CE25C0A2BEADD549AF1B448FE28B6A4CC36 + +Count = 365 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00 +CT = 75F8BD7F4702EA535A1CE299F5FA05EBD3958890EBA6C0C14A9692 + +Count = 366 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 0001 +CT = 75F8BD7F4702EA535A1CE25CE7F1AE93867013941A8A5B188A83DA + +Count = 367 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102 +CT = 75F8BD7F4702EA535A1CE2C5366A0657A6FD1A7AE22F5B26260CCE + +Count = 368 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE2C8E3CA2F8435A2305CD1D8862317203A + +Count = 369 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE224FE0EAC2A1F1A915CD64E747749A0B6 + +Count = 370 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE25D3E8E1DBCCD02FD7743F93E9150F38D + +Count = 371 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE2D18EBD819AAB87FC727BD3E001B6FEAA + +Count = 372 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE293A490EA622534069473ACDCF2580DE7 + +Count = 373 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE2CBD7191C190B677B3747FC4A7194B015 + +Count = 374 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE267B007461CCF9E07D5BB601685E47C83 + +Count = 375 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE2553AFC3AA9EF845B5558C263C2634B88 + +Count = 376 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE2B7774156448B3C1304B6E33510C305B4 + +Count = 377 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE21A799B4DC00E46AB41A3BEFBD746BAED + +Count = 378 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE21F0AE532378F2E98CD2827B97F7CEDEB + +Count = 379 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE29B5BBC80BCA0B8A48EE68E092A744BE7 + +Count = 380 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE25586CF23F4A20C6CF10DDB21B4B501CB + +Count = 381 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE28E09B63C147A753C52D4708E1B61E589 + +Count = 382 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE246EAADD51C8647466D32C536429DB80D + +Count = 383 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE2B5514DEB0788CE7ECCA7D7E67F5547AD + +Count = 384 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE2E4D1DEE646A1ED0EEB261C681716BFC4 + +Count = 385 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE2B6E10D4F7377CFC2863C213F5B42BAC1 + +Count = 386 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE2B32F7020CDBC1A4555DEC6CF1E618B42 + +Count = 387 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE29BD92C017F8E75CC529DB9B397E3C9DD + +Count = 388 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE2F97353110CE167B3A698E9AA5F3BEAB3 + +Count = 389 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE2B1FE532F0D835BA57CF0CB231E90DB17 + +Count = 390 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE27EDC7AE649F228241BCE42F01FB4C488 + +Count = 391 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE20F24E637CDF927A3016B4123335C803D + +Count = 392 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23667809C19395260C3D94CBA4A991313 + +Count = 393 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE206B95498EC111F5579728F0E3729EAAA + +Count = 394 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE25EC2FAFC1547D97A77B9B80CC7F8E715 + +Count = 395 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE2683C87EB990962C692F115B9DFA59AB4 + +Count = 396 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE2F7FED442349B0BD3A6FCA16040D3CF55 + +Count = 397 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = +CT = 75F8BD7F4702EA535A1CE23E2667F4CAD2004ABC625DDA08BF849DA7 + +Count = 398 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00 +CT = 75F8BD7F4702EA535A1CE23EE3982525E48745C546FE82E0C86AC703 + +Count = 399 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E268A2E8E9CD2A05E420FAE7B11AAD24B + +Count = 400 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23EBF5BB52658F22D57ACF70B7B2F065D5F + +Count = 401 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23EB28E150F8B61727D8AC4FCA62A3771AB + +Count = 402 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E5E93D18C254BCADC8AC36A547E69F127 + +Count = 403 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2753513DB399D2B0A156DD1E9870A21C + +Count = 404 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23EABE362A195FF57B1A46EF7C00896AF3B + +Count = 405 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23EE9C94FCA6D71E44B426688FCFB785C76 + +Count = 406 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23EB1BAC63C165FB736E152D86A78B4E184 + +Count = 407 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E1DDDD866139B4E4A03AE44368CC42D12 + +Count = 408 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2F57231AA6BB5416834DE643CB431A19 + +Count = 409 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23ECD1A9E764BDFEC5ED2A3C71519E35425 + +Count = 410 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E6014446DCF5A96E697B69ADBDE66EB7C + +Count = 411 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E65673A1238DBFED51B3D0399765CBC7A + +Count = 412 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23EE13663A0B3F468E958F3AA2923541A76 + +Count = 413 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2FEB1003FBF6DC212718FF01BD95505A + +Count = 414 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23EF464691C1B2EA57184C154AE1241B418 + +Count = 415 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E3C8772F513D2970BBB27E1164BBDE99C + +Count = 416 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23ECF3C92CB08DC1E331AB2F3C67675163C + +Count = 417 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E9EBC01C649F53D433D3338481E36EE55 + +Count = 418 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23ECC8CD26F7C231F8F5029051F5262EB50 + +Count = 419 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23EC942AF00C2E8CA0883CBE2EF1741DAD3 + +Count = 420 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23EE1B4F32170DAA58184889D939EC3984C + +Count = 421 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E831E8C3103B5B7FE708DCD8A561BBB22 + +Count = 422 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23ECB938C0F02D78BE8AAE5EF0317B08A86 + +Count = 423 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E04B1A5C646A6F869CDDB66D016949519 + +Count = 424 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E75493917C2ADF7EED77E65033A7CD1AC + +Count = 425 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E4C0A5FBC166D822D15CC689A43B94282 + +Count = 426 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E7CD48BB8E345CF18AF67AB2E3E09BB3B + +Count = 427 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E24AF25DC1A130937A1AC9C2CCED8B684 + +Count = 428 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E125158CB965DB28B44E43199D685CB25 + +Count = 429 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E8D930B623BCFDB9E70E9854049F39EC4 + +Count = 430 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = +CT = 75F8BD7F4702EA535A1CE23E2DA4710F232426B4955579426D01DD9895 + +Count = 431 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D618EDECC12A1BBEC71DA1A857633C231 + +Count = 432 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2DA49CD5676AF45E77752B361EAFF3D779 + +Count = 433 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D3D4D4ECFAED4D37E9BD3931E915F586D + +Count = 434 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D3098EEE67D478C54BDE064C3946E7499 + +Count = 435 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2DDC852A65D36D34F5BDE7F231C030F415 + +Count = 436 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2DA545AAD445BF2C999672457B2629A72E + +Count = 437 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D29F5994863D9A998934A6FA5B6CFAA09 + +Count = 438 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D6BDFB4239B571A627542109945215944 + +Count = 439 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D33AC3DD5E079491FD676400FC6EDE4B6 + +Count = 440 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D9FCB238FE5BDB063348ADC53329D2820 + +Count = 441 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2DAD41D8F3509DAA3FB4697E26751A1F2B + +Count = 442 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D4F0C659FBDF91277E5875F70A7BA5117 + +Count = 443 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2DE202BF84397C68CFA09202BE603FEE4E + +Count = 444 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2DE771C1FBCEFD00FC2C199BFCC805B948 + +Count = 445 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D6320984945D296C06FD7324C9D0D1F44 + +Count = 446 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2DADFDEBEA0DD02208103C676403CC5568 + +Count = 447 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D767292F5ED085B58B3E5CCCBAC18B12A + +Count = 448 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2DBE91891CE5F469228C037973F5E4ECAE + +Count = 449 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D4D2A6922FEFAE01A2D966BA3C82C130E + +Count = 450 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D1CAAFA2FBFD3C36A0A17A02DA06FEB67 + +Count = 451 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D4E9A29868A05E1A6670D9D7AEC3BEE62 + +Count = 452 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D4B5454E934CE3421B4EF7A8AA918DFE1 + +Count = 453 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D63A208C886FC5BA8B3AC05F6209A9D7E + +Count = 454 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D010877D8F59349D747A955EFE842BE10 + +Count = 455 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D498577E6F4F175C19DC17766A9E98FB4 + +Count = 456 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D86A75E2FB0800640FAFFFEB5A8CD902B + +Count = 457 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2DF75FC2FE348B09C7E05AFD668425D49E + +Count = 458 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2DCE1CA455E04B7C0422E8F0FFFDE047B0 + +Count = 459 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2DFEC27051156331319843334B8050BE09 + +Count = 460 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2DA6B9DE35EC35F71E968804497081B3B6 + +Count = 461 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D9047A322607B4CA273C0A9FC68DCCE17 + +Count = 462 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D0F85F08BCDE925B747CD1D25F7AA9BF6 + +Count = 463 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = +CT = 75F8BD7F4702EA535A1CE23E2D07EFCC1CCFBB3E95C86933C2F38767211B + +Count = 464 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D072A33CD208DB99AB14D909A1BF0897BBF + +Count = 465 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D07EF21C68BF5EC7F2A4961B68029496EF7 + +Count = 466 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D0776F05D2331CCF223A799138017E5E1E3 + +Count = 467 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D077B25FD0AE25FAD0981AAE45D12D4CD17 + +Count = 468 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D07973839894C7515A881AD72AF468A4D9B + +Count = 469 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D07EEF8B938DAA70DC4AA38C5E5A0931EA0 + +Count = 470 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D0762488AA4FCC188C5AF00EF3B30751387 + +Count = 471 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D072062A7CF044F3B3F49089007C39BE0CA + +Count = 472 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D0778112E397F616842EA3CC09140575D38 + +Count = 473 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D07D47630637AA5913E08C05CCDB42791AE + +Count = 474 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D07E6FCCB1FCF858B628823FEB8F3A0A6A5 + +Count = 475 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D0704B1767322E1332AD9CDDFEE2100E899 + +Count = 476 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D07A9BFAC68A66449929CD88220E68557C0 + +Count = 477 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D07ACCCD21751E521A110531B624EBF00C6 + +Count = 478 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D07289D8BA5DACAB79D539DB2D21BB7A6CA + +Count = 479 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D07E640F80692C803552C76E7FA8576ECE6 + +Count = 480 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D073DCF811972107A058FAF4C552AA208A4 + +Count = 481 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D07F52C9AF07AEC487FB049F9ED735E5520 + +Count = 482 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D0706977ACE61E2C14711DCEB3D4E96AA80 + +Count = 483 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D075717E9C320CBE237365D20B326D552E9 + +Count = 484 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D0705273A6A151DC0FB5B471DE46A8157EC + +Count = 485 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D0700E94705ABD6157C88A5FA142FA2666F + +Count = 486 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D07281F1B2419E47AF58FE68568A62024F0 + +Count = 487 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D074AB564346A8B688A7BE3D5716EF8079E + +Count = 488 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D070238640A6BE9549CA18BF7F82F53363A + +Count = 489 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D07CD1A4DC32F98271DC6B57E2B2E7729A5 + +Count = 490 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D07BCE2D112AB93289ADC107DF8029F6D10 + +Count = 491 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D0785A1B7B97F535D591EA270617B5AFE3E + +Count = 492 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D07B57F63BD8A7B106CA409B3D506EA0787 + +Count = 493 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D07ED04CDD9732DD643AAC284D7F63B0A38 + +Count = 494 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D07DBFAB0CEFF636DFF4F8A2962EE667799 + +Count = 495 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D074438E36752F104EA7B879DBB71102278 + +Count = 496 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F5030FDAE23A2BED9CF994E56BBE1E9CC + +Count = 497 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F95CF2C411525B1A0EB3A16BECC0FB368 + +Count = 498 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F50DD27EA6D70543BEFCB3A2515CFA620 + +Count = 499 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079FC90CBC42A950D93201339F252B632934 + +Count = 500 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079FC4D91C6B7AC38618270068F82E5205C0 + +Count = 501 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F28C4D8E8D4E93EB92707FE0A7A0C854C + +Count = 502 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F51045859423B26D50C9249409C15D677 + +Count = 503 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079FDDB46BC5645DA3D409AA639E0CF3DB50 + +Count = 504 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F9F9E46AE9CD3102EEFA21CA2FF1D281D + +Count = 505 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079FC7EDCF58E7FD43534C964C347CD195EF + +Count = 506 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F6B8AD102E239BA2FAE6AD06888A15979 + +Count = 507 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F59002A7E5719A0732E89721DCF266E72 + +Count = 508 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079FBB4D9712BA7D183B7F67534B1D86204E + +Count = 509 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F16434D093EF862833A720E85DA039F17 + +Count = 510 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F13303376C9790AB0B6F997C77239C811 + +Count = 511 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F97616AC442569C8CF5373E7727316E1D + +Count = 512 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F59BC19670A5428448ADC6B5FB9F02431 + +Count = 513 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F82336078EA8C51142905C0F01624C073 + +Count = 514 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F4AD07B91E270636E16E375484FD89DF7 + +Count = 515 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079FB96B9BAFF97EEA56B776679872106257 + +Count = 516 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079FE8EB08A2B857C92690F7AC161A539A3E + +Count = 517 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079FBADBDB0B8D81EBEAFDED914156079F3B + +Count = 518 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079FBF15A664334A3E6D2E0F76B11324AEB8 + +Count = 519 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F97E3FA45817851E4294C09CD9AA6EC27 + +Count = 520 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079FF5498555F217439BDD4959D4527ECF49 + +Count = 521 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079FBDC4856BF3757F8D07217B5D13D5FEED + +Count = 522 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F72E6ACA2B7040C0C601FF28E12F1E172 + +Count = 523 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F031E3073330F038B7ABAF15D3E19A5C7 + +Count = 524 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F3A5D56D8E7CF7648B808FCC447DC36E9 + +Count = 525 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F0A8382DC12E73B7D02A33F703A6CCF50 + +Count = 526 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F52F82CB8EBB1FD520C680872CABDC2EF + +Count = 527 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F640651AF67FF46EEE920A5C7D2E0BF4E + +Count = 528 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079FFBC40206CA6D2FFBDD2D111E4D96EAAF + +Count = 529 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B9096D461FC1B70AE3938A394172992C0 + +Count = 530 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B5569058ECA9C7FD71D9BFB7C60C7C864 + +Count = 531 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B907B0E25B2C99A4C196AD7E7B907DD2C + +Count = 532 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B09AA958D76E91745F79272E787AB5238 + +Count = 533 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B047F35A4A57A486FD1A1853A829A7ECC + +Count = 534 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7BE862F1270B50F0CED1A613C8D6C4FE40 + +Count = 535 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B91A271969D82E8A2FA33A48230DDAD7B + +Count = 536 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B1D12420ABBE46DA3FF0B8E5CA03BA05C + +Count = 537 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B5F386F61436ADE591903F16053D55311 + +Count = 538 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B074BE69738448D24BA37A1F6D019EEE3 + +Count = 539 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7BAB2CF8CD3D80745858CB3DAA24692275 + +Count = 540 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B99A603B188A06E04D8289FDF63EE157E + +Count = 541 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B7BEBBEDD65C4D64C89C6BE89B14E5B42 + +Count = 542 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7BD6E564C6E141ACF4CCD3E34776CBE41B + +Count = 543 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7BD3961AB916C0C4C740587A05DEF1B31D + +Count = 544 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B57C7430B9DEF52FB0396D3B58BF91511 + +Count = 545 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B991A30A8D5EDE6337C7D869D15385F3D + +Count = 546 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B429549B735359F63DFA42D32BAECBB7F + +Count = 547 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B8A76525E3DC9AD19E042988AE310E6FB + +Count = 548 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B79CDB26026C7242141D78A5ADED8195B + +Count = 549 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B284D216D67EE0751665641D4B69BE132 + +Count = 550 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B7A7DF2C45238259D0B4C7C83FACFE437 + +Count = 551 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B7FB38FABECF3F01AD8AE9B73BFECD5B4 + +Count = 552 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B5745D38A5EC19F93DFEDE40F366E972B + +Count = 553 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B35EFAC9A2DAE8DEC2BE8B416FEB6B445 + +Count = 554 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B7D62ACA42CCCB1FAF180969FBF1D85E1 + +Count = 555 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7BB240856D68BDC27B96BE1F4CBE399A7E + +Count = 556 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7BC3B819BCECB6CDFC8C1B1C9F92D1DECB + +Count = 557 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7BFAFB7F173876B83F4EA91106EB144DE5 + +Count = 558 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7BCA25AB13CD5EF50AF402D2B296A4B45C + +Count = 559 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B925E057734083325FAC9E5B06675B9E3 + +Count = 560 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7BA4A07860B84688991F8148057E28C442 + +Count = 561 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B3B622BC915D4E18C2B8CFCDCE15E91A3 + +Count = 562 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B628C9B9BC62D788F90572FED135FE6931B + +Count = 563 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6249644A291BFF80E9738CB5FB2808C9BF + +Count = 564 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B628C76418263AA6572777D9960F1C8DCF7 + +Count = 565 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6215A7DA2AA78AE87B99853C60CF6453E3 + +Count = 566 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6218727A037419B751BFB6CBBDCA557F17 + +Count = 567 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62F46FBE80DA330FF0BFB15D4F9E0BFF9B + +Count = 568 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B628DAF3E314CE1179C9424EA057812ACA0 + +Count = 569 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62011F0DAD6A87929D911CC0DBE8F4A187 + +Count = 570 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62433520C6920921677714BFE71B1A52CA + +Count = 571 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B621B46A930E927721AD420EF7198D6EF38 + +Count = 572 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62B721B76AECE38B6636DC732D6CA623AE + +Count = 573 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6285AB4C1659C3913AB63FD1582B2114A5 + +Count = 574 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6267E6F17AB4A72972E7D1F00EF9815A99 + +Count = 575 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62CAE82B61302253CAA2C4ADC03E04E5C0 + +Count = 576 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62CF9B551EC7A33BF92E4F3482963EB2C6 + +Count = 577 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B624BCA0CAC4C8CADC56D819D32C33614CA + +Count = 578 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6285177F0F048E190D126AC81A5DF75EE6 + +Count = 579 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B625E980610E456605DB1B363B5F223BAA4 + +Count = 580 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62967B1DF9ECAA52278E55D60DABDFE720 + +Count = 581 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6265C0FDC7F7A4DB1F2FC0C4DD96171880 + +Count = 582 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6234406ECAB68DF86F08410F53FE54E0E9 + +Count = 583 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B626670BD63835BDAA3655B3204B200E5EC + +Count = 584 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6263BEC00C3D900F24B6B9D5F4F723D46F + +Count = 585 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B624B489C2D8FA260ADB1FAAA887EA196F0 + +Count = 586 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6229E2E33DFCCD72D245FFFA91B679B59E + +Count = 587 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62616FE303FDAF4EC49F97D818F7D2843A + +Count = 588 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62AE4DCACAB9DE3D45F8A951CBF6F69BA5 + +Count = 589 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62DFB5561B3DD532C2E20C5218DA1EDF10 + +Count = 590 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62E6F630B0E915470120BE5F81A3DB4C3E + +Count = 591 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62D628E4B41C3D0A349A159C35DE6BB587 + +Count = 592 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B628E534AD0E56BCC1B94DEAB372EBAB838 + +Count = 593 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62B8AD37C7692577A77196068236E7C599 + +Count = 594 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62276F646EC4B71EB2459BB25BA9919078 + +Count = 595 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629958B63F3127C40FBA975DE8211515BC0B + +Count = 596 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62999D49EEDE114300C3B3FEB0C962FBE6AF + +Count = 597 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299585BE5756916E558B70F9C52BB3BF3E7 + +Count = 598 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299C18A7EDDAD36685159F7395285977CF3 + +Count = 599 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299CC5FDEF47EA5377B7FC4CE8F80A65007 + +Count = 600 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629920421A77D08F8FDA7FC3587DD4F8D08B + +Count = 601 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629959829AC6465D97B65456EF3732E183B0 + +Count = 602 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299D532A95A603B12B7516EC5E9A2078E97 + +Count = 603 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62999718843198B5A14DB766BAD551E97DDA + +Count = 604 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299CF6B0DC7E39BF2301452EA43D225C028 + +Count = 605 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299630C139DE65F0B4CF6AE761F26550CBE + +Count = 606 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62995186E8E1537F1110764DD46A61D23BB5 + +Count = 607 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B3CB558DBE1BA95827A3F53CB3727589 + +Count = 608 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62991EC58F963A9ED3E062B6A8F274F7CAD0 + +Count = 609 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62991BB6F1E9CD1FBBD3EE3D31B0DCCD9DD6 + +Count = 610 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62999FE7A85B46302DEFADF3980089C53BDA + +Count = 611 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299513ADBF80E329927D218CD28170471F6 + +Count = 612 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62998AB5A2E7EEEAE07771C16687B8D095B4 + +Count = 613 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62994256B90EE616D20D4E27D33FE12CC830 + +Count = 614 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B1ED5930FD185B35EFB2C1EFDCE43790 + +Count = 615 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299E06DCA3DBC317845C8330A61B4A7CFF9 + +Count = 616 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B25D199489E75A89A5293736F8F3CAFC + +Count = 617 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B79364FB372C8F0E76CBD0C6BDD0FB7F + +Count = 618 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62999F6538DA851EE0877188AFBA3452B9E0 + +Count = 619 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299FDCF47CAF671F2F8858DFFA3FC8A9A8E + +Count = 620 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B54247F4F713CEEE5FE5DD2ABD21AB2A + +Count = 621 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997A606E3DB362BD6F38DB54F9BC05B4B5 + +Count = 622 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62990B98F2EC3769B2E8227E572A90EDF000 + +Count = 623 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629932DB9447E3A9C72BE0CC5AB3E928632E + +Count = 624 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62990205404316818A1E5A67990794989A97 + +Count = 625 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62995A7EEE27EFD74C3154ACAE0564499728 + +Count = 626 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62996C8093306399F78DB1E403B07C14EA89 + +Count = 627 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299F342C099CE0B9E9885E9B769E362BF68 + +Count = 628 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997969C2D9DA08ABA81C8EFB9CDABF0ECC43 + +Count = 629 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979AC3D08353E2CA765AA58C432C8E096E7 + +Count = 630 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979692F039E467942FEAEA9E8A9112083AF + +Count = 631 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979F0FE98368259CFF740514DA92F8C0CBB + +Count = 632 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979FD2B381F51CA90DD6662BA742ABD204F + +Count = 633 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299791136FC9CFFE0287C66652C867EE3A0C3 + +Count = 634 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997968F67C2D693230104DF09BCC98FAF3F8 + +Count = 635 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979E4464FB14F54B51148C8B112081CFEDF + +Count = 636 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A66C62DAB7DA06EBAEC0CE2EFBF20D92 + +Count = 637 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979FE1FEB2CCCF455960DF49EB8783EB060 + +Count = 638 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299795278F576C930ACEAEF0802E48C4E7CF6 + +Count = 639 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997960F20E0A7C10B6B66FEBA091CBC94BFD + +Count = 640 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997982BFB36691740EFE3E0581C7196905C1 + +Count = 641 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299792FB1697D15F174467B10DC09DEECBA98 + +Count = 642 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299792AC21702E2701C75F79B454B76D6ED9E + +Count = 643 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979AE934EB0695F8A49B455ECFB23DE4B92 + +Count = 644 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979604E3D13215D3E81CBBEB9D3BD1F01BE + +Count = 645 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979BBC1440CC18547D16867127C12CBE5FC + +Count = 646 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997973225FE5C97975AB5781A7C44B37B878 + +Count = 647 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299798099BFDBD277FC93F614B51476FF47D8 + +Count = 648 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979D1192CD6935EDFE3D1957E9A1EBCBFB1 + +Count = 649 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299798329FF7FA688FD2FBC8F43CD52E8BAB4 + +Count = 650 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997986E78210184328A86F6DA43D17CB8B37 + +Count = 651 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979AE11DE31AA714721682EDB419E49C9A8 + +Count = 652 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979CCBBA121D91E555E9C2B8B585691EAC6 + +Count = 653 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299798436A11FD87C69484643A9D1173ADB62 + +Count = 654 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299794B1488D69C0D1AC9217D2002161EC4FD + +Count = 655 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299793AEC14071806154E3BD823D13AF68048 + +Count = 656 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997903AF72ACCCC6608DF96A2E4843331366 + +Count = 657 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299793371A6A839EE2DB843C1EDFC3E83EADF + +Count = 658 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299796B0A08CCC0B8EB974D0ADAFECE52E760 + +Count = 659 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299795DF475DB4CF6502BA842774BD60F9AC1 + +Count = 660 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979C2362672E164393E9C4FC3924979CF20 + +Count = 661 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B9A593097205AA96CD53AB48F8592FAC + +Count = 662 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A27C5A42E64482A5EFE9F0F3A08FB77508 + +Count = 663 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B948494D3CD74074ED01DF3B56776040 + +Count = 664 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A22099D2E5F8F7CD7D03F97A3B68DBEF54 + +Count = 665 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A22D4C72CC2B64925725CA8DE66DEAC3A0 + +Count = 666 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2C151B64F854E2AF625CD1B1439B4432C + +Count = 667 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B89136FE139C329A0E58AC5EDFAD1017 + +Count = 668 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A23421056235FAB79B0B6086804F4B1D30 + +Count = 669 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2760B2809CD740461ED68F9BCBCA5EE7D + +Count = 670 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A22E78A1FFB65A571C4E5CA92A3F69538F + +Count = 671 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2821FBFA5B39EAE60ACA03576CB199F19 + +Count = 672 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B09544D906BEB43C2C4397038C9EA812 + +Count = 673 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A252D8F9B5EBDA0C747DADB6555E3EE62E + +Count = 674 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2FFD623AE6F5F76CC38B8EB9B99BB5977 + +Count = 675 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2FAA55DD198DE1EFFB43372D931810E71 + +Count = 676 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A27EF4046313F188C3F7FDDB696489A87D + +Count = 677 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B02977C05BF33C0B88168E41FA48E251 + +Count = 678 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A26BA60EDFBB2B455B2BCF25EE559C0613 + +Count = 679 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2A3451536B3D77721142990560C605B97 + +Count = 680 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A250FEF508A8D9FE19B5BC828631A8A437 + +Count = 681 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2017E6605E9F0DD69923D490859EB5C5E + +Count = 682 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2534EB5ACDC26FFA5FF27745F15BF595B + +Count = 683 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A25680C8C362ED2A222CC593AF509C68D8 + +Count = 684 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A27E7694E2D0DF45AB2B86ECD3D91E2A47 + +Count = 685 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A21CDCEBF2A3B057D4DF83BCCA11C60929 + +Count = 686 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A25451EBCCA2D26BC205EB9E43506D388D + +Count = 687 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A29B73C205E6A3184362D5179051492712 + +Count = 688 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2EA8B5ED462A817C4787014437DA163A7 + +Count = 689 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2D3C8387FB6686207BAC219DA0464F089 + +Count = 690 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2E316EC7B43402F320069DA6E79D40930 + +Count = 691 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2BB6D421FBA16E91D0EA2ED6C8905048F + +Count = 692 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A28D933F08365852A1EBEA40D99158792E + +Count = 693 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A212516CA19BCA3BB4DFE7F4000E2E2CCF + +Count = 694 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240434EE6A09FEDD4F51F39952D0B84AB3E + +Count = 695 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24086B1374FA96ADB8C3B9ACDC57C6AF19A + +Count = 696 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24043A33CE4D13F3E173F6BE15EA5AAE4D2 + +Count = 697 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240DA72A74C151FB31ED193445E9B066BC6 + +Count = 698 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240D7A70765C68CEC34F7A0B3839E374732 + +Count = 699 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403BBAC3E668A65495F7A72571CA69C7BE + +Count = 700 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240427A4357FE744CF9DC32923B2C709485 + +Count = 701 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240CECA70CBD812C9F8D90AB8E5BC9699A2 + +Count = 702 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2408CE05DA0209C7A023F02C7D94F786AEF + +Count = 703 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240D493D4565BB2297F9C36974FCCB4D71D + +Count = 704 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24078F4CA0C5E76D0037ECA0B1338C41B8B + +Count = 705 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2404A7E3170EB56CA5FFE29A9667F432C80 + +Count = 706 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240A8338C1C06327217AFC78830ADE362BC + +Count = 707 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240053D560782B708AFEAD2D5FE6A66DDE5 + +Count = 708 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240004E28787536609C66594CBCC25C8AE3 + +Count = 709 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240841F71CAFE19F6A02597E50C97542CEF + +Count = 710 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2404AC20269B61B42685A7CB024099566C3 + +Count = 711 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240914D7B7656C33B38F9A51B8BA6418281 + +Count = 712 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24059AE609F5E3F0942C643AE33FFBDDF05 + +Count = 713 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240AA1580A14531807A67D6BCE3C27520A5 + +Count = 714 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240FB9513AC0418A30A4057776DAA36D8CC + +Count = 715 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240A9A5C00531CE81C62D4D4A3AE662DDC9 + +Count = 716 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240AC6BBD6A8F055441FEAFADCAA341EC4A + +Count = 717 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240849DE14B3D373BC8F9ECD2B62AC3AED5 + +Count = 718 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240E6379E5B4E5829B70DE982AFE21B8DBB + +Count = 719 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240AEBA9E654F3A15A1D781A026A3B0BC1F + +Count = 720 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2406198B7AC0B4B6620B0BF29F5A294A380 + +Count = 721 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24010602B7D8F4069A7AA1A2A268E7CE735 + +Count = 722 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24029234DD65B801C6468A827BFF7B9741B + +Count = 723 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24019FD99D2AEA85151D203E40B8A098DA2 + +Count = 724 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240418637B657FE977EDCC8D3097AD8801D + +Count = 725 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24077784AA1DBB02CC239807EBC6285FDBC + +Count = 726 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240E8BA1908762245D70D8DCA65FDF3A85D + +Count = 727 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D546FE67094BB75016786E3EA9E6A5BCD + +Count = 728 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9190379FA23C7A784325BB02E9840169 + +Count = 729 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D54823C34DA699FE347D4979930441421 + +Count = 730 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DCD53A79C1E4912EAA92C32990EE89B35 + +Count = 731 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DC08607B5CDDA4DC08F1FC5440BD9B7C1 + +Count = 732 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D2C9BC33663F0F5618F1853B65F87374D + +Count = 733 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D555B4387F522ED0DA48DE4FCB99E6476 + +Count = 734 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DD9EB701BD344680CA1B5CE2229786951 + +Count = 735 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9BC15D702BCADBF647BDB11EDA969A1C + +Count = 736 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DC3B2D48650E4888BE489E188595A27EE + +Count = 737 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D6FD5CADC552071F706757DD4AD2AEB78 + +Count = 738 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D5D5F31A0E0006BAB8696DFA1EAADDC73 + +Count = 739 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DBF128CCC0D64D3E3D778FEF7380D924F + +Count = 740 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D121C56D789E1A95B926DA339FF882D16 + +Count = 741 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D176F28A87E60C1681EE63A7B57B27A10 + +Count = 742 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D933E711AF54F57545D2893CB02BADC1C + +Count = 743 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D5DE302B9BD4DE39C22C3C6E39C7B9630 + +Count = 744 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D866C7BA65D959ACC811A6D4C33AF7272 + +Count = 745 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D4E8F604F5569A8B6BEFCD8F46A532FF6 + +Count = 746 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DBD3480714E67218E1F69CA24579BD056 + +Count = 747 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DECB4137C0F4E02FE38E801AA3FD8283F + +Count = 748 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DBE84C0D53A98203255F23CFD738C2D3A + +Count = 749 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DBB4ABDBA8453F5B58610DB0D36AF1CB9 + +Count = 750 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D93BCE19B36619A3C8153A471BF2D5E26 + +Count = 751 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DF1169E8B450E88437556F46877F57D48 + +Count = 752 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DB99B9EB5446CB455AF3ED6E1365E4CEC + +Count = 753 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D76B9B77C001DC7D4C8005F32377A5373 + +Count = 754 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D07412BAD8416C853D2A55CE11B9217C6 + +Count = 755 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D3E024D0650D6BD9010175178625784E8 + +Count = 756 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D0EDC9902A5FEF0A5AABC92CC1FE77D51 + +Count = 757 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D56A737665CA8368AA477A5CEEF3670EE + +Count = 758 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D60594A71D0E68D36413F087BF76B0D4F + +Count = 759 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DFF9B19D87D74E4237532BCA2681D58AE + +Count = 760 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F9F02DA748370296F34EA79F4E5497D6D + +Count = 761 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F5AFD0B9BB5F726161049211C92A727C9 + +Count = 762 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F9FEF0030CDA2C38D14B80D874B673281 + +Count = 763 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F063E9B9809824E84FA40A88775CBBD95 + +Count = 764 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F0BEB3BB1DA1111AEDC735F5A70FA9161 + +Count = 765 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FE7F6FF32743BA90FDC74C9A824A411ED + +Count = 766 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F9E367F83E2E9B163F7E17EE2C2BD42D6 + +Count = 767 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F12864C1FC48F3462F2D9543C525B4FF1 + +Count = 768 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F50AC61743C01879814D12B00A1B5BCBC + +Count = 769 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F08DFE882472FD4E5B7E57B962279014E + +Count = 770 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FA4B8F6D842EB2D995519E7CAD609CDD8 + +Count = 771 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F96320DA4F7CB37C5D5FA45BF918EFAD3 + +Count = 772 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F747FB0C81AAF8F8D841464E9432EB4EF + +Count = 773 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FD9716AD39E2AF535C101392784AB0BB6 + +Count = 774 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FDC0214AC69AB9D064D8AA0652C915CB0 + +Count = 775 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F58534D1EE2840B3A0E4409D57999FABC + +Count = 776 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F968E3EBDAA86BFF271AF5CFDE758B090 + +Count = 777 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F4D0147A24A5EC6A2D276F752488C54D2 + +Count = 778 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F85E25C4B42A2F4D8ED9042EA11700956 + +Count = 779 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F7659BC7559AC7DE04C05503A2CB8F6F6 + +Count = 780 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F27D92F7818855E906B849BB444FB0E9F + +Count = 781 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F75E9FCD12D537C5C069EA6E308AF0B9A + +Count = 782 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F702781BE9398A9DBD57C41134D8C3A19 + +Count = 783 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F58D1DD9F21AAC652D23F3E6FC40E7886 + +Count = 784 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F3A7BA28F52C5D42D263A6E760CD65BE8 + +Count = 785 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F72F6A2B153A7E83BFC524CFF4D7D6A4C + +Count = 786 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FBDD48B7817D69BBA9B6CC52C4C5975D3 + +Count = 787 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FCC2C17A993DD943D81C9C6FF60B13166 + +Count = 788 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FF56F7102471DE1FE437BCB661974A248 + +Count = 789 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FC5B1A506B235ACCBF9D008D264C45BF1 + +Count = 790 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F9DCA0B624B636AE4F71B3FD09415564E + +Count = 791 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FAB347675C72DD158125392658C482BEF + +Count = 792 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F34F625DC6ABFB84D265E26BC133E7E0E + +Count = 793 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FEB338400A1628D9BDBA44BD09814A472 + +Count = 794 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F2ECC55EF97E582E2FF071338EFFAFED6 + +Count = 795 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FEBDE5E44EFB06779FBF63FA3363AEB9E + +Count = 796 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F720FC5EC2B90EA70150E9AA30896648A + +Count = 797 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F7FDA65C5F803B55A333D6D7E0DA7487E + +Count = 798 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F93C7A14656290DFB333AFB8C59F9C8F2 + +Count = 799 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FEA0721F7C0FB159718AF4CC6BFE09BC9 + +Count = 800 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F66B7126BE69D90961D9766182F0696EE + +Count = 801 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F249D3F001E13236CFB9F1924DCE865A3 + +Count = 802 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F7CEEB6F6653D701158AB49B25F24D851 + +Count = 803 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FD089A8AC60F9896DBA57D5EEAB5414C7 + +Count = 804 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FE20353D0D5D993313AB4779BECD323CC + +Count = 805 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F004EEEBC38BD2B796B5A56CD3E736DF0 + +Count = 806 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FAD4034A7BC3851C12E4F0B03F9F6D2A9 + +Count = 807 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FA8334AD84BB939F2A2C4924151CC85AF + +Count = 808 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F2C62136AC096AFCEE10A3BF104C423A3 + +Count = 809 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FE2BF60C988941B069EE16ED99A05698F + +Count = 810 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F393019D6684C62563D38C57635D18DCD + +Count = 811 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FF1D3023F60B0502C02DE70CE6C2DD049 + +Count = 812 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F0268E2017BBED914A34B621E51E52FE9 + +Count = 813 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F53E8710C3A97FA6484CAA99039A6D780 + +Count = 814 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F01D8A2A50F41D8A8E9D094C775F2D285 + +Count = 815 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F0416DFCAB18A0D2F3A32733730D1E306 + +Count = 816 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F2CE083EB03B862A63D710C4BB953A199 + +Count = 817 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F4E4AFCFB70D770D9C9745C52718B82F7 + +Count = 818 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F06C7FCC571B54CCF131C7EDB3020B353 + +Count = 819 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FC9E5D50C35C43F4E7422F7083104ACCC + +Count = 820 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FB81D49DDB1CF30C96E87F4DB1DECE879 + +Count = 821 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F815E2F76650F450AAC35F94264297B57 + +Count = 822 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FB180FB729027083F169E3AF6199982EE + +Count = 823 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FE9FB55166971CE1018550DF4E9488F51 + +Count = 824 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FDF052801E53F75ACFD1DA041F115F2F0 + +Count = 825 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F40C77BA848AD1CB9C91014986E63A711 + +Count = 826 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C64EED4250F2974316283EDF1239D4504 + +Count = 827 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CA11105CA39AE7B484620B51954731FA0 + +Count = 828 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C64030E6141FB9ED342D199828DB30AE8 + +Count = 829 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CFDD295C985DB13DAAC293C82B31F85FC + +Count = 830 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CF00735E056484CF08A1ACB5FB62EA908 + +Count = 831 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C1C1AF163F862F4518A1D5DADE2702984 + +Count = 832 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C65DA71D26EB0EC3DA188EAE704697ABF + +Count = 833 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CE96A424E48D6693CA4B0C039948F7798 + +Count = 834 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CAB406F25B058DAC642B8BF05676184D5 + +Count = 835 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CF333E6D3CB7689BBE18CEF93E4AD3927 + +Count = 836 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C5F54F889CEB270C7037073CF10DDF5B1 + +Count = 837 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C6DDE03F57B926A9B8393D1BA575AC2BA + +Count = 838 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C8F93BE9996F6D2D3D27DF0EC85FA8C86 + +Count = 839 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C229D64821273A86B9768AD22427F33DF + +Count = 840 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C27EE1AFDE5F2C0581BE33460EA4564D9 + +Count = 841 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CA3BF434F6EDD5664582D9DD0BF4DC2D5 + +Count = 842 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C6D6230EC26DFE2AC27C6C8F8218C88F9 + +Count = 843 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CB6ED49F3C6079BFC841F63578E586CBB + +Count = 844 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C7E0E521ACEFBA986BBF9D6EFD7A4313F + +Count = 845 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C8DB5B224D5F520BE1A6CC43FEA6CCE9F + +Count = 846 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CDC35212994DC03CE3DED0FB1822F36F6 + +Count = 847 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C8E05F280A10A210250F732E6CE7B33F3 + +Count = 848 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C8BCB8FEF1FC1F4858315D5168B580270 + +Count = 849 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CA33DD3CEADF39B0C8456AA6A02DA40EF + +Count = 850 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CC197ACDEDE9C89737053FA73CA026381 + +Count = 851 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C891AACE0DFFEB565AA3BD8FA8BA95225 + +Count = 852 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C463885299B8FC6E4CD0551298A8D4DBA + +Count = 853 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C37C019F81F84C963D7A052FAA665090F + +Count = 854 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C0E837F53CB44BCA015125F63DFA09A21 + +Count = 855 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C3E5DAB573E6CF195AFB99CD7A2106398 + +Count = 856 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C66260533C73A37BAA172ABD552C16E27 + +Count = 857 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C50D878244B748C06443A06604A9C1386 + +Count = 858 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CCF1A2B8DE6E6E5137037B2B9D5EA4667 + +Count = 859 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA07F036BA47E86F5A423E3F84EB9C614F + +Count = 860 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAC20FE755716F6023669D676C9C723BEB + +Count = 861 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA071DECFE093A85B8626C4BF745B22EA3 + +Count = 862 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA9ECC7756CD1A08B18C94EEF77B1EA1B7 + +Count = 863 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA9319D77F1E89579BAAA7192A7E2F8D43 + +Count = 864 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA7F0413FCB0A3EF3AAAA08FD82A710DCF + +Count = 865 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA06C4934D2671F75681353892CC685EF4 + +Count = 866 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA8A74A0D100177257840D124C5C8E53D3 + +Count = 867 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAC85E8DBAF899C1AD62056D70AF60A09E + +Count = 868 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA902D044C83B792D0C1313DE62CAC1D6C + +Count = 869 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA3C4A1A1686736BAC23CDA1BAD8DCD1FA + +Count = 870 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA0EC0E16A335371F0A32E03CF9F5BE6F1 + +Count = 871 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAEC8D5C06DE37C9B8F2C022994DFBA8CD + +Count = 872 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA4183861D5AB2B300B7D57F578A7E1794 + +Count = 873 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA44F0F862AD33DB333B5EE61522444092 + +Count = 874 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAC0A1A1D0261C4D0F78904FA5774CE69E + +Count = 875 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA0E7CD2736E1EF9C7077B1A8DE98DACB2 + +Count = 876 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAD5F3AB6C8EC68097A4A2B122465948F0 + +Count = 877 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA1D10B085863AB2ED9B44049A1FA51574 + +Count = 878 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAEEAB50BB9D343BD53AD1164A226DEAD4 + +Count = 879 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBABF2BC3B6DC1D18A51D50DDC44A2E12BD + +Count = 880 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAED1B101FE9CB3A69704AE093067A17B8 + +Count = 881 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAE8D56D705700EFEEA3A807634359263B + +Count = 882 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAC0233151E5328067A4EB781FCADB64A4 + +Count = 883 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAA2894E41965D921850EE2806020347CA + +Count = 884 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAEA044E7F973FAE0E8A860A8F43A8766E + +Count = 885 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA252667B6D34EDD8FEDB8835C428C69F1 + +Count = 886 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA54DEFB675745D208F71D808F6E642D44 + +Count = 887 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA6D9D9DCC8385A7CB35AF8D1617A1BE6A + +Count = 888 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA5D4349C876ADEAFE8F044EA26A1147D3 + +Count = 889 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA0538E7AC8FFB2CD181CF79A09AC04A6C + +Count = 890 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA33C69ABB03B5976D6487D415829D37CD + +Count = 891 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAAC04C912AE27FE78508A60CC1DEB622C + +Count = 892 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250F0927D72D857E36CAD703B28EF139FA + +Count = 893 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25CAF6F6381B02714FEE745B5AF91F635E + +Count = 894 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250FE4FD93635794D4EA8577C120DF7616 + +Count = 895 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259635663BA77719DD047DD2C11E73F902 + +Count = 896 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259BE0C61274E446F7224E251C1B42D5F6 + +Count = 897 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2577FD0291DACEFE562249B3EE4F1C557A + +Count = 898 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250E3D82204C1CE63A09DC04A4A9050641 + +Count = 899 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25828DB1BC6A7A633B0CE42E7A39E30B66 + +Count = 900 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25C0A79CD792F4D0C1EAEC5146CA0DF82B + +Count = 901 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2598D41521E9DA83BC49D801D049C145D9 + +Count = 902 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2534B30B7BEC1E7AC0AB249D8CBDB1894F + +Count = 903 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250639F007593E609C2BC73FF9FA36BE44 + +Count = 904 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E4744D6BB45AD8D47A291EAF2896F078 + +Count = 905 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25497A977030DFA26C3F3C4361EF134F21 + +Count = 906 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA254C09E90FC75ECA5FB3B7DA2347291827 + +Count = 907 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25C858B0BD4C715C63F07973931221BE2B + +Count = 908 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250685C31E0473E8AB8F9226BB8CE0F407 + +Count = 909 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25DD0ABA01E4AB91FB2C4B8D1423341045 + +Count = 910 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2515E9A1E8EC57A38113AD38AC7AC84DC1 + +Count = 911 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E65241D6F7592AB9B2382A7C4700B261 + +Count = 912 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25B7D2D2DBB67009C995B9E1F22F434A08 + +Count = 913 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E5E2017283A62B05F8A3DCA563174F0D + +Count = 914 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E02C7C1D3D6DFE822B413B5526347E8E + +Count = 915 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25C8DA203C8F5F910B2C024429AFB63C11 + +Count = 916 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25AA705F2CFC308374D8071430676E1F7F + +Count = 917 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E2FD5F12FD52BF62026F36B926C52EDB + +Count = 918 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA252DDF76DBB923CCE36551BF6A27E13144 + +Count = 919 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA255C27EA0A3D28C3647FF4BCB90B0975F1 + +Count = 920 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2565648CA1E9E8B6A7BD46B12072CCE6DF + +Count = 921 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2555BA58A51CC0FB9207ED72940F7C1F66 + +Count = 922 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250DC1F6C1E5963DBD09264596FFAD12D9 + +Count = 923 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA253B3F8BD669D88601EC6EE823E7F06F78 + +Count = 924 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25A4FDD87FC44AEF14D8635CFA78863A99 + +Count = 925 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DCE72A8718C1BF9A53B646BE0293BB8CF + +Count = 926 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D0B8D799EBA9CF6DC1FC733085ED5E26B + +Count = 927 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DCE9F7235C2C913471B361F938715F723 + +Count = 928 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D574EE99D06E99E4EF5CEBA93B9B97837 + +Count = 929 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D5A9B49B4D57AC164D3FD4D4EBC8854C3 + +Count = 930 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DB6868D377B5079C5D3FADBBCE8D6D44F + +Count = 931 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DCF460D86ED8261A9F86F6CF60ECF8774 + +Count = 932 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D43F63E1ACBE4E4A8FD5746289E298A53 + +Count = 933 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D01DC1371336A57521B5F39146DC7791E + +Count = 934 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D59AF9A874844042FB86B6982EE0BC4EC + +Count = 935 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DF5C884DD4D80FD535A97F5DE1A7B087A + +Count = 936 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DC7427FA1F8A0E70FDA7457AB5DFC3F71 + +Count = 937 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D250FC2CD15C45F478B9A76FD8F5C714D + +Count = 938 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D880118D6914125FFCE8F2B3348D9CE14 + +Count = 939 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D8D7266A966C04DCC4204B271E0E39912 + +Count = 940 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D09233F1BEDEFDBF001CA1BC1B5EB3F1E + +Count = 941 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DC7FE4CB8A5ED6F387E214EE92B2A7532 + +Count = 942 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D1C7135A745351668DDF8E54684FE9170 + +Count = 943 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DD4922E4E4DC92412E21E50FEDD02CCF4 + +Count = 944 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D2729CE7056C7AD2A438B422EE0CA3354 + +Count = 945 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D76A95D7D17EE8E5A640A89A08889CB3D + +Count = 946 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D24998ED42238AC960910B4F7C4DDCE38 + +Count = 947 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D2157F3BB9CF37911DAF2530781FEFFBB + +Count = 948 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D09A1AF9A2EC11698DDB12C7B087CBD24 + +Count = 949 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D6B0BD08A5DAE04E729B47C62C0A49E4A + +Count = 950 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D2386D0B45CCC38F1F3DC5EEB810FAFEE + +Count = 951 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DECA4F97D18BD4B7094E2D738802BB071 + +Count = 952 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D9D5C65AC9CB644F78E47D4EBACC3F4C4 + +Count = 953 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DA41F0307487631344CF5D972D50667EA + +Count = 954 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D94C1D703BD5E7C01F65E1AC6A8B69E53 + +Count = 955 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DCCBA79674408BA2EF8952DC4586793EC + +Count = 956 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DFA440470C84601921DDD8071403AEE4D + +Count = 957 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D658657D965D4688729D034A8DF4CBBAC + +Count = 958 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB4AE2A91E60E75157A9577109369DB8DF + +Count = 959 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB8F1D78F156605E2E8DF429E14173E27B + +Count = 960 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB4A0F735A2E35BBB58905057A98B3F733 + +Count = 961 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABD3DEE8F2EA1536BC67FDA07AA61F7827 + +Count = 962 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABDE0B48DB3986699641CE57A7A32E54D3 + +Count = 963 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB32168C5897ACD13741C9C155F770D45F + +Count = 964 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB4BD60CE9017EC95B6A5C761F11698764 + +Count = 965 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABC7663F7527184C5A6F645CC1818F8A43 + +Count = 966 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB854C121EDF96FFA0896C23FD7261790E + +Count = 967 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABDD3F9BE8A4B8ACDD2A58736BF1ADC4FC + +Count = 968 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB715885B2A17C55A1C8A4EF3705DD086A + +Count = 969 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB43D27ECE145C4FFD48474D42425A3F61 + +Count = 970 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA19FC3A2F938F7B519A96C1490FA715D + +Count = 971 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB0C9119B97DBD8D0D5CBC31DA577FCE04 + +Count = 972 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB09E267C68A3CE53ED037A898FF459902 + +Count = 973 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB8DB33E740113730293F90128AA4D3F0E + +Count = 974 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB436E4DD74911C7CAEC125400348C7522 + +Count = 975 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB98E134C8A9C9BE9A4FCBFFAF9B589160 + +Count = 976 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB50022F21A1358CE0702D4A17C2A4CCE4 + +Count = 977 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA3B9CF1FBA3B05D8D1B858C7FF6C3344 + +Count = 978 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABF2395C12FB1226A8F6399349972FCB2D + +Count = 979 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA0098FBBCEC404649B23AE1EDB7BCE28 + +Count = 980 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA5C7F2D4700FD1E348C149EE9E58FFAB + +Count = 981 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB8D31AEF5C23DBE6A4F82369217DABD34 + +Count = 982 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABEF9BD1E5B152AC15BB87668BDF029E5A + +Count = 983 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA716D1DBB030900361EF44029EA9AFFE + +Count = 984 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6834F812F441E38206D1CDD19F8DB061 + +Count = 985 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB19CC64C3704AEC051C74CE02B365F4D4 + +Count = 986 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB208F0268A48A99C6DEC6C39BCAA067FA + +Count = 987 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB1051D66C51A2D4F3646D002FB7109E43 + +Count = 988 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB482A7808A8F412DC6AA6372D47C193FC + +Count = 989 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB7ED4051F24BAA9608FEE9A985F9CEE5D + +Count = 990 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABE11656B68928C075BBE32E41C0EABBBC + +Count = 991 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4D70746F2D2879F989505D58F7ACA95C + +Count = 992 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F888FA5801BAF7680ADF305B08042F3F8 + +Count = 993 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4D9DAE2B63FA931BA902292B5982E6B0 + +Count = 994 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FD44C3583A7DA1E1247FA8C2B672E69A4 + +Count = 995 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FD99995AA7449413861C97BF6621F4550 + +Count = 996 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F35845129DA63F99961CEED043641C5DC + +Count = 997 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4C44D1984CB1E1F54A5B5A4ED05896E7 + +Count = 998 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FC0F4E2046AD764F44F63709040BE9BC0 + +Count = 999 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F82DECF6F9259D70EA96B0FACB350688D + +Count = 1000 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FDAAD4699E97784730A5F5F3A309CD57F + +Count = 1001 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F76CA58C3ECB37D0FE8A3C366C4EC19E9 + +Count = 1002 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4440A3BF5993675368406113836B2EE2 + +Count = 1003 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA60D1ED3B4F7DF1B39AE404551CB60DE + +Count = 1004 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F0B03C4C83072A5A37CBB1D8B964EDF87 + +Count = 1005 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F0E70BAB7C7F3CD90F03084C93E748881 + +Count = 1006 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F8A21E3054CDC5BACB3FE2D796B7C2E8D + +Count = 1007 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F44FC90A604DEEF64CC157851F5BD64A1 + +Count = 1008 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F9F73E9B9E40696346FCCD3FE5A6980E3 + +Count = 1009 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F5790F250ECFAA44E502A66460395DD67 + +Count = 1010 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA42B126EF7F42D76F1BF74963E5D22C7 + +Count = 1011 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FF5AB8163B6DD0E06D63EBF18561EDAAE + +Count = 1012 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA79B52CA830B2CCABB24824F1A4ADFAB + +Count = 1013 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA2552FA53DC0F94D68C665BF5F69EE28 + +Count = 1014 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F8AA373848FF296C46F851AC3D6EBACB7 + +Count = 1015 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FE8090C94FC9D84BB9B804ADA1E338FD9 + +Count = 1016 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA0840CAAFDFFB8AD41E868535F98BE7D + +Count = 1017 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F6FA62563B98ECB2C26D6E1805EBCA1E2 + +Count = 1018 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F1E5EB9B23D85C4AB3C73E2537254E557 + +Count = 1019 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F271DDF19E945B168FEC1EFCA0B917679 + +Count = 1020 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F17C30B1D1C6DFC5D446A2C7E76218FC0 + +Count = 1021 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4FB8A579E53B3A724AA11B7C86F0827F + +Count = 1022 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7946D86E697581CEAFE9B6C99EADFFDE + +Count = 1023 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FE6848BC7C4E7E8DB9BE4021001DBAA3F + +Count = 1024 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E7E4CC94143EC866BA90EF8B4A00D3652 + +Count = 1025 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EBBB318AE756B89128DADA05CD7E36CF6 + +Count = 1026 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E7EA113050D3E6C89895C8CC70E2379BE + +Count = 1027 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EE77088ADC91EE18067A429C7308FF6AA + +Count = 1028 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EEAA528841A8DBEAA4197DE1A35BEDA5E + +Count = 1029 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E06B8EC07B4A7060B419048E861E05AD2 + +Count = 1030 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E7F786CB622751E676A05FFA287F909E9 + +Count = 1031 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EF3C85F2A04139B666F3DD57C171F04CE + +Count = 1032 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EB1E27241FC9D289C8935AA40E4F1F783 + +Count = 1033 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EE991FBB787B37BE12A01FAD6673D4A71 + +Count = 1034 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E45F6E5ED8277829DC8FD668A934D86E7 + +Count = 1035 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E777C1E91375798C1481EC4FFD4CAB1EC + +Count = 1036 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E9531A3FDDA33208919F0E5A9066AFFD0 + +Count = 1037 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E383F79E65EB65A315CE5B867C1EF4089 + +Count = 1038 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E3D4C0799A9373202D06E212569D5178F + +Count = 1039 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EB91D5E2B2218A43E93A088953CDDB183 + +Count = 1040 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E77C02D886A1A10F6EC4BDDBDA21CFBAF + +Count = 1041 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EAC4F54978AC269A64F9276120DC81FED + +Count = 1042 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E64AC4F7E823E5BDC7074C3AA54344269 + +Count = 1043 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E9717AF409930D2E4D1E1D17A69FCBDC9 + +Count = 1044 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EC6973C4DD819F194F6601AF401BF45A0 + +Count = 1045 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E94A7EFE4EDCFD3589B7A27A34DEB40A5 + +Count = 1046 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E9169928B530406DF4898C05308C87126 + +Count = 1047 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EB99FCEAAE13669564FDBBF2F814A33B9 + +Count = 1048 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EDB35B1BA92597B29BBDEEF36499210D7 + +Count = 1049 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E93B8B184933B473F61B6CDBF08392173 + +Count = 1050 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5C9A984DD74A34BE0688446C091D3EEC + +Count = 1051 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E2D62049C53413B391C2D47BF25F57A59 + +Count = 1052 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E1421623787814EFADE9F4A265C30E977 + +Count = 1053 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E24FFB63372A903CF64348992218010CE + +Count = 1054 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E7C8418578BFFC5E06AFFBE90D1511D71 + +Count = 1055 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E4A7A654007B17E5C8FB71325C90C60D0 + +Count = 1056 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7ED5B836E9AA231749BBBAA7FC567A3531 + +Count = 1057 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BDD94B5A9DC1B1E0E4B67D163F605735C + +Count = 1058 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B186B6446EA9C11776FC4898B81EB29F8 + +Count = 1059 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BDD796FED92C9F4EC6B35A510582B3CB0 + +Count = 1060 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B44A8F44556E979E585CD00106687B3A4 + +Count = 1061 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B497D546C857A26CFA3FEF7CD63B69F50 + +Count = 1062 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BA56090EF2B509E6EA3F9613F37E81FDC + +Count = 1063 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BDCA0105EBD828602886CD675D1F14CE7 + +Count = 1064 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B501023C29BE403038D54FCAB411741C0 + +Count = 1065 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304050607 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B123A0EA9636AB0F96B5C8397B2F9B28D + +Count = 1066 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B4A49875F1844E384C868D30131350F7F + +Count = 1067 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506070809 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BE62E99051D801AF82A944F5DC545C3E9 + +Count = 1068 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BD4A46279A8A000A4AA77ED2882C2F4E2 + +Count = 1069 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B36E9DF1545C4B8ECFB99CC7E5062BADE + +Count = 1070 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B9BE7050EC141C254BE8C91B097E70587 + +Count = 1071 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B9E947B7136C0AA67320708F23FDD5281 + +Count = 1072 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B1AC522C3BDEF3C5B71C9A1426AD5F48D + +Count = 1073 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BD4185160F5ED88930E22F46AF414BEA1 + +Count = 1074 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B0F97287F1535F1C3ADFB5FC55BC05AE3 + +Count = 1075 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BC77433961DC9C3B9921DEA7D023C0767 + +Count = 1076 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B34CFD3A806C74A813388F8AD3FF4F8C7 + +Count = 1077 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B654F40A547EE69F11409332357B700AE + +Count = 1078 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B377F930C72384B3D79130E741BE305AB + +Count = 1079 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B32B1EE63CCF39EBAAAF1E9845EC03428 + +Count = 1080 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B1A47B2427EC1F133ADB296F8D74276B7 + +Count = 1081 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B78EDCD520DAEE34C59B7C6E11F9A55D9 + +Count = 1082 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B3060CD6C0CCCDF5A83DFE4685E31647D + +Count = 1083 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BFF42E4A548BDACDBE4E16DBB5F157BE2 + +Count = 1084 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B8EBA7874CCB6A35CFE446E6873FD3F57 + +Count = 1085 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BB7F91EDF1876D69F3CF663F10A38AC79 + +Count = 1086 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B8727CADBED5E9BAA865DA045778855C0 + +Count = 1087 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BDF5C64BF14085D85889697478759587F + +Count = 1088 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BE9A219A89846E6396DDE3AF29F0425DE + +Count = 1089 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B76604A0135D48F2C59D38E2B0072703F + diff --git a/elephant/Implementations/crypto_aead/elephant200v1/ref/LWC_AEAD_KAT_128_96.txt b/elephant/Implementations/crypto_aead/elephant200v1/ref/LWC_AEAD_KAT_128_96.txt deleted file mode 100644 index d17b858..0000000 --- a/elephant/Implementations/crypto_aead/elephant200v1/ref/LWC_AEAD_KAT_128_96.txt +++ /dev/null @@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = -CT = F15ACBDAAD35B3172B71A67F6D61743E - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00 -CT = 34A51A359BB2BC6E0FD2FE971A8F2E9A - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001 -CT = F1B7119EE3E759F50B23D20CC34F3BD2 - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102 -CT = 68668A3627C7D4FCE5DB770CFDE3B4C6 - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203 -CT = 65B32A1FF4548BD6C3E880D1F8D29832 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304 -CT = 89AEEE9C5A7E3377C3EF1623AC8C18BE - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405 -CT = F06E6E2DCCAC2B1BE87AA1694A954B85 - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506 -CT = 7CDE5DB1EACAAE1AED428BB7DA7346A2 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304050607 -CT = 3EF470DA12441DE00B4AF48B299DB5EF - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708 -CT = 6687F92C696A4E9DA87EA41DAA51081D - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506070809 -CT = CAE0E7766CAEB7E14A8238415E21C48B - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A -CT = F86A1C0AD98EADBDCA619A3419A6F380 - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B -CT = 1A27A16634EA15F59B8FBB62CB06BDBC - -Count = 14 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C -CT = B7297B7DB06F6F4DDE9AE6AC0C8302E5 - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D -CT = B25A050247EE077E52117FEEA4B955E3 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 360B5CB0CCC1914211DFD65EF1B1F3EF - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = F8D62F1384C3258A6E3483766F70B9C3 - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2359560C641B5CDACDED28D9C0A45D81 - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = EBBA4DE56CE76EA0F20B9D6199580005 - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 1801ADDB77E9E798539E8FB1A490FFA5 - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 49813ED636C0C4E8741F443FCCD307CC - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 1BB1ED7F0316E62419057968808702C9 - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 1E7F9010BDDD33A3CAE79E98C5A4334A - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 3689CC310FEF5C2ACDA4E1E44C2671D5 - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 5423B3217C804E5539A1B1FD84FE52BB - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 1CAEB31F7DE27243E3C99374C555631F - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = D38C9AD6399301C284F71AA7C4717C80 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = A2740607BD980E459E521974E8993835 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9B3760AC69587B865CE014ED915CAB1B - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = ABE9B4A89C7036B3E64BD759ECEC52A2 - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = F3921ACC6526F09CE880E05B1C3D5F1D - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C56C67DBE9684B200DC84DEE046022BC - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 5AAE347244FA223539C5F9379B16775D - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = -CT = 75F797289653F5E1F298E281E32386CFCC - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00 -CT = 753268F9796572EE8BBC41D90B54689568 - -Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001 -CT = 75F77AF2D21D270B10B8B0F5908DA88020 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102 -CT = 756EAB697AD907861956485090B3040F34 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203 -CT = 75637EC9530A94D933707BA74DB63523C0 - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304 -CT = 758F630DD0A4BE6192707C31BFE26BA34C - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405 -CT = 75F6A38D61326C79FE5BE986F50472F077 - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506 -CT = 757A13BEFD140AFCFF5ED1AC2B9494FD50 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304050607 -CT = 7538399396EC844F05B8D9D317677A0E1D - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708 -CT = 75604A1A6097AA1C781BED8381E4B6B3EF - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506070809 -CT = 75CC2D043A926EE504F9111FDD10C67F79 - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A -CT = 75FEA7FF46274EFF5879F2BDA857414872 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B -CT = 751CEA422ACA2A4710281C9CFE85E1064E - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C -CT = 75B1E498314EAF3DA86D09C1304264B917 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 75B497E64EB92E559BE1825872EA5EEE11 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = 7530C6BFFC3201C3A7A24CF1C2BF56481D - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75FE1BCC5F7A03776FDDA7A4EA21970231 - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 752594B5409ADB0E3F7E7E0F458E43E673 - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75ED77AEA992273C454198BAFDD7BFBBF7 - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 751ECC4E978929B57DE00DA82DEA774457 - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 754F4CDD9AC800960DC78C63A38234BC3E - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 751D7C0E33FDD6B4C1AA965EF4CE60B93B - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 7518B2735C431D61467974B9048B4388B8 - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 7530442F7DF12F0ECF7E37C67802C1CA27 - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 7552EE506D82401CB08A329661CA19E949 - -Count = 59 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 751A635053832220A6505AB4E88BB2D8ED - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75D541799AC753532737643D3B8A96C772 - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75A4B9E54B43585CA02DC13EE8A67E83C7 - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 759DFA83E097982963EF733371DFBB10E9 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75AD2457E462B0645655D8F0C5A20BE950 - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F55FF9809BE6A2795B13C7C752DAE4EF - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75C3A1849717A819C5BE5B6A724A87994E - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 755C63D73EBA3A70D08A56DEABD5F1CCAF - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = -CT = 75F8800643012C02E88E68F12495367A7CBF - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00 -CT = 75F845F992EE1A85E7F74C527C7D4194261B - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001 -CT = 75F880EB994562D0026C48A350E698543353 - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102 -CT = 75F8193A02EDA6F08F65A65BF5E6A6F8BC47 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203 -CT = 75F814EFA2C47563D04F8068023BA3C990B3 - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304 -CT = 75F8F8F26647DB4968EE806F94C9F797103F - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405 -CT = 75F88132E6F64D9B7082ABFA2383118E4304 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506 -CT = 75F80D82D56A6BFDF583AEC2095D81684E23 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304050607 -CT = 75F84FA8F8019373467948CA76617286BD6E - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708 -CT = 75F817DB71F7E85D1504EBFE26F7F14A009C - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506070809 -CT = 75F8BBBC6FADED99EC780902BAAB053ACC0A - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A -CT = 75F8893694D158B9F62489E118DE42BDFB01 - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B -CT = 75F86B7B29BDB5DD4E6CD80F3988901DB53D - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C -CT = 75F8C675F3A6315834D49D1A644657980A64 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D -CT = 75F8C3068DD9C6D95CE71191FD04FFA25D62 - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = 75F84757D46B4DF6CADB525F54B4AAAAFB6E - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8898AA7C805F47E132DB4019C346BB142 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F85205DED7E52C07438E6DAA339BBF5500 - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F89AE6C53EEDD03539B18B1F8BC2430884 - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8695D2500F6DEBC01101E0D5BFF8BF724 - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F838DDB60DB7F79F71379FC6D597C80F4D - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F86AED65A48221BDBD5A85FB82DB9C0A48 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F86F2318CB3CEA683A89671C729EBF3BCB - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F847D544EA8ED807B38E24630E173D7954 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8257F3BFAFDB715CC7A213317DFE55A3A - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F86DF23BC4FCD529DAA049119E9E4E6B9E - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8A2D0120DB8A45A5BC777984D9F6A7401 - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8D3288EDC3CAF55DCDDD29B9EB38230B4 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8EA6BE877E86F201F1F609607CA47A39A - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8DAB53C731D476D2AA5CB55B3B7F75A23 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F882CE9217E411AB05AB0062B14726579C - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8B430EF00685F10B94E48CF045F7B2A3D - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F82BF2BCA9C5CD79AC7A457BDDC00D7FDC - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = -CT = 75F8BD3516DE07D6044CA2EDC2B2770E1DA70A - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00 -CT = 75F8BDF0E90FE8E08343DBC961EA9F79F3FDAE - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001 -CT = 75F8BD35FB044398D6A640CD90C604A033E8E6 - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102 -CT = 75F8BDAC2A9FEB5CF62B49236863049E9F67F2 - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203 -CT = 75F8BDA1FF3FC28F657463055B94D99BAE4B06 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304 -CT = 75F8BD4DE2FB41214FCCC2055C022BCFF0CB8A - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405 -CT = 75F8BD34227BF0B79DD4AE2EC9B56129E998B1 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506 -CT = 75F8BDB892486C91FB51AF2BF19FBFB90F9596 - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304050607 -CT = 75F8BDFAB865076975E255CDF9E0834AE166DB - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708 -CT = 75F8BDA2CBECF1125BB1286ECDB015C92DDB29 - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506070809 -CT = 75F8BD0EACF2AB179F48548C312C493D5D17BF - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A -CT = 75F8BD3C2609D7A2BF52080CD28E3C7ADA20B4 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B -CT = 75F8BDDE6BB4BB4FDBEA405D3CAF6AA87A6E88 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C -CT = 75F8BD73656EA0CB5E90F81829F2A46FFFD1D1 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD761610DF3CDFF8CB94A26BE6C7C586D7 - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BDF247496DB7F06EF7D76CC25692CD20DB - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD3C9A3ACEFFF2DA3FA887977E0C0C6AF7 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BDE71543D11F2AA36F0B5E3CD1A3D88EB5 - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD2FF6583817D6911534B88969FA24D331 - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BDDC4DB8060CD8182D952D9BB9C7EC2C91 - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD8DCD2B0B4DF13B5DB2AC5037AFAFD4F8 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BDDFFDF8A278271991DFB66D60E3FBD1FD - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BDDA3385CDC6ECCC160C548A90A6D8E07E - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BDF2C5D9EC74DEA39F0B17F5EC2F5AA2E1 - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD906FA6FC07B1B1E0FF12A5F5E782818F - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BDD8E2A6C206D38DF6257A877CA629B02B - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD17C08F0B42A2FE7742440EAFA70DAFB4 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD663813DAC6A9F1F058E10D7C8BE5EB01 - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD5F7B7571126984339A5300E5F220782F - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD6FA5A175E741C90620F8C3518F908196 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD37DE0F111E170F292E33F4537F418C29 - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD012072069259B495CB7B59E6671CF188 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD9EE221AF3FCBDD80FF76ED3FF86AA469 - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = -CT = 75F8BD7F52BDA7B96A4B5D488D71E517A1DC1495 - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00 -CT = 75F8BD7F974276565CCC5231A9D2BDFFD6324E31 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001 -CT = 75F8BD7F52507DFD2499B7AAAD2391640FF25B79 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102 -CT = 75F8BD7FCB81E655E0B93AA343DB3464315ED46D - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203 -CT = 75F8BD7FC654467C332A658965E8C3B9346FF899 - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304 -CT = 75F8BD7F2A4982FF9D00DD2865EF554B60317815 - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405 -CT = 75F8BD7F5389024E0BD2C5444E7AE20186282B2E - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506 -CT = 75F8BD7FDF3931D22DB440454B42C8DF16CE2609 - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304050607 -CT = 75F8BD7F9D131CB9D53AF3BFAD4AB7E3E520D544 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708 -CT = 75F8BD7FC560954FAE14A0C20E7EE77566EC68B6 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506070809 -CT = 75F8BD7F69078B15ABD059BEEC827B29929CA420 - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A -CT = 75F8BD7F5B8D70691EF043E26C61D95CD51B932B - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B -CT = 75F8BD7FB9C0CD05F394FBAA3D8FF80A07BBDD17 - -Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F14CE171E77118112789AA5C4C03E624E - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F11BD69618090E921F4113C8668043548 - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F95EC30D30BBF7F1DB7DF95363D0C9344 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F5B31437043BDCBD5C834C01EA3CDD968 - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F80BE3A6FA365B2856BED6BB10C193D2A - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F485D2186AB9980FF540BDE0955E560AE - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7FBBE6C1B8B09709C7F59ECCD9682D9F0E - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7FEA6652B5F1BE2AB7D21F0757006E6767 - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7FB856811CC468087BBF053A004C3A6262 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7FBD98FC737AA3DDFC6CE7DDF0091953E1 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F956EA052C891B2756BA4A28C809B117E - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7FF7C4DF42BBFEA00A9FA1F29548433210 - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7FBF49DF7CBA9C9C1C45C9D01C09E803B4 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F706BF6B5FEEDEF9D22F759CF08CC1C2B - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F01936A647AE6E01A38525A1C2424589E - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F38D00CCFAE2695D9FAE057855DE1CBB0 - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F080ED8CB5B0ED8EC404B943120513209 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F507576AFA2581EC34E80A333D0803FB6 - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F668B0BB82E16A57FABC80E86C8DD4217 - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7FF94958118384CC6A9FC5BA5F57AB17F6 - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = -CT = 75F8BD7F4713632EDC7CD5ADE3F56280918D754F0F - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00 -CT = 75F8BD7F47D69CFF334A52A29AD1C1D879FA9B15AB - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001 -CT = 75F8BD7F47138EF49832074701D530F4E2235B00E3 - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102 -CT = 75F8BD7F478A5F6F30F627CA083BC851E21DF78FF7 - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203 -CT = 75F8BD7F47878ACF1925B495221DFBA63F18C6A303 - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304 -CT = 75F8BD7F476B970B9A8B9E2D831DFC30CD4C98238F - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405 -CT = 75F8BD7F4712578B2B1D4C35EF36698787AA8170B4 - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506 -CT = 75F8BD7F479EE7B8B73B2AB0EE3351AD593A677D93 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304050607 -CT = 75F8BD7F47DCCD95DCC3A40314D559D265C9898EDE - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708 -CT = 75F8BD7F4784BE1C2AB88A5069766D82F34A45332C - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506070809 -CT = 75F8BD7F4728D90270BD4EA91594911EAFBE35FFBA - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A -CT = 75F8BD7F471A53F90C086EB3491472BCDAF9B2C8B1 - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B -CT = 75F8BD7F47F81E4460E50A0B01459C9D8C2B12868D - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4755109E7B618F71B90089C042EC9739D4 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F475063E004960E198A8C02590044AD6ED2 - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F47D432B9B61D218FB6CFCCF0B011A5C8DE - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F471AEFCA1555233B7EB027A5988F6482F2 - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F47C160B30AB5FB422E13FE0E3720B066B0 - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F470983A8E3BD0770542C18BB8F794C3B34 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F47FA3848DDA609F96C8D8DA95F4484C494 - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F47ABB8DBD0E720DA1CAA0C62D12CC73CFD - -Count = 187 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F47F9880879D2F6F8D0C7165F86609339F8 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F47FC4675166C3D2D5714F4B87625B0087B - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F47D4B02937DE0F42DE13B7C70AAC324AE4 - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F47B61A5627AD6050A1E7B2971364EA698A - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F47FE975619AC026CB73DDAB59A2541582E - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4731B57FD0E8731F365AE43C49246547B1 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F47404DE3016C7810B140413F9A088D0304 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F47790E85AAB8B8657282F332037148902A - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4749D051AE4D9028473858F1B70CF86993 - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4711ABFFCAB4C6EE683693C6B5FC29642C - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F47275582DD388855D4D3DB6B00E474198D - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F47B897D174951A3CC1E7D6DFD97B024C6C - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = -CT = 75F8BD7F4702B4A392153FB14CC7B698E976C1B4204A - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00 -CT = 75F8BD7F4702715C43FA093643BE923BB19EB65A7AEE - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001 -CT = 75F8BD7F4702B44E48517163A62596CA9D056F9A6FA6 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102 -CT = 75F8BD7F47022D9FD3F9B5432B2C783238055136E0B2 - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203 -CT = 75F8BD7F4702204A73D066D074065E01CFD85407CC46 - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304 -CT = 75F8BD7F4702CC57B753C8FACCA75E06592A00594CCA - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405 -CT = 75F8BD7F4702B59737E25E28D4CB7593EE60E6401FF1 - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506 -CT = 75F8BD7F47023927047E784E51CA70ABC4BE76A612D6 - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304050607 -CT = 75F8BD7F47027B0D291580C0E23096A3BB828548E19B - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708 -CT = 75F8BD7F4702237EA0E3FBEEB14D3597EB1406845C69 - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506070809 -CT = 75F8BD7F47028F19BEB9FE2A4831D76B7748F2F490FF - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A -CT = 75F8BD7F4702BD9345C54B0A526D5788D53DB573A7F4 - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B -CT = 75F8BD7F47025FDEF8A9A66EEA250666F46B67D3E9C8 - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702F2D022B222EB909D4373A9A5A0565691 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702F7A35CCDD56AF8AECFF830E7086C0197 - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F470273F2057F5E456E928C3699575D64A79B - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702BD2F76DC1647DA5AF3DDCC7FC3A5EDB7 - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F470266A00FC3F69FA30A500467D06C7109F5 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702AE43142AFE6391706FE2D268358D5471 - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F47025DF8F414E56D1848CE77C0B80845ABD1 - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F47020C786719A4443B38E9F60B36600653B8 - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F47025E48B4B0919219F484EC36612C5256BD - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F47025B86C9DF2F59CC73570ED1916971673E - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702737095FE9D6BA3FA504DAEEDE0F325A1 - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F470211DAEAEEEE04B185A448FEF4282B06CF - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F47025957EAD0EF668D937E20DC7D6980376B - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F47029675C319AB17FE12191E55AE68A428F4 - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702E78D5FC82F1CF19503BB567D444C6C41 - -Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702DECE3963FBDC8456C1095BE43D89FF6F - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EE10ED670EF4C9637BA29850403906D6 - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702B66B4303F7A20F4C7569AF52B0E80B69 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F470280953E147BECB4F0902102E7A8B576C8 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F47021F576DBDD67EDDE5A42CB63E37C32329 - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = -CT = 75F8BD7F4702EA437F55891181F70BDE51D1422E2BA8FE - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00 -CT = 75F8BD7F4702EA868084662706F872FAF289AA59C5F25A - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001 -CT = 75F8BD7F4702EA43928FCD5F531DE9FE03A5318005E712 - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102 -CT = 75F8BD7F4702EADA4314659B7390E010FB0031BEA96806 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203 -CT = 75F8BD7F4702EAD796B44C48E0CFCA36C8F7ECBB9844F2 - -Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304 -CT = 75F8BD7F4702EA3B8B70CFE6CA776B36CF611EEFC6C47E - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405 -CT = 75F8BD7F4702EA424BF07E70186F071D5AD65409DF9745 - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506 -CT = 75F8BD7F4702EACEFBC3E2567EEA061862FC8A99399A62 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304050607 -CT = 75F8BD7F4702EA8CD1EE89AEF059FCFE6A83B66AD7692F - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708 -CT = 75F8BD7F4702EAD4A2677FD5DE0A815D5ED320E91BD4DD - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA78C57925D01AF3FDBFA24F7C1D6B184B - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA4A4F8259653AE9A13F41ED095AEC2F40 - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EAA8023F35885E51E96EAFCC5F884C617C - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA050CE52E0CDB2B512BBA91914FC9DE25 - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA007F9B51FB5A4362A73108D3E7F38923 - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA842EC2E37075D55EE4FFA163B2FB2F2F - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA4AF3B140387761969B14F44B2C3A6503 - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA917CC85FD8AF18C638CD5FE483EE8141 - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA599FD3B6D0532ABC072BEA5CDA12DCC5 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EAAA243388CB5DA384A6BEF88CE7DA2365 - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EAFBA4A0858A7480F4813F33028F99DB0C - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EAA994732CBFA2A238EC250E55C3CDDE09 - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EAAC5A0E43016977BF3FC7E9A586EEEF8A - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA84AC5262B35B1836388496D90F6CAD15 - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EAE6062D72C0340A49CC81C6C0C7B48E7B - -Count = 257 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EAAE8B2D4CC156365F16E9E449861FBFDF - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA61A90485852745DE71D76D9A873BA040 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA10519854012C4A596B726E49ABD3E4F5 - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA2912FEFFD5EC3F9AA9C063D0D21677DB - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA19CC2AFB20C472AF136BA064AFA68E62 - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA41B7849FD992B4801DA097665F7783DD - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA7749F98855DC0F3CF8E83AD3472AFE7C - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EAE88BAA21F84E6629CCE58E0AD85CAB9D - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = -CT = 75F8BD7F4702EA536D5F65A0813549A46484341041EB4E4D - -Count = 266 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00 -CT = 75F8BD7F4702EA53A8A0B44FB7B246DD40276CF8360514E9 - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001 -CT = 75F8BD7F4702EA536DB2BFE4CFE7A34644D64063EFC501A1 - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102 -CT = 75F8BD7F4702EA53F463244C0BC72E4FAA2EE563D1698EB5 - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203 -CT = 75F8BD7F4702EA53F9B68465D85471658C1D12BED458A241 - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304 -CT = 75F8BD7F4702EA5315AB40E6767EC9C48C1A844C800622CD - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405 -CT = 75F8BD7F4702EA536C6BC057E0ACD1A8A78F3306661F71F6 - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506 -CT = 75F8BD7F4702EA53E0DBF3CBC6CA54A9A2B719D8F6F97CD1 - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304050607 -CT = 75F8BD7F4702EA53A2F1DEA03E44E75344BF66E405178F9C - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708 -CT = 75F8BD7F4702EA53FA825756456AB42EE78B367286DB326E - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA5356E5490C40AE4D520577AA2E72ABFEF8 - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA53646FB270F58E570E8594085B352CC9F3 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA5386220F1C18EAEF46D47A290DE78C87CF - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA532B2CD5079C6F95FE916F74C320093896 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA532E5FAB786BEEFDCD1DE4ED8188336F90 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA53AA0EF2CAE0C16BF15E2A4431DD3BC99C - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA5364D38169A8C3DF3921C1111943FA83B0 - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA53BF5CF876481BA6698218BAB6EC2E67F2 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA5377BFE39F40E79413BDFE0F0EB5D23A76 - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA53840403A15BE91D2B1C6B1DDE881AC5D6 - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA53D58490AC1AC03E5B3BEAD650E0593DBF - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA5387B443052F161C9756F0EB07AC0D38BA - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA53827A3E6A91DDC91085120CF7E92E0939 - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA53AA8C624B23EFA6998251738B60AC4BA6 - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA53C8261D5B5080B4E676542392A87468C8 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA5380AB1D6551E288F0AC3C011BE9DF596C - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA534F8934AC1593FB71CB0288C8E8FB46F3 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA533E71A87D9198F4F6D1A78B1BC4130246 - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA530732CED64558813513158682BDD69168 - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA5337EC1AD2B070CC00A9BE4536C06668D1 - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA536F97B4B649260A2FA775723430B7656E - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535969C9A1C568B193423DDF8128EA18CF - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA53C6AB9A0868FAD88676306B58B79C4D2E - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = -CT = 75F8BD7F4702EA535ACD2EE4E235206302B93720871498261B - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00 -CT = 75F8BD7F4702EA535A08D1350D03A76C7B9D94786F63767CBF - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001 -CT = 75F8BD7F4702EA535ACDC33EA67BF289E0996554F4BAB669F7 - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102 -CT = 75F8BD7F4702EA535A5412A50EBFD204E9779DF1F4841AE6E3 - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203 -CT = 75F8BD7F4702EA535A59C705276C415BC351AE0629812BCA17 - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304 -CT = 75F8BD7F4702EA535AB5DAC1A4C26BE36251A990DBD5754A9B - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405 -CT = 75F8BD7F4702EA535ACC1A411554B9FB0E7A3C2791336C19A0 - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A40AA728972DF7E0F7F040D4FA38A1487 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A02805FE28A51CDF5990C72735064E7CA - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A5AF3D614F17F9E883A3822E5D3A85A38 - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535AF694C84EF4BB67F4D8C4BEB927D896AE - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535AC41E3332419B7DA858271CCC605FA1A5 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A26538E5EACFFC5E009C93D9AB2FFEF99 - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A8B5D5445287ABF584CDC6054757A50C0 - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A8E2E2A3ADFFBD76BC057F916DD4007C6 - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A0A7F738854D44157839950A68848A1CA - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535AC4A2002B1CD6F59FFC72058E1689EBE6 - -Count = 315 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1F2D7934FC0E8CCF5FABAE21B95D0FA4 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535AD7CE62DDF4F2BEB5604D1B99E0A15220 - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A247582E3EFFC378DC1D80949DD69AD80 - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A75F511EEAED514FDE659C2C7B52A55E9 - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A27C5C2479B0336318B43FF90F97E50EC - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A220BBF2825C8E3B658A11860BC5D616F - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A0AFDE30997FA8C3F5FE2671C35DF23F0 - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A68579C19E4959E40ABE73705FD07009E - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A20DA9C27E5F7A256718F158CBCAC313A - -Count = 324 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535AEFF8B5EEA186D1D716B19C5FBD882EA5 - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A9E00293F258DDE500C149F8C91606A10 - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535AA7434F94F14DAB93CEA69215E8A5F93E - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A979D9B900465E6A6740D51A195150087 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535ACFE635F4FD3320897AC666A365C40D38 - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535AF91848E3717D9B359F8ECB167D997099 - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A66DA1B4ADCEFF220AB837FCFE2EF2578 - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = -CT = 75F8BD7F4702EA535A1C305CBEF8FDC04C6B24F5314FEE4BB14E - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00 -CT = 75F8BD7F4702EA535A1CF5A36F17CB474312005669A799A5EBEA - -Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001 -CT = 75F8BD7F4702EA535A1C30B164BCB312A68904A7453C4065FEA2 - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102 -CT = 75F8BD7F4702EA535A1CA960FF1477322B80EA5FE03C7EC971B6 - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CA4B55F3DA4A174AACC6C17E17BF85D42 - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1C48A89BBE0A8BCC0BCC6B81132FA6DDCE - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1C31681B0F9C59D467E7FE3659C9BF8EF5 - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CBDD82893BA3F5166E2C61C87595983D2 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CFFF205F842B1E29C04CE63BBAAB7709F - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CA7818C0E399FB1E1A7FA332D297BCD6D - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1C0BE692543C5B489D4506AF71DD0B01FB - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1C396C6928897B52C1C5E50D049A8C36F0 - -Count = 343 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CDB21D444641FEA89940B2C52482C78CC - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1C762F0E5FE09A9031D11E719C8FA9C795 - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1C735C7020171BF8025D95E8DE27939093 - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CF70D29929C346E3E1E5B416E729B369F - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1C39D05A31D436DAF661B01446EC5A7CB3 - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE25F232E34EEA3A6C269BFE9438E98F1 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1C2ABC38C73C1291DCFD8F0A511A72C575 - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CD907D8F9271C18E45C1A188127BA3AD5 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1C88874BF466353B947B9BD30F4FF9C2BC - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CDAB7985D53E319581681EE5803ADC7B9 - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CDF79E532ED28CCDFC56309A8468EF63A - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CF78FB9135F1AA356C22076D4CF0CB4A5 - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1C9525C6032C75B129362526CD07D497CB - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CDDA8C63D2D178D3FEC4D0444467FA66F - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1C128AEFF46966FEBE8B738D97475BB9F0 - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1C63727325ED6DF13991D68E446BB3FD45 - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1C5A31158E39AD84FA536483DD12766E6B - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1C6AEFC18ACC85C9CFE9CF40696FC697D2 - -Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1C32946FEE35D30FE0E704776B9F179A6D - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1C046A12F9B99DB45C024CDADE874AE7CC - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1C9BA84150140FDD4936416E07183CB22D - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = -CT = 75F8BD7F4702EA535A1CE25C0A2BEADD549AF1B448FE28B6A4CC36 - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00 -CT = 75F8BD7F4702EA535A1CE299F5FA05EBD3958890EBA6C0C14A9692 - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001 -CT = 75F8BD7F4702EA535A1CE25CE7F1AE93867013941A8A5B188A83DA - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102 -CT = 75F8BD7F4702EA535A1CE2C5366A0657A6FD1A7AE22F5B26260CCE - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE2C8E3CA2F8435A2305CD1D8862317203A - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE224FE0EAC2A1F1A915CD64E747749A0B6 - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE25D3E8E1DBCCD02FD7743F93E9150F38D - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE2D18EBD819AAB87FC727BD3E001B6FEAA - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE293A490EA622534069473ACDCF2580DE7 - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE2CBD7191C190B677B3747FC4A7194B015 - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE267B007461CCF9E07D5BB601685E47C83 - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE2553AFC3AA9EF845B5558C263C2634B88 - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE2B7774156448B3C1304B6E33510C305B4 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE21A799B4DC00E46AB41A3BEFBD746BAED - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE21F0AE532378F2E98CD2827B97F7CEDEB - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE29B5BBC80BCA0B8A48EE68E092A744BE7 - -Count = 380 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE25586CF23F4A20C6CF10DDB21B4B501CB - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE28E09B63C147A753C52D4708E1B61E589 - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE246EAADD51C8647466D32C536429DB80D - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE2B5514DEB0788CE7ECCA7D7E67F5547AD - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE2E4D1DEE646A1ED0EEB261C681716BFC4 - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE2B6E10D4F7377CFC2863C213F5B42BAC1 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE2B32F7020CDBC1A4555DEC6CF1E618B42 - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE29BD92C017F8E75CC529DB9B397E3C9DD - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE2F97353110CE167B3A698E9AA5F3BEAB3 - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE2B1FE532F0D835BA57CF0CB231E90DB17 - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE27EDC7AE649F228241BCE42F01FB4C488 - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE20F24E637CDF927A3016B4123335C803D - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23667809C19395260C3D94CBA4A991313 - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE206B95498EC111F5579728F0E3729EAAA - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE25EC2FAFC1547D97A77B9B80CC7F8E715 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE2683C87EB990962C692F115B9DFA59AB4 - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE2F7FED442349B0BD3A6FCA16040D3CF55 - -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = -CT = 75F8BD7F4702EA535A1CE23E2667F4CAD2004ABC625DDA08BF849DA7 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00 -CT = 75F8BD7F4702EA535A1CE23EE3982525E48745C546FE82E0C86AC703 - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E268A2E8E9CD2A05E420FAE7B11AAD24B - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23EBF5BB52658F22D57ACF70B7B2F065D5F - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23EB28E150F8B61727D8AC4FCA62A3771AB - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E5E93D18C254BCADC8AC36A547E69F127 - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2753513DB399D2B0A156DD1E9870A21C - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23EABE362A195FF57B1A46EF7C00896AF3B - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23EE9C94FCA6D71E44B426688FCFB785C76 - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23EB1BAC63C165FB736E152D86A78B4E184 - -Count = 407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E1DDDD866139B4E4A03AE44368CC42D12 - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2F57231AA6BB5416834DE643CB431A19 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23ECD1A9E764BDFEC5ED2A3C71519E35425 - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E6014446DCF5A96E697B69ADBDE66EB7C - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E65673A1238DBFED51B3D0399765CBC7A - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23EE13663A0B3F468E958F3AA2923541A76 - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2FEB1003FBF6DC212718FF01BD95505A - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23EF464691C1B2EA57184C154AE1241B418 - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E3C8772F513D2970BBB27E1164BBDE99C - -Count = 416 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23ECF3C92CB08DC1E331AB2F3C67675163C - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E9EBC01C649F53D433D3338481E36EE55 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23ECC8CD26F7C231F8F5029051F5262EB50 - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23EC942AF00C2E8CA0883CBE2EF1741DAD3 - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23EE1B4F32170DAA58184889D939EC3984C - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E831E8C3103B5B7FE708DCD8A561BBB22 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23ECB938C0F02D78BE8AAE5EF0317B08A86 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E04B1A5C646A6F869CDDB66D016949519 - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E75493917C2ADF7EED77E65033A7CD1AC - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E4C0A5FBC166D822D15CC689A43B94282 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E7CD48BB8E345CF18AF67AB2E3E09BB3B - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E24AF25DC1A130937A1AC9C2CCED8B684 - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E125158CB965DB28B44E43199D685CB25 - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E8D930B623BCFDB9E70E9854049F39EC4 - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = -CT = 75F8BD7F4702EA535A1CE23E2DA4710F232426B4955579426D01DD9895 - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D618EDECC12A1BBEC71DA1A857633C231 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2DA49CD5676AF45E77752B361EAFF3D779 - -Count = 433 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D3D4D4ECFAED4D37E9BD3931E915F586D - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D3098EEE67D478C54BDE064C3946E7499 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2DDC852A65D36D34F5BDE7F231C030F415 - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2DA545AAD445BF2C999672457B2629A72E - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D29F5994863D9A998934A6FA5B6CFAA09 - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D6BDFB4239B571A627542109945215944 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D33AC3DD5E079491FD676400FC6EDE4B6 - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D9FCB238FE5BDB063348ADC53329D2820 - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2DAD41D8F3509DAA3FB4697E26751A1F2B - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D4F0C659FBDF91277E5875F70A7BA5117 - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2DE202BF84397C68CFA09202BE603FEE4E - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2DE771C1FBCEFD00FC2C199BFCC805B948 - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D6320984945D296C06FD7324C9D0D1F44 - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2DADFDEBEA0DD02208103C676403CC5568 - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D767292F5ED085B58B3E5CCCBAC18B12A - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2DBE91891CE5F469228C037973F5E4ECAE - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D4D2A6922FEFAE01A2D966BA3C82C130E - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D1CAAFA2FBFD3C36A0A17A02DA06FEB67 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D4E9A29868A05E1A6670D9D7AEC3BEE62 - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D4B5454E934CE3421B4EF7A8AA918DFE1 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D63A208C886FC5BA8B3AC05F6209A9D7E - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D010877D8F59349D747A955EFE842BE10 - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D498577E6F4F175C19DC17766A9E98FB4 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D86A75E2FB0800640FAFFFEB5A8CD902B - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2DF75FC2FE348B09C7E05AFD668425D49E - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2DCE1CA455E04B7C0422E8F0FFFDE047B0 - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2DFEC27051156331319843334B8050BE09 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2DA6B9DE35EC35F71E968804497081B3B6 - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D9047A322607B4CA273C0A9FC68DCCE17 - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D0F85F08BCDE925B747CD1D25F7AA9BF6 - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = -CT = 75F8BD7F4702EA535A1CE23E2D07EFCC1CCFBB3E95C86933C2F38767211B - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D072A33CD208DB99AB14D909A1BF0897BBF - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D07EF21C68BF5EC7F2A4961B68029496EF7 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D0776F05D2331CCF223A799138017E5E1E3 - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D077B25FD0AE25FAD0981AAE45D12D4CD17 - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D07973839894C7515A881AD72AF468A4D9B - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D07EEF8B938DAA70DC4AA38C5E5A0931EA0 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D0762488AA4FCC188C5AF00EF3B30751387 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D072062A7CF044F3B3F49089007C39BE0CA - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D0778112E397F616842EA3CC09140575D38 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D07D47630637AA5913E08C05CCDB42791AE - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D07E6FCCB1FCF858B628823FEB8F3A0A6A5 - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D0704B1767322E1332AD9CDDFEE2100E899 - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D07A9BFAC68A66449929CD88220E68557C0 - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D07ACCCD21751E521A110531B624EBF00C6 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D07289D8BA5DACAB79D539DB2D21BB7A6CA - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D07E640F80692C803552C76E7FA8576ECE6 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D073DCF811972107A058FAF4C552AA208A4 - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D07F52C9AF07AEC487FB049F9ED735E5520 - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D0706977ACE61E2C14711DCEB3D4E96AA80 - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D075717E9C320CBE237365D20B326D552E9 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D0705273A6A151DC0FB5B471DE46A8157EC - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D0700E94705ABD6157C88A5FA142FA2666F - -Count = 486 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D07281F1B2419E47AF58FE68568A62024F0 - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D074AB564346A8B688A7BE3D5716EF8079E - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D070238640A6BE9549CA18BF7F82F53363A - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D07CD1A4DC32F98271DC6B57E2B2E7729A5 - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D07BCE2D112AB93289ADC107DF8029F6D10 - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D0785A1B7B97F535D591EA270617B5AFE3E - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D07B57F63BD8A7B106CA409B3D506EA0787 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D07ED04CDD9732DD643AAC284D7F63B0A38 - -Count = 494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D07DBFAB0CEFF636DFF4F8A2962EE667799 - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D074438E36752F104EA7B879DBB71102278 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F5030FDAE23A2BED9CF994E56BBE1E9CC - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F95CF2C411525B1A0EB3A16BECC0FB368 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F50DD27EA6D70543BEFCB3A2515CFA620 - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079FC90CBC42A950D93201339F252B632934 - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079FC4D91C6B7AC38618270068F82E5205C0 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F28C4D8E8D4E93EB92707FE0A7A0C854C - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F51045859423B26D50C9249409C15D677 - -Count = 503 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079FDDB46BC5645DA3D409AA639E0CF3DB50 - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F9F9E46AE9CD3102EEFA21CA2FF1D281D - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079FC7EDCF58E7FD43534C964C347CD195EF - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F6B8AD102E239BA2FAE6AD06888A15979 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F59002A7E5719A0732E89721DCF266E72 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079FBB4D9712BA7D183B7F67534B1D86204E - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F16434D093EF862833A720E85DA039F17 - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F13303376C9790AB0B6F997C77239C811 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F97616AC442569C8CF5373E7727316E1D - -Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F59BC19670A5428448ADC6B5FB9F02431 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F82336078EA8C51142905C0F01624C073 - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F4AD07B91E270636E16E375484FD89DF7 - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079FB96B9BAFF97EEA56B776679872106257 - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079FE8EB08A2B857C92690F7AC161A539A3E - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079FBADBDB0B8D81EBEAFDED914156079F3B - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079FBF15A664334A3E6D2E0F76B11324AEB8 - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F97E3FA45817851E4294C09CD9AA6EC27 - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079FF5498555F217439BDD4959D4527ECF49 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079FBDC4856BF3757F8D07217B5D13D5FEED - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F72E6ACA2B7040C0C601FF28E12F1E172 - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F031E3073330F038B7ABAF15D3E19A5C7 - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F3A5D56D8E7CF7648B808FCC447DC36E9 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F0A8382DC12E73B7D02A33F703A6CCF50 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F52F82CB8EBB1FD520C680872CABDC2EF - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F640651AF67FF46EEE920A5C7D2E0BF4E - -Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079FFBC40206CA6D2FFBDD2D111E4D96EAAF - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B9096D461FC1B70AE3938A394172992C0 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B5569058ECA9C7FD71D9BFB7C60C7C864 - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B907B0E25B2C99A4C196AD7E7B907DD2C - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B09AA958D76E91745F79272E787AB5238 - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B047F35A4A57A486FD1A1853A829A7ECC - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7BE862F1270B50F0CED1A613C8D6C4FE40 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B91A271969D82E8A2FA33A48230DDAD7B - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B1D12420ABBE46DA3FF0B8E5CA03BA05C - -Count = 537 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B5F386F61436ADE591903F16053D55311 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B074BE69738448D24BA37A1F6D019EEE3 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7BAB2CF8CD3D80745858CB3DAA24692275 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B99A603B188A06E04D8289FDF63EE157E - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B7BEBBEDD65C4D64C89C6BE89B14E5B42 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7BD6E564C6E141ACF4CCD3E34776CBE41B - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7BD3961AB916C0C4C740587A05DEF1B31D - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B57C7430B9DEF52FB0396D3B58BF91511 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B991A30A8D5EDE6337C7D869D15385F3D - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B429549B735359F63DFA42D32BAECBB7F - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B8A76525E3DC9AD19E042988AE310E6FB - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B79CDB26026C7242141D78A5ADED8195B - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B284D216D67EE0751665641D4B69BE132 - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B7A7DF2C45238259D0B4C7C83FACFE437 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B7FB38FABECF3F01AD8AE9B73BFECD5B4 - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B5745D38A5EC19F93DFEDE40F366E972B - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B35EFAC9A2DAE8DEC2BE8B416FEB6B445 - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B7D62ACA42CCCB1FAF180969FBF1D85E1 - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7BB240856D68BDC27B96BE1F4CBE399A7E - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7BC3B819BCECB6CDFC8C1B1C9F92D1DECB - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7BFAFB7F173876B83F4EA91106EB144DE5 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7BCA25AB13CD5EF50AF402D2B296A4B45C - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B925E057734083325FAC9E5B06675B9E3 - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7BA4A07860B84688991F8148057E28C442 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B3B622BC915D4E18C2B8CFCDCE15E91A3 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B628C9B9BC62D788F90572FED135FE6931B - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6249644A291BFF80E9738CB5FB2808C9BF - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B628C76418263AA6572777D9960F1C8DCF7 - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6215A7DA2AA78AE87B99853C60CF6453E3 - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6218727A037419B751BFB6CBBDCA557F17 - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62F46FBE80DA330FF0BFB15D4F9E0BFF9B - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B628DAF3E314CE1179C9424EA057812ACA0 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62011F0DAD6A87929D911CC0DBE8F4A187 - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62433520C6920921677714BFE71B1A52CA - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B621B46A930E927721AD420EF7198D6EF38 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62B721B76AECE38B6636DC732D6CA623AE - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6285AB4C1659C3913AB63FD1582B2114A5 - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6267E6F17AB4A72972E7D1F00EF9815A99 - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62CAE82B61302253CAA2C4ADC03E04E5C0 - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62CF9B551EC7A33BF92E4F3482963EB2C6 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B624BCA0CAC4C8CADC56D819D32C33614CA - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6285177F0F048E190D126AC81A5DF75EE6 - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B625E980610E456605DB1B363B5F223BAA4 - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62967B1DF9ECAA52278E55D60DABDFE720 - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6265C0FDC7F7A4DB1F2FC0C4DD96171880 - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6234406ECAB68DF86F08410F53FE54E0E9 - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B626670BD63835BDAA3655B3204B200E5EC - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6263BEC00C3D900F24B6B9D5F4F723D46F - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B624B489C2D8FA260ADB1FAAA887EA196F0 - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6229E2E33DFCCD72D245FFFA91B679B59E - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62616FE303FDAF4EC49F97D818F7D2843A - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62AE4DCACAB9DE3D45F8A951CBF6F69BA5 - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62DFB5561B3DD532C2E20C5218DA1EDF10 - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62E6F630B0E915470120BE5F81A3DB4C3E - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62D628E4B41C3D0A349A159C35DE6BB587 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B628E534AD0E56BCC1B94DEAB372EBAB838 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62B8AD37C7692577A77196068236E7C599 - -Count = 594 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62276F646EC4B71EB2459BB25BA9919078 - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629958B63F3127C40FBA975DE8211515BC0B - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62999D49EEDE114300C3B3FEB0C962FBE6AF - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299585BE5756916E558B70F9C52BB3BF3E7 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299C18A7EDDAD36685159F7395285977CF3 - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299CC5FDEF47EA5377B7FC4CE8F80A65007 - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629920421A77D08F8FDA7FC3587DD4F8D08B - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629959829AC6465D97B65456EF3732E183B0 - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299D532A95A603B12B7516EC5E9A2078E97 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62999718843198B5A14DB766BAD551E97DDA - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299CF6B0DC7E39BF2301452EA43D225C028 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299630C139DE65F0B4CF6AE761F26550CBE - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62995186E8E1537F1110764DD46A61D23BB5 - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B3CB558DBE1BA95827A3F53CB3727589 - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62991EC58F963A9ED3E062B6A8F274F7CAD0 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62991BB6F1E9CD1FBBD3EE3D31B0DCCD9DD6 - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62999FE7A85B46302DEFADF3980089C53BDA - -Count = 611 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299513ADBF80E329927D218CD28170471F6 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62998AB5A2E7EEEAE07771C16687B8D095B4 - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62994256B90EE616D20D4E27D33FE12CC830 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B1ED5930FD185B35EFB2C1EFDCE43790 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299E06DCA3DBC317845C8330A61B4A7CFF9 - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B25D199489E75A89A5293736F8F3CAFC - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B79364FB372C8F0E76CBD0C6BDD0FB7F - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62999F6538DA851EE0877188AFBA3452B9E0 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299FDCF47CAF671F2F8858DFFA3FC8A9A8E - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299B54247F4F713CEEE5FE5DD2ABD21AB2A - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997A606E3DB362BD6F38DB54F9BC05B4B5 - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62990B98F2EC3769B2E8227E572A90EDF000 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629932DB9447E3A9C72BE0CC5AB3E928632E - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62990205404316818A1E5A67990794989A97 - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62995A7EEE27EFD74C3154ACAE0564499728 - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62996C8093306399F78DB1E403B07C14EA89 - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299F342C099CE0B9E9885E9B769E362BF68 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997969C2D9DA08ABA81C8EFB9CDABF0ECC43 - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979AC3D08353E2CA765AA58C432C8E096E7 - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979692F039E467942FEAEA9E8A9112083AF - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979F0FE98368259CFF740514DA92F8C0CBB - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979FD2B381F51CA90DD6662BA742ABD204F - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299791136FC9CFFE0287C66652C867EE3A0C3 - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997968F67C2D693230104DF09BCC98FAF3F8 - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979E4464FB14F54B51148C8B112081CFEDF - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A66C62DAB7DA06EBAEC0CE2EFBF20D92 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979FE1FEB2CCCF455960DF49EB8783EB060 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299795278F576C930ACEAEF0802E48C4E7CF6 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997960F20E0A7C10B6B66FEBA091CBC94BFD - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997982BFB36691740EFE3E0581C7196905C1 - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299792FB1697D15F174467B10DC09DEECBA98 - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299792AC21702E2701C75F79B454B76D6ED9E - -Count = 643 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979AE934EB0695F8A49B455ECFB23DE4B92 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979604E3D13215D3E81CBBEB9D3BD1F01BE - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979BBC1440CC18547D16867127C12CBE5FC - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997973225FE5C97975AB5781A7C44B37B878 - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299798099BFDBD277FC93F614B51476FF47D8 - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979D1192CD6935EDFE3D1957E9A1EBCBFB1 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299798329FF7FA688FD2FBC8F43CD52E8BAB4 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997986E78210184328A86F6DA43D17CB8B37 - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979AE11DE31AA714721682EDB419E49C9A8 - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979CCBBA121D91E555E9C2B8B585691EAC6 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299798436A11FD87C69484643A9D1173ADB62 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299794B1488D69C0D1AC9217D2002161EC4FD - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299793AEC14071806154E3BD823D13AF68048 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B62997903AF72ACCCC6608DF96A2E4843331366 - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299793371A6A839EE2DB843C1EDFC3E83EADF - -Count = 658 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299796B0A08CCC0B8EB974D0ADAFECE52E760 - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B6299795DF475DB4CF6502BA842774BD60F9AC1 - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979C2362672E164393E9C4FC3924979CF20 - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B9A593097205AA96CD53AB48F8592FAC - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A27C5A42E64482A5EFE9F0F3A08FB77508 - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B948494D3CD74074ED01DF3B56776040 - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A22099D2E5F8F7CD7D03F97A3B68DBEF54 - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A22D4C72CC2B64925725CA8DE66DEAC3A0 - -Count = 666 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2C151B64F854E2AF625CD1B1439B4432C - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B89136FE139C329A0E58AC5EDFAD1017 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A23421056235FAB79B0B6086804F4B1D30 - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2760B2809CD740461ED68F9BCBCA5EE7D - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A22E78A1FFB65A571C4E5CA92A3F69538F - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2821FBFA5B39EAE60ACA03576CB199F19 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B09544D906BEB43C2C4397038C9EA812 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A252D8F9B5EBDA0C747DADB6555E3EE62E - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2FFD623AE6F5F76CC38B8EB9B99BB5977 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2FAA55DD198DE1EFFB43372D931810E71 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A27EF4046313F188C3F7FDDB696489A87D - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2B02977C05BF33C0B88168E41FA48E251 - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A26BA60EDFBB2B455B2BCF25EE559C0613 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2A3451536B3D77721142990560C605B97 - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A250FEF508A8D9FE19B5BC828631A8A437 - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2017E6605E9F0DD69923D490859EB5C5E - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2534EB5ACDC26FFA5FF27745F15BF595B - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A25680C8C362ED2A222CC593AF509C68D8 - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A27E7694E2D0DF45AB2B86ECD3D91E2A47 - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A21CDCEBF2A3B057D4DF83BCCA11C60929 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A25451EBCCA2D26BC205EB9E43506D388D - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A29B73C205E6A3184362D5179051492712 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2EA8B5ED462A817C4787014437DA163A7 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2D3C8387FB6686207BAC219DA0464F089 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2E316EC7B43402F320069DA6E79D40930 - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2BB6D421FBA16E91D0EA2ED6C8905048F - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A28D933F08365852A1EBEA40D99158792E - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A212516CA19BCA3BB4DFE7F4000E2E2CCF - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240434EE6A09FEDD4F51F39952D0B84AB3E - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24086B1374FA96ADB8C3B9ACDC57C6AF19A - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24043A33CE4D13F3E173F6BE15EA5AAE4D2 - -Count = 697 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240DA72A74C151FB31ED193445E9B066BC6 - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240D7A70765C68CEC34F7A0B3839E374732 - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403BBAC3E668A65495F7A72571CA69C7BE - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240427A4357FE744CF9DC32923B2C709485 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240CECA70CBD812C9F8D90AB8E5BC9699A2 - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2408CE05DA0209C7A023F02C7D94F786AEF - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240D493D4565BB2297F9C36974FCCB4D71D - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24078F4CA0C5E76D0037ECA0B1338C41B8B - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2404A7E3170EB56CA5FFE29A9667F432C80 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240A8338C1C06327217AFC78830ADE362BC - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240053D560782B708AFEAD2D5FE6A66DDE5 - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240004E28787536609C66594CBCC25C8AE3 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240841F71CAFE19F6A02597E50C97542CEF - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2404AC20269B61B42685A7CB024099566C3 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240914D7B7656C33B38F9A51B8BA6418281 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24059AE609F5E3F0942C643AE33FFBDDF05 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240AA1580A14531807A67D6BCE3C27520A5 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240FB9513AC0418A30A4057776DAA36D8CC - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240A9A5C00531CE81C62D4D4A3AE662DDC9 - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240AC6BBD6A8F055441FEAFADCAA341EC4A - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240849DE14B3D373BC8F9ECD2B62AC3AED5 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240E6379E5B4E5829B70DE982AFE21B8DBB - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240AEBA9E654F3A15A1D781A026A3B0BC1F - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2406198B7AC0B4B6620B0BF29F5A294A380 - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24010602B7D8F4069A7AA1A2A268E7CE735 - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24029234DD65B801C6468A827BFF7B9741B - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24019FD99D2AEA85151D203E40B8A098DA2 - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240418637B657FE977EDCC8D3097AD8801D - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A24077784AA1DBB02CC239807EBC6285FDBC - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A240E8BA1908762245D70D8DCA65FDF3A85D - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D546FE67094BB75016786E3EA9E6A5BCD - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9190379FA23C7A784325BB02E9840169 - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D54823C34DA699FE347D4979930441421 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DCD53A79C1E4912EAA92C32990EE89B35 - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DC08607B5CDDA4DC08F1FC5440BD9B7C1 - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D2C9BC33663F0F5618F1853B65F87374D - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D555B4387F522ED0DA48DE4FCB99E6476 - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DD9EB701BD344680CA1B5CE2229786951 - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9BC15D702BCADBF647BDB11EDA969A1C - -Count = 736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DC3B2D48650E4888BE489E188595A27EE - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D6FD5CADC552071F706757DD4AD2AEB78 - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D5D5F31A0E0006BAB8696DFA1EAADDC73 - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DBF128CCC0D64D3E3D778FEF7380D924F - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D121C56D789E1A95B926DA339FF882D16 - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D176F28A87E60C1681EE63A7B57B27A10 - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D933E711AF54F57545D2893CB02BADC1C - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D5DE302B9BD4DE39C22C3C6E39C7B9630 - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D866C7BA65D959ACC811A6D4C33AF7272 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D4E8F604F5569A8B6BEFCD8F46A532FF6 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DBD3480714E67218E1F69CA24579BD056 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DECB4137C0F4E02FE38E801AA3FD8283F - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DBE84C0D53A98203255F23CFD738C2D3A - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DBB4ABDBA8453F5B58610DB0D36AF1CB9 - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D93BCE19B36619A3C8153A471BF2D5E26 - -Count = 751 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DF1169E8B450E88437556F46877F57D48 - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DB99B9EB5446CB455AF3ED6E1365E4CEC - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D76B9B77C001DC7D4C8005F32377A5373 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D07412BAD8416C853D2A55CE11B9217C6 - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D3E024D0650D6BD9010175178625784E8 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D0EDC9902A5FEF0A5AABC92CC1FE77D51 - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D56A737665CA8368AA477A5CEEF3670EE - -Count = 758 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D60594A71D0E68D36413F087BF76B0D4F - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403DFF9B19D87D74E4237532BCA2681D58AE - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F9F02DA748370296F34EA79F4E5497D6D - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F5AFD0B9BB5F726161049211C92A727C9 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F9FEF0030CDA2C38D14B80D874B673281 - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F063E9B9809824E84FA40A88775CBBD95 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F0BEB3BB1DA1111AEDC735F5A70FA9161 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FE7F6FF32743BA90FDC74C9A824A411ED - -Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F9E367F83E2E9B163F7E17EE2C2BD42D6 - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F12864C1FC48F3462F2D9543C525B4FF1 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F50AC61743C01879814D12B00A1B5BCBC - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F08DFE882472FD4E5B7E57B962279014E - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FA4B8F6D842EB2D995519E7CAD609CDD8 - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F96320DA4F7CB37C5D5FA45BF918EFAD3 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F747FB0C81AAF8F8D841464E9432EB4EF - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FD9716AD39E2AF535C101392784AB0BB6 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FDC0214AC69AB9D064D8AA0652C915CB0 - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F58534D1EE2840B3A0E4409D57999FABC - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F968E3EBDAA86BFF271AF5CFDE758B090 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F4D0147A24A5EC6A2D276F752488C54D2 - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F85E25C4B42A2F4D8ED9042EA11700956 - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F7659BC7559AC7DE04C05503A2CB8F6F6 - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F27D92F7818855E906B849BB444FB0E9F - -Count = 781 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F75E9FCD12D537C5C069EA6E308AF0B9A - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F702781BE9398A9DBD57C41134D8C3A19 - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F58D1DD9F21AAC652D23F3E6FC40E7886 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F3A7BA28F52C5D42D263A6E760CD65BE8 - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F72F6A2B153A7E83BFC524CFF4D7D6A4C - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FBDD48B7817D69BBA9B6CC52C4C5975D3 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FCC2C17A993DD943D81C9C6FF60B13166 - -Count = 788 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FF56F7102471DE1FE437BCB661974A248 - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FC5B1A506B235ACCBF9D008D264C45BF1 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F9DCA0B624B636AE4F71B3FD09415564E - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9FAB347675C72DD158125392658C482BEF - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F34F625DC6ABFB84D265E26BC133E7E0E - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FEB338400A1628D9BDBA44BD09814A472 - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F2ECC55EF97E582E2FF071338EFFAFED6 - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FEBDE5E44EFB06779FBF63FA3363AEB9E - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F720FC5EC2B90EA70150E9AA30896648A - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F7FDA65C5F803B55A333D6D7E0DA7487E - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F93C7A14656290DFB333AFB8C59F9C8F2 - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FEA0721F7C0FB159718AF4CC6BFE09BC9 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F66B7126BE69D90961D9766182F0696EE - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F249D3F001E13236CFB9F1924DCE865A3 - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F7CEEB6F6653D701158AB49B25F24D851 - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FD089A8AC60F9896DBA57D5EEAB5414C7 - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FE20353D0D5D993313AB4779BECD323CC - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F004EEEBC38BD2B796B5A56CD3E736DF0 - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FAD4034A7BC3851C12E4F0B03F9F6D2A9 - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FA8334AD84BB939F2A2C4924151CC85AF - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F2C62136AC096AFCEE10A3BF104C423A3 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FE2BF60C988941B069EE16ED99A05698F - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F393019D6684C62563D38C57635D18DCD - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FF1D3023F60B0502C02DE70CE6C2DD049 - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F0268E2017BBED914A34B621E51E52FE9 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F53E8710C3A97FA6484CAA99039A6D780 - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F01D8A2A50F41D8A8E9D094C775F2D285 - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F0416DFCAB18A0D2F3A32733730D1E306 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F2CE083EB03B862A63D710C4BB953A199 - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F4E4AFCFB70D770D9C9745C52718B82F7 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F06C7FCC571B54CCF131C7EDB3020B353 - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FC9E5D50C35C43F4E7422F7083104ACCC - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FB81D49DDB1CF30C96E87F4DB1DECE879 - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F815E2F76650F450AAC35F94264297B57 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FB180FB729027083F169E3AF6199982EE - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FE9FB55166971CE1018550DF4E9488F51 - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6FDF052801E53F75ACFD1DA041F115F2F0 - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F40C77BA848AD1CB9C91014986E63A711 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C64EED4250F2974316283EDF1239D4504 - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CA11105CA39AE7B484620B51954731FA0 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C64030E6141FB9ED342D199828DB30AE8 - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CFDD295C985DB13DAAC293C82B31F85FC - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CF00735E056484CF08A1ACB5FB62EA908 - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C1C1AF163F862F4518A1D5DADE2702984 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C65DA71D26EB0EC3DA188EAE704697ABF - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CE96A424E48D6693CA4B0C039948F7798 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CAB406F25B058DAC642B8BF05676184D5 - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CF333E6D3CB7689BBE18CEF93E4AD3927 - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C5F54F889CEB270C7037073CF10DDF5B1 - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C6DDE03F57B926A9B8393D1BA575AC2BA - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C8F93BE9996F6D2D3D27DF0EC85FA8C86 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C229D64821273A86B9768AD22427F33DF - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C27EE1AFDE5F2C0581BE33460EA4564D9 - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CA3BF434F6EDD5664582D9DD0BF4DC2D5 - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C6D6230EC26DFE2AC27C6C8F8218C88F9 - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CB6ED49F3C6079BFC841F63578E586CBB - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C7E0E521ACEFBA986BBF9D6EFD7A4313F - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C8DB5B224D5F520BE1A6CC43FEA6CCE9F - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CDC35212994DC03CE3DED0FB1822F36F6 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C8E05F280A10A210250F732E6CE7B33F3 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C8BCB8FEF1FC1F4858315D5168B580270 - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CA33DD3CEADF39B0C8456AA6A02DA40EF - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CC197ACDEDE9C89737053FA73CA026381 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C891AACE0DFFEB565AA3BD8FA8BA95225 - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C463885299B8FC6E4CD0551298A8D4DBA - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C37C019F81F84C963D7A052FAA665090F - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C0E837F53CB44BCA015125F63DFA09A21 - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C3E5DAB573E6CF195AFB99CD7A2106398 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C66260533C73A37BAA172ABD552C16E27 - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9C50D878244B748C06443A06604A9C1386 - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CCF1A2B8DE6E6E5137037B2B9D5EA4667 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA07F036BA47E86F5A423E3F84EB9C614F - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAC20FE755716F6023669D676C9C723BEB - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA071DECFE093A85B8626C4BF745B22EA3 - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA9ECC7756CD1A08B18C94EEF77B1EA1B7 - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA9319D77F1E89579BAAA7192A7E2F8D43 - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA7F0413FCB0A3EF3AAAA08FD82A710DCF - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA06C4934D2671F75681353892CC685EF4 - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA8A74A0D100177257840D124C5C8E53D3 - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAC85E8DBAF899C1AD62056D70AF60A09E - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA902D044C83B792D0C1313DE62CAC1D6C - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA3C4A1A1686736BAC23CDA1BAD8DCD1FA - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA0EC0E16A335371F0A32E03CF9F5BE6F1 - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAEC8D5C06DE37C9B8F2C022994DFBA8CD - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA4183861D5AB2B300B7D57F578A7E1794 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA44F0F862AD33DB333B5EE61522444092 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAC0A1A1D0261C4D0F78904FA5774CE69E - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA0E7CD2736E1EF9C7077B1A8DE98DACB2 - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAD5F3AB6C8EC68097A4A2B122465948F0 - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA1D10B085863AB2ED9B44049A1FA51574 - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAEEAB50BB9D343BD53AD1164A226DEAD4 - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBABF2BC3B6DC1D18A51D50DDC44A2E12BD - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAED1B101FE9CB3A69704AE093067A17B8 - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAE8D56D705700EFEEA3A807634359263B - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAC0233151E5328067A4EB781FCADB64A4 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAA2894E41965D921850EE2806020347CA - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAEA044E7F973FAE0E8A860A8F43A8766E - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA252667B6D34EDD8FEDB8835C428C69F1 - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA54DEFB675745D208F71D808F6E642D44 - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA6D9D9DCC8385A7CB35AF8D1617A1BE6A - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA5D4349C876ADEAFE8F044EA26A1147D3 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA0538E7AC8FFB2CD181CF79A09AC04A6C - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA33C69ABB03B5976D6487D415829D37CD - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBAAC04C912AE27FE78508A60CC1DEB622C - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250F0927D72D857E36CAD703B28EF139FA - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25CAF6F6381B02714FEE745B5AF91F635E - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250FE4FD93635794D4EA8577C120DF7616 - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259635663BA77719DD047DD2C11E73F902 - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259BE0C61274E446F7224E251C1B42D5F6 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2577FD0291DACEFE562249B3EE4F1C557A - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250E3D82204C1CE63A09DC04A4A9050641 - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25828DB1BC6A7A633B0CE42E7A39E30B66 - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25C0A79CD792F4D0C1EAEC5146CA0DF82B - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2598D41521E9DA83BC49D801D049C145D9 - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2534B30B7BEC1E7AC0AB249D8CBDB1894F - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250639F007593E609C2BC73FF9FA36BE44 - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E4744D6BB45AD8D47A291EAF2896F078 - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25497A977030DFA26C3F3C4361EF134F21 - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA254C09E90FC75ECA5FB3B7DA2347291827 - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25C858B0BD4C715C63F07973931221BE2B - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250685C31E0473E8AB8F9226BB8CE0F407 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25DD0ABA01E4AB91FB2C4B8D1423341045 - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2515E9A1E8EC57A38113AD38AC7AC84DC1 - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E65241D6F7592AB9B2382A7C4700B261 - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25B7D2D2DBB67009C995B9E1F22F434A08 - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E5E2017283A62B05F8A3DCA563174F0D - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E02C7C1D3D6DFE822B413B5526347E8E - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25C8DA203C8F5F910B2C024429AFB63C11 - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25AA705F2CFC308374D8071430676E1F7F - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25E2FD5F12FD52BF62026F36B926C52EDB - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA252DDF76DBB923CCE36551BF6A27E13144 - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA255C27EA0A3D28C3647FF4BCB90B0975F1 - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2565648CA1E9E8B6A7BD46B12072CCE6DF - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA2555BA58A51CC0FB9207ED72940F7C1F66 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA250DC1F6C1E5963DBD09264596FFAD12D9 - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA253B3F8BD669D88601EC6EE823E7F06F78 - -Count = 924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA25A4FDD87FC44AEF14D8635CFA78863A99 - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DCE72A8718C1BF9A53B646BE0293BB8CF - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D0B8D799EBA9CF6DC1FC733085ED5E26B - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DCE9F7235C2C913471B361F938715F723 - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D574EE99D06E99E4EF5CEBA93B9B97837 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D5A9B49B4D57AC164D3FD4D4EBC8854C3 - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DB6868D377B5079C5D3FADBBCE8D6D44F - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DCF460D86ED8261A9F86F6CF60ECF8774 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D43F63E1ACBE4E4A8FD5746289E298A53 - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D01DC1371336A57521B5F39146DC7791E - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D59AF9A874844042FB86B6982EE0BC4EC - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DF5C884DD4D80FD535A97F5DE1A7B087A - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DC7427FA1F8A0E70FDA7457AB5DFC3F71 - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D250FC2CD15C45F478B9A76FD8F5C714D - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D880118D6914125FFCE8F2B3348D9CE14 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D8D7266A966C04DCC4204B271E0E39912 - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D09233F1BEDEFDBF001CA1BC1B5EB3F1E - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DC7FE4CB8A5ED6F387E214EE92B2A7532 - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D1C7135A745351668DDF8E54684FE9170 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DD4922E4E4DC92412E21E50FEDD02CCF4 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D2729CE7056C7AD2A438B422EE0CA3354 - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D76A95D7D17EE8E5A640A89A08889CB3D - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D24998ED42238AC960910B4F7C4DDCE38 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D2157F3BB9CF37911DAF2530781FEFFBB - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D09A1AF9A2EC11698DDB12C7B087CBD24 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D6B0BD08A5DAE04E729B47C62C0A49E4A - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D2386D0B45CCC38F1F3DC5EEB810FAFEE - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DECA4F97D18BD4B7094E2D738802BB071 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D9D5C65AC9CB644F78E47D4EBACC3F4C4 - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DA41F0307487631344CF5D972D50667EA - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D94C1D703BD5E7C01F65E1AC6A8B69E53 - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DCCBA79674408BA2EF8952DC4586793EC - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DFA440470C84601921DDD8071403AEE4D - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259D658657D965D4688729D034A8DF4CBBAC - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB4AE2A91E60E75157A9577109369DB8DF - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB8F1D78F156605E2E8DF429E14173E27B - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB4A0F735A2E35BBB58905057A98B3F733 - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABD3DEE8F2EA1536BC67FDA07AA61F7827 - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABDE0B48DB3986699641CE57A7A32E54D3 - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB32168C5897ACD13741C9C155F770D45F - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB4BD60CE9017EC95B6A5C761F11698764 - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABC7663F7527184C5A6F645CC1818F8A43 - -Count = 966 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB854C121EDF96FFA0896C23FD7261790E - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABDD3F9BE8A4B8ACDD2A58736BF1ADC4FC - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB715885B2A17C55A1C8A4EF3705DD086A - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB43D27ECE145C4FFD48474D42425A3F61 - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA19FC3A2F938F7B519A96C1490FA715D - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB0C9119B97DBD8D0D5CBC31DA577FCE04 - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB09E267C68A3CE53ED037A898FF459902 - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB8DB33E740113730293F90128AA4D3F0E - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB436E4DD74911C7CAEC125400348C7522 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB98E134C8A9C9BE9A4FCBFFAF9B589160 - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB50022F21A1358CE0702D4A17C2A4CCE4 - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA3B9CF1FBA3B05D8D1B858C7FF6C3344 - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABF2395C12FB1226A8F6399349972FCB2D - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA0098FBBCEC404649B23AE1EDB7BCE28 - -Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA5C7F2D4700FD1E348C149EE9E58FFAB - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB8D31AEF5C23DBE6A4F82369217DABD34 - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABEF9BD1E5B152AC15BB87668BDF029E5A - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABA716D1DBB030900361EF44029EA9AFFE - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6834F812F441E38206D1CDD19F8DB061 - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB19CC64C3704AEC051C74CE02B365F4D4 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB208F0268A48A99C6DEC6C39BCAA067FA - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB1051D66C51A2D4F3646D002FB7109E43 - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB482A7808A8F412DC6AA6372D47C193FC - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB7ED4051F24BAA9608FEE9A985F9CEE5D - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DABE11656B68928C075BBE32E41C0EABBBC - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4D70746F2D2879F989505D58F7ACA95C - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F888FA5801BAF7680ADF305B08042F3F8 - -Count = 993 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4D9DAE2B63FA931BA902292B5982E6B0 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FD44C3583A7DA1E1247FA8C2B672E69A4 - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FD99995AA7449413861C97BF6621F4550 - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F35845129DA63F99961CEED043641C5DC - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4C44D1984CB1E1F54A5B5A4ED05896E7 - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FC0F4E2046AD764F44F63709040BE9BC0 - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F82DECF6F9259D70EA96B0FACB350688D - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FDAAD4699E97784730A5F5F3A309CD57F - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F76CA58C3ECB37D0FE8A3C366C4EC19E9 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4440A3BF5993675368406113836B2EE2 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA60D1ED3B4F7DF1B39AE404551CB60DE - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F0B03C4C83072A5A37CBB1D8B964EDF87 - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F0E70BAB7C7F3CD90F03084C93E748881 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F8A21E3054CDC5BACB3FE2D796B7C2E8D - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F44FC90A604DEEF64CC157851F5BD64A1 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F9F73E9B9E40696346FCCD3FE5A6980E3 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F5790F250ECFAA44E502A66460395DD67 - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA42B126EF7F42D76F1BF74963E5D22C7 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FF5AB8163B6DD0E06D63EBF18561EDAAE - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA79B52CA830B2CCABB24824F1A4ADFAB - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA2552FA53DC0F94D68C665BF5F69EE28 - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F8AA373848FF296C46F851AC3D6EBACB7 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FE8090C94FC9D84BB9B804ADA1E338FD9 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FA0840CAAFDFFB8AD41E868535F98BE7D - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F6FA62563B98ECB2C26D6E1805EBCA1E2 - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F1E5EB9B23D85C4AB3C73E2537254E557 - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F271DDF19E945B168FEC1EFCA0B917679 - -Count = 1020 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F17C30B1D1C6DFC5D446A2C7E76218FC0 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F4FB8A579E53B3A724AA11B7C86F0827F - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7946D86E697581CEAFE9B6C99EADFFDE - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6FE6848BC7C4E7E8DB9BE4021001DBAA3F - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E7E4CC94143EC866BA90EF8B4A00D3652 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EBBB318AE756B89128DADA05CD7E36CF6 - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E7EA113050D3E6C89895C8CC70E2379BE - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EE77088ADC91EE18067A429C7308FF6AA - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EEAA528841A8DBEAA4197DE1A35BEDA5E - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E06B8EC07B4A7060B419048E861E05AD2 - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E7F786CB622751E676A05FFA287F909E9 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EF3C85F2A04139B666F3DD57C171F04CE - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EB1E27241FC9D289C8935AA40E4F1F783 - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EE991FBB787B37BE12A01FAD6673D4A71 - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E45F6E5ED8277829DC8FD668A934D86E7 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E777C1E91375798C1481EC4FFD4CAB1EC - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E9531A3FDDA33208919F0E5A9066AFFD0 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E383F79E65EB65A315CE5B867C1EF4089 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E3D4C0799A9373202D06E212569D5178F - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EB91D5E2B2218A43E93A088953CDDB183 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E77C02D886A1A10F6EC4BDDBDA21CFBAF - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EAC4F54978AC269A64F9276120DC81FED - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E64AC4F7E823E5BDC7074C3AA54344269 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E9717AF409930D2E4D1E1D17A69FCBDC9 - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EC6973C4DD819F194F6601AF401BF45A0 - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E94A7EFE4EDCFD3589B7A27A34DEB40A5 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E9169928B530406DF4898C05308C87126 - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EB99FCEAAE13669564FDBBF2F814A33B9 - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7EDB35B1BA92597B29BBDEEF36499210D7 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E93B8B184933B473F61B6CDBF08392173 - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5C9A984DD74A34BE0688446C091D3EEC - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E2D62049C53413B391C2D47BF25F57A59 - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E1421623787814EFADE9F4A265C30E977 - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E24FFB63372A903CF64348992218010CE - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E7C8418578BFFC5E06AFFBE90D1511D71 - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E4A7A654007B17E5C8FB71325C90C60D0 - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7ED5B836E9AA231749BBBAA7FC567A3531 - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BDD94B5A9DC1B1E0E4B67D163F605735C - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B186B6446EA9C11776FC4898B81EB29F8 - -Count = 1059 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BDD796FED92C9F4EC6B35A510582B3CB0 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B44A8F44556E979E585CD00106687B3A4 - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B497D546C857A26CFA3FEF7CD63B69F50 - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BA56090EF2B509E6EA3F9613F37E81FDC - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BDCA0105EBD828602886CD675D1F14CE7 - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B501023C29BE403038D54FCAB411741C0 - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B123A0EA9636AB0F96B5C8397B2F9B28D - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B4A49875F1844E384C868D30131350F7F - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BE62E99051D801AF82A944F5DC545C3E9 - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BD4A46279A8A000A4AA77ED2882C2F4E2 - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B36E9DF1545C4B8ECFB99CC7E5062BADE - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B9BE7050EC141C254BE8C91B097E70587 - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B9E947B7136C0AA67320708F23FDD5281 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B1AC522C3BDEF3C5B71C9A1426AD5F48D - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BD4185160F5ED88930E22F46AF414BEA1 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B0F97287F1535F1C3ADFB5FC55BC05AE3 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BC77433961DC9C3B9921DEA7D023C0767 - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B34CFD3A806C74A813388F8AD3FF4F8C7 - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B654F40A547EE69F11409332357B700AE - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B377F930C72384B3D79130E741BE305AB - -Count = 1079 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B32B1EE63CCF39EBAAAF1E9845EC03428 - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B1A47B2427EC1F133ADB296F8D74276B7 - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B78EDCD520DAEE34C59B7C6E11F9A55D9 - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B3060CD6C0CCCDF5A83DFE4685E31647D - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BFF42E4A548BDACDBE4E16DBB5F157BE2 - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B8EBA7874CCB6A35CFE446E6873FD3F57 - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BB7F91EDF1876D69F3CF663F10A38AC79 - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B8727CADBED5E9BAA865DA045778855C0 - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BDF5C64BF14085D85889697478759587F - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5BE9A219A89846E6396DDE3AF29F0425DE - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 75F8BD7F4702EA535A1CE23E2D079F7B629979A2403D9F6F9CBA259DAB6F7E5B76604A0135D48F2C59D38E2B0072703F - diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/api.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.c new file mode 100644 index 0000000..770f568 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.c @@ -0,0 +1,881 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "elephant.h" +#include "internal-keccak.h" +#include "internal-spongent.h" +#include + +aead_cipher_t const dumbo_cipher = { + "Dumbo", + DUMBO_KEY_SIZE, + DUMBO_NONCE_SIZE, + DUMBO_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + dumbo_aead_encrypt, + dumbo_aead_decrypt +}; + +aead_cipher_t const jumbo_cipher = { + "Jumbo", + JUMBO_KEY_SIZE, + JUMBO_NONCE_SIZE, + JUMBO_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + jumbo_aead_encrypt, + jumbo_aead_decrypt +}; + +aead_cipher_t const delirium_cipher = { + "Delirium", + DELIRIUM_KEY_SIZE, + DELIRIUM_NONCE_SIZE, + DELIRIUM_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + delirium_aead_encrypt, + delirium_aead_decrypt +}; + +/** + * \brief Applies the Dumbo LFSR to the mask. + * + * \param out The output mask. + * \param in The input mask. + */ +static void dumbo_lfsr + (unsigned char out[SPONGENT160_STATE_SIZE], + const unsigned char in[SPONGENT160_STATE_SIZE]) +{ + unsigned char temp = + leftRotate3_8(in[0]) ^ (in[3] << 7) ^ (in[13] >> 7); + unsigned index; + for (index = 0; index < SPONGENT160_STATE_SIZE - 1; ++index) + out[index] = in[index + 1]; + out[SPONGENT160_STATE_SIZE - 1] = temp; +} + +/** + * \brief Processes the nonce and associated data for Dumbo. + * + * \param state Points to the Spongent-pi[160] state. + * \param mask Points to the initial mask value. + * \param next Points to the next mask value. + * \param tag Points to the ongoing tag that is being computed. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void dumbo_process_ad + (spongent160_state_t *state, + unsigned char mask[SPONGENT160_STATE_SIZE], + unsigned char next[SPONGENT160_STATE_SIZE], + unsigned char tag[DUMBO_TAG_SIZE], + const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned posn, size; + + /* We need the "previous" and "next" masks in each step. + * Compare the first such values */ + dumbo_lfsr(next, mask); + dumbo_lfsr(next, next); + + /* Absorb the nonce into the state */ + lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); + lw_xor_block(state->B, npub, DUMBO_NONCE_SIZE); + + /* Absorb the rest of the associated data */ + posn = DUMBO_NONCE_SIZE; + while (adlen > 0) { + size = SPONGENT160_STATE_SIZE - posn; + if (size <= adlen) { + /* Process a complete block */ + lw_xor_block(state->B + posn, ad, size); + spongent160_permute(state); + lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state->B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); + dumbo_lfsr(mask, mask); + dumbo_lfsr(next, next); + lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); + posn = 0; + } else { + /* Process the partial block at the end of the associated data */ + size = (unsigned)adlen; + lw_xor_block(state->B + posn, ad, size); + posn += size; + } + ad += size; + adlen -= size; + } + + /* Pad and absorb the final block */ + state->B[posn] ^= 0x01; + spongent160_permute(state); + lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state->B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); +} + +int dumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + spongent160_state_t state; + unsigned char start[SPONGENT160_STATE_SIZE]; + unsigned char mask[SPONGENT160_STATE_SIZE]; + unsigned char next[SPONGENT160_STATE_SIZE]; + unsigned char tag[DUMBO_TAG_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DUMBO_KEY_SIZE); + memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); + spongent160_permute(&state); + memcpy(mask, state.B, DUMBO_KEY_SIZE); + memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Encrypt and authenticate the payload */ + while (mlen >= SPONGENT160_STATE_SIZE) { + /* Encrypt using the current mask */ + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, m, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + memcpy(c, state.B, SPONGENT160_STATE_SIZE); + + /* Authenticate using the next mask */ + dumbo_lfsr(next, mask); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT160_STATE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT160_STATE_SIZE); + c += SPONGENT160_STATE_SIZE; + m += SPONGENT160_STATE_SIZE; + mlen -= SPONGENT160_STATE_SIZE; + } + if (mlen > 0) { + /* Encrypt the last block using the current mask */ + unsigned temp = (unsigned)mlen; + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, m, temp); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + memcpy(c, state.B, temp); + + /* Authenticate the last block using the next mask */ + dumbo_lfsr(next, mask); + state.B[temp] = 0x01; + memset(state.B + temp + 1, 0, SPONGENT160_STATE_SIZE - temp - 1); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT160_STATE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + c += temp; + } else if (*clen != DUMBO_TAG_SIZE) { + /* Pad and authenticate when the last block is aligned */ + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + state.B[0] ^= 0x01; + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + } + + /* Generate the authentication tag */ + memcpy(c, tag, DUMBO_TAG_SIZE); + return 0; +} + +int dumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + spongent160_state_t state; + unsigned char *mtemp = m; + unsigned char start[SPONGENT160_STATE_SIZE]; + unsigned char mask[SPONGENT160_STATE_SIZE]; + unsigned char next[SPONGENT160_STATE_SIZE]; + unsigned char tag[DUMBO_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DUMBO_TAG_SIZE) + return -1; + *mlen = clen - DUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DUMBO_KEY_SIZE); + memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); + spongent160_permute(&state); + memcpy(mask, state.B, DUMBO_KEY_SIZE); + memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Decrypt and authenticate the payload */ + clen -= DUMBO_TAG_SIZE; + while (clen >= SPONGENT160_STATE_SIZE) { + /* Authenticate using the next mask */ + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, c, SPONGENT160_STATE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + + /* Decrypt using the current mask */ + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block_2_src(m, state.B, c, SPONGENT160_STATE_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT160_STATE_SIZE); + c += SPONGENT160_STATE_SIZE; + m += SPONGENT160_STATE_SIZE; + clen -= SPONGENT160_STATE_SIZE; + } + if (clen > 0) { + /* Authenticate the last block using the next mask */ + unsigned temp = (unsigned)clen; + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, c, temp); + state.B[temp] ^= 0x01; + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + + /* Decrypt the last block using the current mask */ + memcpy(state.B, mask, SPONGENT160_STATE_SIZE); + lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); + spongent160_permute(&state); + lw_xor_block(state.B, mask, temp); + lw_xor_block_2_src(m, state.B, c, temp); + c += temp; + } else if (*mlen != 0) { + /* Pad and authenticate when the last block is aligned */ + dumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); + state.B[0] ^= 0x01; + spongent160_permute(&state); + lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); + lw_xor_block(state.B, next, DUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, tag, c, DUMBO_TAG_SIZE); +} + +/** + * \brief Applies the Jumbo LFSR to the mask. + * + * \param out The output mask. + * \param in The input mask. + */ +static void jumbo_lfsr + (unsigned char out[SPONGENT176_STATE_SIZE], + const unsigned char in[SPONGENT176_STATE_SIZE]) +{ + unsigned char temp = + leftRotate1_8(in[0]) ^ (in[3] << 7) ^ (in[19] >> 7); + unsigned index; + for (index = 0; index < SPONGENT176_STATE_SIZE - 1; ++index) + out[index] = in[index + 1]; + out[SPONGENT176_STATE_SIZE - 1] = temp; +} + +/** + * \brief Processes the nonce and associated data for Jumbo. + * + * \param state Points to the Spongent-pi[170] state. + * \param mask Points to the initial mask value. + * \param next Points to the next mask value. + * \param tag Points to the ongoing tag that is being computed. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void jumbo_process_ad + (spongent176_state_t *state, + unsigned char mask[SPONGENT176_STATE_SIZE], + unsigned char next[SPONGENT176_STATE_SIZE], + unsigned char tag[JUMBO_TAG_SIZE], + const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned posn, size; + + /* We need the "previous" and "next" masks in each step. + * Compare the first such values */ + jumbo_lfsr(next, mask); + jumbo_lfsr(next, next); + + /* Absorb the nonce into the state */ + lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); + lw_xor_block(state->B, npub, JUMBO_NONCE_SIZE); + + /* Absorb the rest of the associated data */ + posn = JUMBO_NONCE_SIZE; + while (adlen > 0) { + size = SPONGENT176_STATE_SIZE - posn; + if (size <= adlen) { + /* Process a complete block */ + lw_xor_block(state->B + posn, ad, size); + spongent176_permute(state); + lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state->B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); + jumbo_lfsr(mask, mask); + jumbo_lfsr(next, next); + lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); + posn = 0; + } else { + /* Process the partial block at the end of the associated data */ + size = (unsigned)adlen; + lw_xor_block(state->B + posn, ad, size); + posn += size; + } + ad += size; + adlen -= size; + } + + /* Pad and absorb the final block */ + state->B[posn] ^= 0x01; + spongent176_permute(state); + lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state->B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); +} + +int jumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + spongent176_state_t state; + unsigned char start[SPONGENT176_STATE_SIZE]; + unsigned char mask[SPONGENT176_STATE_SIZE]; + unsigned char next[SPONGENT176_STATE_SIZE]; + unsigned char tag[JUMBO_TAG_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + JUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, JUMBO_KEY_SIZE); + memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); + spongent176_permute(&state); + memcpy(mask, state.B, JUMBO_KEY_SIZE); + memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Encrypt and authenticate the payload */ + while (mlen >= SPONGENT176_STATE_SIZE) { + /* Encrypt using the current mask */ + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, m, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + memcpy(c, state.B, SPONGENT176_STATE_SIZE); + + /* Authenticate using the next mask */ + jumbo_lfsr(next, mask); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT176_STATE_SIZE); + c += SPONGENT176_STATE_SIZE; + m += SPONGENT176_STATE_SIZE; + mlen -= SPONGENT176_STATE_SIZE; + } + if (mlen > 0) { + /* Encrypt the last block using the current mask */ + unsigned temp = (unsigned)mlen; + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, m, temp); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + memcpy(c, state.B, temp); + + /* Authenticate the last block using the next mask */ + jumbo_lfsr(next, mask); + state.B[temp] = 0x01; + memset(state.B + temp + 1, 0, SPONGENT176_STATE_SIZE - temp - 1); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + c += temp; + } else if (*clen != JUMBO_TAG_SIZE) { + /* Pad and authenticate when the last block is aligned */ + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + state.B[0] ^= 0x01; + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + } + + /* Generate the authentication tag */ + memcpy(c, tag, JUMBO_TAG_SIZE); + return 0; +} + +int jumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + spongent176_state_t state; + unsigned char *mtemp = m; + unsigned char start[SPONGENT176_STATE_SIZE]; + unsigned char mask[SPONGENT176_STATE_SIZE]; + unsigned char next[SPONGENT176_STATE_SIZE]; + unsigned char tag[JUMBO_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < JUMBO_TAG_SIZE) + return -1; + *mlen = clen - JUMBO_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, JUMBO_KEY_SIZE); + memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); + spongent176_permute(&state); + memcpy(mask, state.B, JUMBO_KEY_SIZE); + memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Decrypt and authenticate the payload */ + clen -= JUMBO_TAG_SIZE; + while (clen >= SPONGENT176_STATE_SIZE) { + /* Authenticate using the next mask */ + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, c, SPONGENT176_STATE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + + /* Decrypt using the current mask */ + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block_2_src(m, state.B, c, SPONGENT176_STATE_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, SPONGENT176_STATE_SIZE); + c += SPONGENT176_STATE_SIZE; + m += SPONGENT176_STATE_SIZE; + clen -= SPONGENT176_STATE_SIZE; + } + if (clen > 0) { + /* Authenticate the last block using the next mask */ + unsigned temp = (unsigned)clen; + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, c, temp); + state.B[temp] ^= 0x01; + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + + /* Decrypt the last block using the current mask */ + memcpy(state.B, mask, SPONGENT176_STATE_SIZE); + lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); + spongent176_permute(&state); + lw_xor_block(state.B, mask, temp); + lw_xor_block_2_src(m, state.B, c, temp); + c += temp; + } else if (*mlen != 0) { + /* Pad and authenticate when the last block is aligned */ + jumbo_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); + state.B[0] ^= 0x01; + spongent176_permute(&state); + lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); + lw_xor_block(state.B, next, JUMBO_TAG_SIZE); + lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, tag, c, JUMBO_TAG_SIZE); +} + +/** + * \brief Applies the Delirium LFSR to the mask. + * + * \param out The output mask. + * \param in The input mask. + */ +static void delirium_lfsr + (unsigned char out[KECCAKP_200_STATE_SIZE], + const unsigned char in[KECCAKP_200_STATE_SIZE]) +{ + unsigned char temp = + leftRotate1_8(in[0]) ^ leftRotate1_8(in[2]) ^ (in[13] << 1); + unsigned index; + for (index = 0; index < KECCAKP_200_STATE_SIZE - 1; ++index) + out[index] = in[index + 1]; + out[KECCAKP_200_STATE_SIZE - 1] = temp; +} + +/** + * \brief Processes the nonce and associated data for Delirium. + * + * \param state Points to the Keccak[200] state. + * \param mask Points to the initial mask value. + * \param next Points to the next mask value. + * \param tag Points to the ongoing tag that is being computed. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void delirium_process_ad + (keccakp_200_state_t *state, + unsigned char mask[KECCAKP_200_STATE_SIZE], + unsigned char next[KECCAKP_200_STATE_SIZE], + unsigned char tag[DELIRIUM_TAG_SIZE], + const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned posn, size; + + /* We need the "previous" and "next" masks in each step. + * Compare the first such values */ + delirium_lfsr(next, mask); + delirium_lfsr(next, next); + + /* Absorb the nonce into the state */ + lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); + lw_xor_block(state->B, npub, DELIRIUM_NONCE_SIZE); + + /* Absorb the rest of the associated data */ + posn = DELIRIUM_NONCE_SIZE; + while (adlen > 0) { + size = KECCAKP_200_STATE_SIZE - posn; + if (size <= adlen) { + /* Process a complete block */ + lw_xor_block(state->B + posn, ad, size); + keccakp_200_permute(state, 18); + lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); + delirium_lfsr(mask, mask); + delirium_lfsr(next, next); + lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); + posn = 0; + } else { + /* Process the partial block at the end of the associated data */ + size = (unsigned)adlen; + lw_xor_block(state->B + posn, ad, size); + posn += size; + } + ad += size; + adlen -= size; + } + + /* Pad and absorb the final block */ + state->B[posn] ^= 0x01; + keccakp_200_permute(state, 18); + lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); +} + +int delirium_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + keccakp_200_state_t state; + unsigned char start[KECCAKP_200_STATE_SIZE]; + unsigned char mask[KECCAKP_200_STATE_SIZE]; + unsigned char next[KECCAKP_200_STATE_SIZE]; + unsigned char tag[DELIRIUM_TAG_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + DELIRIUM_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DELIRIUM_KEY_SIZE); + memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE); + keccakp_200_permute(&state, 18); + memcpy(mask, state.B, DELIRIUM_KEY_SIZE); + memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + delirium_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Encrypt and authenticate the payload */ + while (mlen >= KECCAKP_200_STATE_SIZE) { + /* Encrypt using the current mask */ + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, m, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + memcpy(c, state.B, KECCAKP_200_STATE_SIZE); + + /* Authenticate using the next mask */ + delirium_lfsr(next, mask); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, KECCAKP_200_STATE_SIZE); + c += KECCAKP_200_STATE_SIZE; + m += KECCAKP_200_STATE_SIZE; + mlen -= KECCAKP_200_STATE_SIZE; + } + if (mlen > 0) { + /* Encrypt the last block using the current mask */ + unsigned temp = (unsigned)mlen; + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, m, temp); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + memcpy(c, state.B, temp); + + /* Authenticate the last block using the next mask */ + delirium_lfsr(next, mask); + state.B[temp] = 0x01; + memset(state.B + temp + 1, 0, KECCAKP_200_STATE_SIZE - temp - 1); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + c += temp; + } else if (*clen != DELIRIUM_TAG_SIZE) { + /* Pad and authenticate when the last block is aligned */ + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + state.B[0] ^= 0x01; + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + } + + /* Generate the authentication tag */ + memcpy(c, tag, DELIRIUM_TAG_SIZE); + return 0; +} + +int delirium_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + keccakp_200_state_t state; + unsigned char *mtemp = m; + unsigned char start[KECCAKP_200_STATE_SIZE]; + unsigned char mask[KECCAKP_200_STATE_SIZE]; + unsigned char next[KECCAKP_200_STATE_SIZE]; + unsigned char tag[DELIRIUM_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < DELIRIUM_TAG_SIZE) + return -1; + *mlen = clen - DELIRIUM_TAG_SIZE; + + /* Hash the key and generate the initial mask */ + memcpy(state.B, k, DELIRIUM_KEY_SIZE); + memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE); + keccakp_200_permute(&state, 18); + memcpy(mask, state.B, DELIRIUM_KEY_SIZE); + memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); + memcpy(start, mask, sizeof(mask)); + + /* Tag starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Authenticate the nonce and the associated data */ + delirium_process_ad(&state, mask, next, tag, npub, ad, adlen); + + /* Reset back to the starting mask for the encryption phase */ + memcpy(mask, start, sizeof(mask)); + + /* Decrypt and authenticate the payload */ + clen -= DELIRIUM_TAG_SIZE; + while (clen >= KECCAKP_200_STATE_SIZE) { + /* Authenticate using the next mask */ + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, c, KECCAKP_200_STATE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + + /* Decrypt using the current mask */ + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block_2_src(m, state.B, c, KECCAKP_200_STATE_SIZE); + + /* Advance to the next block */ + memcpy(mask, next, KECCAKP_200_STATE_SIZE); + c += KECCAKP_200_STATE_SIZE; + m += KECCAKP_200_STATE_SIZE; + clen -= KECCAKP_200_STATE_SIZE; + } + if (clen > 0) { + /* Authenticate the last block using the next mask */ + unsigned temp = (unsigned)clen; + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, c, temp); + state.B[temp] ^= 0x01; + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + + /* Decrypt the last block using the current mask */ + memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); + lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, temp); + lw_xor_block_2_src(m, state.B, c, temp); + c += temp; + } else if (*mlen != 0) { + /* Pad and authenticate when the last block is aligned */ + delirium_lfsr(next, mask); + lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); + state.B[0] ^= 0x01; + keccakp_200_permute(&state, 18); + lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); + lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); + lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); + } + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, tag, c, DELIRIUM_TAG_SIZE); +} diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.h new file mode 100644 index 0000000..f775e3d --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.h @@ -0,0 +1,291 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ELEPHANT_H +#define LWCRYPTO_ELEPHANT_H + +#include "aead-common.h" + +/** + * \file elephant.h + * \brief Elephant authenticated encryption algorithm family. + * + * Elephant is a family of authenticated encryption algorithms based + * around the Spongent-pi and Keccak permutations. + * + * \li Dumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication + * tag. It is based around the Spongent-pi[160] permutation. This is + * the primary member of the family. + * \li Jumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication + * tag. It is based around the Spongent-pi[176] permutation. + * \li Delirium has a 128-bit key, a 96-bit nonce, and a 128-bit authentication + * tag. It is based around the Keccak[200] permutation. + * + * References: https://www.esat.kuleuven.be/cosic/elephant/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Dumbo. + */ +#define DUMBO_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Dumbo. + */ +#define DUMBO_TAG_SIZE 8 + +/** + * \brief Size of the nonce for Dumbo. + */ +#define DUMBO_NONCE_SIZE 12 + +/** + * \brief Size of the key for Jumbo. + */ +#define JUMBO_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Jumbo. + */ +#define JUMBO_TAG_SIZE 8 + +/** + * \brief Size of the nonce for Jumbo. + */ +#define JUMBO_NONCE_SIZE 12 + +/** + * \brief Size of the key for Delirium. + */ +#define DELIRIUM_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Delirium. + */ +#define DELIRIUM_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Delirium. + */ +#define DELIRIUM_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Dumbo cipher. + */ +extern aead_cipher_t const dumbo_cipher; + +/** + * \brief Meta-information block for the Jumbo cipher. + */ +extern aead_cipher_t const jumbo_cipher; + +/** + * \brief Meta-information block for the Delirium cipher. + */ +extern aead_cipher_t const delirium_cipher; + +/** + * \brief Encrypts and authenticates a packet with Dumbo. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa dumbo_aead_decrypt() + */ +int dumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Dumbo. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa dumbo_aead_encrypt() + */ +int dumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Jumbo. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa jumbo_aead_decrypt() + */ +int jumbo_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Jumbo. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa jumbo_aead_encrypt() + */ +int jumbo_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Delirium. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa delirium_aead_decrypt() + */ +int delirium_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Delirium. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa delirium_aead_encrypt() + */ +int delirium_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/encrypt.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys/encrypt.c new file mode 100644 index 0000000..bf6840c --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "elephant.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return delirium_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return delirium_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.c new file mode 100644 index 0000000..c3c4011 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.c @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-keccak.h" + +/* Faster method to compute ((x + y) % 5) that avoids the division */ +static unsigned char const addMod5Table[9] = { + 0, 1, 2, 3, 4, 0, 1, 2, 3 +}; +#define addMod5(x, y) (addMod5Table[(x) + (y)]) + +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +{ + static uint8_t const RC[18] = { + 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, + 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, + 0x02, 0x80 + }; + uint8_t B[5][5]; + uint8_t D; + unsigned round; + unsigned index, index2; + for (round = 18 - rounds; round < 18; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_8(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate4_8(state->A[0][3]); + B[2][0] = leftRotate1_8(state->A[0][1]); + B[3][0] = leftRotate3_8(state->A[0][4]); + B[4][0] = leftRotate6_8(state->A[0][2]); + B[0][1] = leftRotate4_8(state->A[1][1]); + B[1][1] = leftRotate4_8(state->A[1][4]); + B[2][1] = leftRotate6_8(state->A[1][2]); + B[3][1] = leftRotate4_8(state->A[1][0]); + B[4][1] = leftRotate7_8(state->A[1][3]); + B[0][2] = leftRotate3_8(state->A[2][2]); + B[1][2] = leftRotate3_8(state->A[2][0]); + B[2][2] = leftRotate1_8(state->A[2][3]); + B[3][2] = leftRotate2_8(state->A[2][1]); + B[4][2] = leftRotate7_8(state->A[2][4]); + B[0][3] = leftRotate5_8(state->A[3][3]); + B[1][3] = leftRotate5_8(state->A[3][1]); + B[2][3] = state->A[3][4]; + B[3][3] = leftRotate7_8(state->A[3][2]); + B[4][3] = leftRotate1_8(state->A[3][0]); + B[0][4] = leftRotate6_8(state->A[4][4]); + B[1][4] = leftRotate5_8(state->A[4][2]); + B[2][4] = leftRotate2_8(state->A[4][0]); + B[3][4] = state->A[4][3]; + B[4][4] = leftRotate2_8(state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define keccakp_400_permute_host keccakp_400_permute +#endif + +/* Keccak-p[400] that assumes that the input is already in host byte order */ +void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) +{ + static uint16_t const RC[20] = { + 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, + 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, + 0x8002, 0x0080, 0x800A, 0x000A + }; + uint16_t B[5][5]; + uint16_t D; + unsigned round; + unsigned index, index2; + for (round = 20 - rounds; round < 20; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_16(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate12_16(state->A[0][3]); + B[2][0] = leftRotate1_16 (state->A[0][1]); + B[3][0] = leftRotate11_16(state->A[0][4]); + B[4][0] = leftRotate14_16(state->A[0][2]); + B[0][1] = leftRotate12_16(state->A[1][1]); + B[1][1] = leftRotate4_16 (state->A[1][4]); + B[2][1] = leftRotate6_16 (state->A[1][2]); + B[3][1] = leftRotate4_16 (state->A[1][0]); + B[4][1] = leftRotate7_16 (state->A[1][3]); + B[0][2] = leftRotate11_16(state->A[2][2]); + B[1][2] = leftRotate3_16 (state->A[2][0]); + B[2][2] = leftRotate9_16 (state->A[2][3]); + B[3][2] = leftRotate10_16(state->A[2][1]); + B[4][2] = leftRotate7_16 (state->A[2][4]); + B[0][3] = leftRotate5_16 (state->A[3][3]); + B[1][3] = leftRotate13_16(state->A[3][1]); + B[2][3] = leftRotate8_16 (state->A[3][4]); + B[3][3] = leftRotate15_16(state->A[3][2]); + B[4][3] = leftRotate9_16 (state->A[3][0]); + B[0][4] = leftRotate14_16(state->A[4][4]); + B[1][4] = leftRotate13_16(state->A[4][2]); + B[2][4] = leftRotate2_16 (state->A[4][0]); + B[3][4] = leftRotate8_16 (state->A[4][3]); + B[4][4] = leftRotate2_16 (state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if !defined(LW_UTIL_LITTLE_ENDIAN) + +/** + * \brief Reverses the bytes in a Keccak-p[400] state. + * + * \param state The Keccak-p[400] state to apply byte-reversal to. + */ +static void keccakp_400_reverse_bytes(keccakp_400_state_t *state) +{ + unsigned index; + unsigned char temp1; + unsigned char temp2; + for (index = 0; index < 50; index += 2) { + temp1 = state->B[index]; + temp2 = state->B[index + 1]; + state->B[index] = temp2; + state->B[index + 1] = temp1; + } +} + +/* Keccak-p[400] that requires byte reversal on input and output */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) +{ + keccakp_400_reverse_bytes(state); + keccakp_400_permute_host(state, rounds); + keccakp_400_reverse_bytes(state); +} + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.h new file mode 100644 index 0000000..026da50 --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KECCAK_H +#define LW_INTERNAL_KECCAK_H + +#include "internal-util.h" + +/** + * \file internal-keccak.h + * \brief Internal implementation of the Keccak-p permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for the Keccak-p[200] permutation. + */ +#define KECCAKP_200_STATE_SIZE 25 + +/** + * \brief Size of the state for the Keccak-p[400] permutation. + */ +#define KECCAKP_400_STATE_SIZE 50 + +/** + * \brief Structure of the internal state of the Keccak-p[200] permutation. + */ +typedef union +{ + uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ + uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ + +} keccakp_200_state_t; + +/** + * \brief Structure of the internal state of the Keccak-p[400] permutation. + */ +typedef union +{ + uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ + uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ + +} keccakp_400_state_t; + +/** + * \brief Permutes the Keccak-p[200] state. + * + * \param state The Keccak-p[200] state to be permuted. + * \param rounds The number of rounds to perform (up to 18). + */ +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); + +/** + * \brief Permutes the Keccak-p[400] state, which is assumed to be in + * little-endian byte order. + * + * \param state The Keccak-p[400] state to be permuted. + * \param rounds The number of rounds to perform (up to 20). + */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.c new file mode 100644 index 0000000..69a8ecb --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.c @@ -0,0 +1,346 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-spongent.h" + +/** + * \brief Applies the Spongent-pi S-box in parallel to the 8 nibbles + * of a 32-bit word. + * + * \param x3 The input values to the parallel S-boxes. + * + * \return The output values from the parallel S-boxes. + * + * Based on the bit-sliced S-box implementation from here: + * https://github.com/DadaIsCrazy/usuba/blob/master/data/sboxes/spongent.ua + * + * Note that spongent.ua numbers bits from highest to lowest, so x0 is the + * high bit of each nibble and x3 is the low bit. + */ +static uint32_t spongent_sbox(uint32_t x3) +{ + uint32_t q0, q1, q2, q3, t0, t1, t2, t3; + uint32_t x2 = (x3 >> 1); + uint32_t x1 = (x2 >> 1); + uint32_t x0 = (x1 >> 1); + q0 = x0 ^ x2; + q1 = x1 ^ x2; + t0 = q0 & q1; + q2 = ~(x0 ^ x1 ^ x3 ^ t0); + t1 = q2 & ~x0; + q3 = x1 ^ t1; + t2 = q3 & (q3 ^ x2 ^ x3 ^ t0); + t3 = (x2 ^ t0) & ~(x1 ^ t0); + q0 = x1 ^ x2 ^ x3 ^ t2; + q1 = x0 ^ x2 ^ x3 ^ t0 ^ t1; + q2 = x0 ^ x1 ^ x2 ^ t1; + q3 = x0 ^ x3 ^ t0 ^ t3; + return ((q0 << 3) & 0x88888888U) | ((q1 << 2) & 0x44444444U) | + ((q2 << 1) & 0x22222222U) | (q3 & 0x11111111U); +} + +void spongent160_permute(spongent160_state_t *state) +{ + static uint8_t const RC[] = { + /* Round constants for Spongent-pi[160] */ + 0x75, 0xae, 0x6a, 0x56, 0x54, 0x2a, 0x29, 0x94, + 0x53, 0xca, 0x27, 0xe4, 0x4f, 0xf2, 0x1f, 0xf8, + 0x3e, 0x7c, 0x7d, 0xbe, 0x7a, 0x5e, 0x74, 0x2e, + 0x68, 0x16, 0x50, 0x0a, 0x21, 0x84, 0x43, 0xc2, + 0x07, 0xe0, 0x0e, 0x70, 0x1c, 0x38, 0x38, 0x1c, + 0x71, 0x8e, 0x62, 0x46, 0x44, 0x22, 0x09, 0x90, + 0x12, 0x48, 0x24, 0x24, 0x49, 0x92, 0x13, 0xc8, + 0x26, 0x64, 0x4d, 0xb2, 0x1b, 0xd8, 0x36, 0x6c, + 0x6d, 0xb6, 0x5a, 0x5a, 0x35, 0xac, 0x6b, 0xd6, + 0x56, 0x6a, 0x2d, 0xb4, 0x5b, 0xda, 0x37, 0xec, + 0x6f, 0xf6, 0x5e, 0x7a, 0x3d, 0xbc, 0x7b, 0xde, + 0x76, 0x6e, 0x6c, 0x36, 0x58, 0x1a, 0x31, 0x8c, + 0x63, 0xc6, 0x46, 0x62, 0x0d, 0xb0, 0x1a, 0x58, + 0x34, 0x2c, 0x69, 0x96, 0x52, 0x4a, 0x25, 0xa4, + 0x4b, 0xd2, 0x17, 0xe8, 0x2e, 0x74, 0x5d, 0xba, + 0x3b, 0xdc, 0x77, 0xee, 0x6e, 0x76, 0x5c, 0x3a, + 0x39, 0x9c, 0x73, 0xce, 0x66, 0x66, 0x4c, 0x32, + 0x19, 0x98, 0x32, 0x4c, 0x65, 0xa6, 0x4a, 0x52, + 0x15, 0xa8, 0x2a, 0x54, 0x55, 0xaa, 0x2b, 0xd4, + 0x57, 0xea, 0x2f, 0xf4, 0x5f, 0xfa, 0x3f, 0xfc + }; + const uint8_t *rc = RC; + uint32_t x0, x1, x2, x3, x4; + uint32_t t0, t1, t2, t3, t4; + uint8_t round; + + /* Load the state into local variables and convert from little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = state->W[0]; + x1 = state->W[1]; + x2 = state->W[2]; + x3 = state->W[3]; + x4 = state->W[4]; +#else + x0 = le_load_word32(state->B); + x1 = le_load_word32(state->B + 4); + x2 = le_load_word32(state->B + 8); + x3 = le_load_word32(state->B + 12); + x4 = le_load_word32(state->B + 16); +#endif + + /* Perform the 80 rounds of Spongent-pi[160] */ + for (round = 0; round < 80; ++round, rc += 2) { + /* Add the round constant to front and back of the state */ + x0 ^= rc[0]; + x4 ^= ((uint32_t)(rc[1])) << 24; + + /* Apply the S-box to all 4-bit groups in the state */ + t0 = spongent_sbox(x0); + t1 = spongent_sbox(x1); + t2 = spongent_sbox(x2); + t3 = spongent_sbox(x3); + t4 = spongent_sbox(x4); + + /* Permute the bits of the state. Bit i is moved to (40 * i) % 159 + * for all bits except the last which is left where it is. + * BCP = bit copy, BUP = move bit up, BDN = move bit down */ + #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit))) + #define BUP(x, from, to) \ + (((x) << ((to) - (from))) & (((uint32_t)1) << (to))) + #define BDN(x, from, to) \ + (((x) >> ((from) - (to))) & (((uint32_t)1) << (to))) + x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ + BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ + BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ + BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ + BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ + BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ + BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ + BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ + BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ + BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ + BUP(t3, 24, 30) ^ BUP(t3, 28, 31); + x1 = BUP(t0, 1, 8) ^ BUP(t0, 5, 9) ^ BUP(t0, 9, 10) ^ + BDN(t0, 13, 11) ^ BDN(t0, 17, 12) ^ BDN(t0, 21, 13) ^ + BDN(t0, 25, 14) ^ BDN(t0, 29, 15) ^ BUP(t1, 1, 16) ^ + BUP(t1, 5, 17) ^ BUP(t1, 9, 18) ^ BUP(t1, 13, 19) ^ + BUP(t1, 17, 20) ^ BCP(t1, 21) ^ BDN(t1, 25, 22) ^ + BDN(t1, 29, 23) ^ BUP(t2, 1, 24) ^ BUP(t2, 5, 25) ^ + BUP(t2, 9, 26) ^ BUP(t2, 13, 27) ^ BUP(t2, 17, 28) ^ + BUP(t2, 21, 29) ^ BUP(t2, 25, 30) ^ BUP(t2, 29, 31) ^ + BCP(t4, 0) ^ BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ + BDN(t4, 12, 3) ^ BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ + BDN(t4, 24, 6) ^ BDN(t4, 28, 7); + x2 = BUP(t0, 2, 16) ^ BUP(t0, 6, 17) ^ BUP(t0, 10, 18) ^ + BUP(t0, 14, 19) ^ BUP(t0, 18, 20) ^ BDN(t0, 22, 21) ^ + BDN(t0, 26, 22) ^ BDN(t0, 30, 23) ^ BUP(t1, 2, 24) ^ + BUP(t1, 6, 25) ^ BUP(t1, 10, 26) ^ BUP(t1, 14, 27) ^ + BUP(t1, 18, 28) ^ BUP(t1, 22, 29) ^ BUP(t1, 26, 30) ^ + BUP(t1, 30, 31) ^ BDN(t3, 1, 0) ^ BDN(t3, 5, 1) ^ + BDN(t3, 9, 2) ^ BDN(t3, 13, 3) ^ BDN(t3, 17, 4) ^ + BDN(t3, 21, 5) ^ BDN(t3, 25, 6) ^ BDN(t3, 29, 7) ^ + BUP(t4, 1, 8) ^ BUP(t4, 5, 9) ^ BUP(t4, 9, 10) ^ + BDN(t4, 13, 11) ^ BDN(t4, 17, 12) ^ BDN(t4, 21, 13) ^ + BDN(t4, 25, 14) ^ BDN(t4, 29, 15); + x3 = BUP(t0, 3, 24) ^ BUP(t0, 7, 25) ^ BUP(t0, 11, 26) ^ + BUP(t0, 15, 27) ^ BUP(t0, 19, 28) ^ BUP(t0, 23, 29) ^ + BUP(t0, 27, 30) ^ BCP(t0, 31) ^ BDN(t2, 2, 0) ^ + BDN(t2, 6, 1) ^ BDN(t2, 10, 2) ^ BDN(t2, 14, 3) ^ + BDN(t2, 18, 4) ^ BDN(t2, 22, 5) ^ BDN(t2, 26, 6) ^ + BDN(t2, 30, 7) ^ BUP(t3, 2, 8) ^ BUP(t3, 6, 9) ^ + BCP(t3, 10) ^ BDN(t3, 14, 11) ^ BDN(t3, 18, 12) ^ + BDN(t3, 22, 13) ^ BDN(t3, 26, 14) ^ BDN(t3, 30, 15) ^ + BUP(t4, 2, 16) ^ BUP(t4, 6, 17) ^ BUP(t4, 10, 18) ^ + BUP(t4, 14, 19) ^ BUP(t4, 18, 20) ^ BDN(t4, 22, 21) ^ + BDN(t4, 26, 22) ^ BDN(t4, 30, 23); + x4 = BDN(t1, 3, 0) ^ BDN(t1, 7, 1) ^ BDN(t1, 11, 2) ^ + BDN(t1, 15, 3) ^ BDN(t1, 19, 4) ^ BDN(t1, 23, 5) ^ + BDN(t1, 27, 6) ^ BDN(t1, 31, 7) ^ BUP(t2, 3, 8) ^ + BUP(t2, 7, 9) ^ BDN(t2, 11, 10) ^ BDN(t2, 15, 11) ^ + BDN(t2, 19, 12) ^ BDN(t2, 23, 13) ^ BDN(t2, 27, 14) ^ + BDN(t2, 31, 15) ^ BUP(t3, 3, 16) ^ BUP(t3, 7, 17) ^ + BUP(t3, 11, 18) ^ BUP(t3, 15, 19) ^ BUP(t3, 19, 20) ^ + BDN(t3, 23, 21) ^ BDN(t3, 27, 22) ^ BDN(t3, 31, 23) ^ + BUP(t4, 3, 24) ^ BUP(t4, 7, 25) ^ BUP(t4, 11, 26) ^ + BUP(t4, 15, 27) ^ BUP(t4, 19, 28) ^ BUP(t4, 23, 29) ^ + BUP(t4, 27, 30) ^ BCP(t4, 31); + } + + /* Store the local variables back to the state in little-endian order */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = x0; + state->W[1] = x1; + state->W[2] = x2; + state->W[3] = x3; + state->W[4] = x4; +#else + le_store_word32(state->B, x0); + le_store_word32(state->B + 4, x1); + le_store_word32(state->B + 8, x2); + le_store_word32(state->B + 12, x3); + le_store_word32(state->B + 16, x4); +#endif +} + +void spongent176_permute(spongent176_state_t *state) +{ + static uint8_t const RC[] = { + /* Round constants for Spongent-pi[176] */ + 0x45, 0xa2, 0x0b, 0xd0, 0x16, 0x68, 0x2c, 0x34, + 0x59, 0x9a, 0x33, 0xcc, 0x67, 0xe6, 0x4e, 0x72, + 0x1d, 0xb8, 0x3a, 0x5c, 0x75, 0xae, 0x6a, 0x56, + 0x54, 0x2a, 0x29, 0x94, 0x53, 0xca, 0x27, 0xe4, + 0x4f, 0xf2, 0x1f, 0xf8, 0x3e, 0x7c, 0x7d, 0xbe, + 0x7a, 0x5e, 0x74, 0x2e, 0x68, 0x16, 0x50, 0x0a, + 0x21, 0x84, 0x43, 0xc2, 0x07, 0xe0, 0x0e, 0x70, + 0x1c, 0x38, 0x38, 0x1c, 0x71, 0x8e, 0x62, 0x46, + 0x44, 0x22, 0x09, 0x90, 0x12, 0x48, 0x24, 0x24, + 0x49, 0x92, 0x13, 0xc8, 0x26, 0x64, 0x4d, 0xb2, + 0x1b, 0xd8, 0x36, 0x6c, 0x6d, 0xb6, 0x5a, 0x5a, + 0x35, 0xac, 0x6b, 0xd6, 0x56, 0x6a, 0x2d, 0xb4, + 0x5b, 0xda, 0x37, 0xec, 0x6f, 0xf6, 0x5e, 0x7a, + 0x3d, 0xbc, 0x7b, 0xde, 0x76, 0x6e, 0x6c, 0x36, + 0x58, 0x1a, 0x31, 0x8c, 0x63, 0xc6, 0x46, 0x62, + 0x0d, 0xb0, 0x1a, 0x58, 0x34, 0x2c, 0x69, 0x96, + 0x52, 0x4a, 0x25, 0xa4, 0x4b, 0xd2, 0x17, 0xe8, + 0x2e, 0x74, 0x5d, 0xba, 0x3b, 0xdc, 0x77, 0xee, + 0x6e, 0x76, 0x5c, 0x3a, 0x39, 0x9c, 0x73, 0xce, + 0x66, 0x66, 0x4c, 0x32, 0x19, 0x98, 0x32, 0x4c, + 0x65, 0xa6, 0x4a, 0x52, 0x15, 0xa8, 0x2a, 0x54, + 0x55, 0xaa, 0x2b, 0xd4, 0x57, 0xea, 0x2f, 0xf4, + 0x5f, 0xfa, 0x3f, 0xfc + }; + const uint8_t *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5; + uint32_t t0, t1, t2, t3, t4, t5; + uint8_t round; + + /* Load the state into local variables and convert from little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = state->W[0]; + x1 = state->W[1]; + x2 = state->W[2]; + x3 = state->W[3]; + x4 = state->W[4]; + x5 = state->W[5]; +#else + x0 = le_load_word32(state->B); + x1 = le_load_word32(state->B + 4); + x2 = le_load_word32(state->B + 8); + x3 = le_load_word32(state->B + 12); + x4 = le_load_word32(state->B + 16); + x5 = le_load_word16(state->B + 20); /* Last word is only 16 bits */ +#endif + + /* Perform the 90 rounds of Spongent-pi[176] */ + for (round = 0; round < 90; ++round, rc += 2) { + /* Add the round constant to front and back of the state */ + x0 ^= rc[0]; + x5 ^= ((uint32_t)(rc[1])) << 8; + + /* Apply the S-box to all 4-bit groups in the state */ + t0 = spongent_sbox(x0); + t1 = spongent_sbox(x1); + t2 = spongent_sbox(x2); + t3 = spongent_sbox(x3); + t4 = spongent_sbox(x4); + t5 = spongent_sbox(x5); + + /* Permute the bits of the state. Bit i is moved to (44 * i) % 175 + * for all bits except the last which is left where it is. + * BCP = bit copy, BUP = move bit up, BDN = move bit down */ + x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ + BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ + BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ + BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ + BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ + BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ + BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ + BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ + BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ + BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ + BUP(t3, 24, 30) ^ BUP(t3, 28, 31); + x1 = BUP(t0, 1, 12) ^ BUP(t0, 5, 13) ^ BUP(t0, 9, 14) ^ + BUP(t0, 13, 15) ^ BDN(t0, 17, 16) ^ BDN(t0, 21, 17) ^ + BDN(t0, 25, 18) ^ BDN(t0, 29, 19) ^ BUP(t1, 1, 20) ^ + BUP(t1, 5, 21) ^ BUP(t1, 9, 22) ^ BUP(t1, 13, 23) ^ + BUP(t1, 17, 24) ^ BUP(t1, 21, 25) ^ BUP(t1, 25, 26) ^ + BDN(t1, 29, 27) ^ BUP(t2, 1, 28) ^ BUP(t2, 5, 29) ^ + BUP(t2, 9, 30) ^ BUP(t2, 13, 31) ^ BCP(t4, 0) ^ + BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ BDN(t4, 12, 3) ^ + BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ BDN(t4, 24, 6) ^ + BDN(t4, 28, 7) ^ BUP(t5, 0, 8) ^ BUP(t5, 4, 9) ^ + BUP(t5, 8, 10) ^ BDN(t5, 12, 11); + x2 = BUP(t0, 2, 24) ^ BUP(t0, 6, 25) ^ BUP(t0, 10, 26) ^ + BUP(t0, 14, 27) ^ BUP(t0, 18, 28) ^ BUP(t0, 22, 29) ^ + BUP(t0, 26, 30) ^ BUP(t0, 30, 31) ^ BDN(t2, 17, 0) ^ + BDN(t2, 21, 1) ^ BDN(t2, 25, 2) ^ BDN(t2, 29, 3) ^ + BUP(t3, 1, 4) ^ BCP(t3, 5) ^ BDN(t3, 9, 6) ^ + BDN(t3, 13, 7) ^ BDN(t3, 17, 8) ^ BDN(t3, 21, 9) ^ + BDN(t3, 25, 10) ^ BDN(t3, 29, 11) ^ BUP(t4, 1, 12) ^ + BUP(t4, 5, 13) ^ BUP(t4, 9, 14) ^ BUP(t4, 13, 15) ^ + BDN(t4, 17, 16) ^ BDN(t4, 21, 17) ^ BDN(t4, 25, 18) ^ + BDN(t4, 29, 19) ^ BUP(t5, 1, 20) ^ BUP(t5, 5, 21) ^ + BUP(t5, 9, 22) ^ BUP(t5, 13, 23); + x3 = BDN(t1, 2, 0) ^ BDN(t1, 6, 1) ^ BDN(t1, 10, 2) ^ + BDN(t1, 14, 3) ^ BDN(t1, 18, 4) ^ BDN(t1, 22, 5) ^ + BDN(t1, 26, 6) ^ BDN(t1, 30, 7) ^ BUP(t2, 2, 8) ^ + BUP(t2, 6, 9) ^ BCP(t2, 10) ^ BDN(t2, 14, 11) ^ + BDN(t2, 18, 12) ^ BDN(t2, 22, 13) ^ BDN(t2, 26, 14) ^ + BDN(t2, 30, 15) ^ BUP(t3, 2, 16) ^ BUP(t3, 6, 17) ^ + BUP(t3, 10, 18) ^ BUP(t3, 14, 19) ^ BUP(t3, 18, 20) ^ + BDN(t3, 22, 21) ^ BDN(t3, 26, 22) ^ BDN(t3, 30, 23) ^ + BUP(t4, 2, 24) ^ BUP(t4, 6, 25) ^ BUP(t4, 10, 26) ^ + BUP(t4, 14, 27) ^ BUP(t4, 18, 28) ^ BUP(t4, 22, 29) ^ + BUP(t4, 26, 30) ^ BUP(t4, 30, 31); + x4 = BUP(t0, 3, 4) ^ BDN(t0, 7, 5) ^ BDN(t0, 11, 6) ^ + BDN(t0, 15, 7) ^ BDN(t0, 19, 8) ^ BDN(t0, 23, 9) ^ + BDN(t0, 27, 10) ^ BDN(t0, 31, 11) ^ BUP(t1, 3, 12) ^ + BUP(t1, 7, 13) ^ BUP(t1, 11, 14) ^ BCP(t1, 15) ^ + BDN(t1, 19, 16) ^ BDN(t1, 23, 17) ^ BDN(t1, 27, 18) ^ + BDN(t1, 31, 19) ^ BUP(t2, 3, 20) ^ BUP(t2, 7, 21) ^ + BUP(t2, 11, 22) ^ BUP(t2, 15, 23) ^ BUP(t2, 19, 24) ^ + BUP(t2, 23, 25) ^ BDN(t2, 27, 26) ^ BDN(t2, 31, 27) ^ + BUP(t3, 3, 28) ^ BUP(t3, 7, 29) ^ BUP(t3, 11, 30) ^ + BUP(t3, 15, 31) ^ BDN(t5, 2, 0) ^ BDN(t5, 6, 1) ^ + BDN(t5, 10, 2) ^ BDN(t5, 14, 3); + x5 = BDN(t3, 19, 0) ^ BDN(t3, 23, 1) ^ BDN(t3, 27, 2) ^ + BDN(t3, 31, 3) ^ BUP(t4, 3, 4) ^ BDN(t4, 7, 5) ^ + BDN(t4, 11, 6) ^ BDN(t4, 15, 7) ^ BDN(t4, 19, 8) ^ + BDN(t4, 23, 9) ^ BDN(t4, 27, 10) ^ BDN(t4, 31, 11) ^ + BUP(t5, 3, 12) ^ BUP(t5, 7, 13) ^ BUP(t5, 11, 14) ^ + BCP(t5, 15); + } + + /* Store the local variables back to the state in little-endian order */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = x0; + state->W[1] = x1; + state->W[2] = x2; + state->W[3] = x3; + state->W[4] = x4; + state->W[5] = x5; +#else + le_store_word32(state->B, x0); + le_store_word32(state->B + 4, x1); + le_store_word32(state->B + 8, x2); + le_store_word32(state->B + 12, x3); + le_store_word32(state->B + 16, x4); + le_store_word16(state->B + 20, x5); /* Last word is only 16 bits */ +#endif +} diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.h new file mode 100644 index 0000000..bb9823f --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.h @@ -0,0 +1,91 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPONGENT_H +#define LW_INTERNAL_SPONGENT_H + +#include "internal-util.h" + +/** + * \file internal-spongent.h + * \brief Internal implementation of the Spongent-pi permutation. + * + * References: https://www.esat.kuleuven.be/cosic/elephant/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the Spongent-pi[160] state in bytes. + */ +#define SPONGENT160_STATE_SIZE 20 + +/** + * \brief Size of the Spongent-pi[176] state in bytes. + */ +#define SPONGENT176_STATE_SIZE 22 + +/** + * \brief Structure of the internal state of the Spongent-pi[160] permutation. + */ +typedef union +{ + uint32_t W[5]; /**< Spongent-pi[160] state as 32-bit words */ + uint8_t B[20]; /**< Spongent-pi[160] state as bytes */ + +} spongent160_state_t; + +/** + * \brief Structure of the internal state of the Spongent-pi[176] permutation. + * + * Note: The state is technically only 176 bits, but we increase it to + * 192 bits so that we can use 32-bit word operations to manipulate the + * state. The extra bits in the last word are fixed to zero. + */ +typedef union +{ + uint32_t W[6]; /**< Spongent-pi[176] state as 32-bit words */ + uint8_t B[24]; /**< Spongent-pi[176] state as bytes */ + +} spongent176_state_t; + +/** + * \brief Permutes the Spongent-pi[160] state. + * + * \param state The Spongent-pi[160] state to be permuted. + */ +void spongent160_permute(spongent160_state_t *state); + +/** + * \brief Permutes the Spongent-pi[176] state. + * + * \param state The Spongent-pi[176] state to be permuted. + */ +void spongent176_permute(spongent176_state_t *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-util.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.c b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.h b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/api.h b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/encrypt.c b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/encrypt.c new file mode 100644 index 0000000..daa5139 --- /dev/null +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "estate.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return estate_twegift_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return estate_twegift_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.c b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.c new file mode 100644 index 0000000..355aa92 --- /dev/null +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.c @@ -0,0 +1,196 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "estate.h" +#include "internal-gift128.h" +#include "internal-util.h" +#include + +aead_cipher_t const estate_twegift_cipher = { + "ESTATE_TweGIFT-128", + ESTATE_TWEGIFT_KEY_SIZE, + ESTATE_TWEGIFT_NONCE_SIZE, + ESTATE_TWEGIFT_TAG_SIZE, + AEAD_FLAG_NONE, + estate_twegift_aead_encrypt, + estate_twegift_aead_decrypt +}; + +/** + * \brief Generates the FCBC MAC for a packet using ESTATE_TweGIFT-128. + * + * \param ks The key schedule for TweGIFT-128. + * \param tag Rolling state of the authentication tag. + * \param m Message to be authenticated. + * \param mlen Length of the message to be authenticated; must be >= 1. + * \param tweak1 Tweak value to use when the last block is full. + * \param tweak2 Tweak value to use when the last block is partial. + */ +static void estate_twegift_fcbc + (const gift128n_key_schedule_t *ks, unsigned char tag[16], + const unsigned char *m, unsigned long long mlen, + unsigned char tweak1, unsigned char tweak2) +{ + while (mlen > 16) { + lw_xor_block(tag, m, 16); + gift128n_encrypt(ks, tag, tag); + m += 16; + mlen -= 16; + } + if (mlen == 16) { + lw_xor_block(tag, m, 16); + gift128t_encrypt(ks, tag, tag, tweak1); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block(tag, m, temp); + tag[temp] ^= 0x01; + gift128t_encrypt(ks, tag, tag, tweak2); + } +} + +/** + * \brief Generates the MAC for a packet using ESTATE_TweGIFT-128. + * + * \param ks The key schedule for TweGIFT-128. + * \param tag Rolling state of the authentication tag. + * \param m Message to be authenticated. + * \param mlen Length of the message to be authenticated. + * \param ad Associated data to be authenticated. + * \param adlen Length of the associated data to be authenticated. + */ +static void estate_twegift_authenticate + (const gift128n_key_schedule_t *ks, unsigned char tag[16], + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen) +{ + /* Handle the case where both the message and associated data are empty */ + if (mlen == 0 && adlen == 0) { + gift128t_encrypt(ks, tag, tag, /*tweak=*/8); + return; + } + + /* Encrypt the nonce */ + gift128t_encrypt(ks, tag, tag, /*tweak=*/1); + + /* Compute the FCBC MAC over the associated data */ + if (adlen != 0) { + if (mlen != 0) + estate_twegift_fcbc(ks, tag, ad, adlen, /*tweak1=*/2, /*tweak2=*/3); + else + estate_twegift_fcbc(ks, tag, ad, adlen, /*tweak1=*/6, /*tweak2=*/7); + } + + /* Compute the FCBC MAC over the message data */ + if (mlen != 0) + estate_twegift_fcbc(ks, tag, m, mlen, /*tweak1=*/4, /*tweak2=*/5); +} + +/** + * \brief Encrypts (or decrypts) a payload using ESTATE_TweGIFT-128. + * + * \param ks The key schedule for TweGIFT-128. + * \param tag Pre-computed authentication tag for the packet. + * \param c Ciphertext after encryption. + * \param m Plaintext to be encrypted. + * \param mlen Length of the plaintext to be encrypted. + */ +static void estate_twegift_encrypt + (const gift128n_key_schedule_t *ks, const unsigned char tag[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[16]; + memcpy(block, tag, 16); + while (mlen >= 16) { + gift128n_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, 16); + c += 16; + m += 16; + mlen -= 16; + } + if (mlen > 0) { + gift128n_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, (unsigned)mlen); + } +} + +int estate_twegift_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + gift128n_key_schedule_t ks; + unsigned char tag[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ESTATE_TWEGIFT_TAG_SIZE; + + /* Set up the key schedule and copy the nonce into the tag */ + if (!gift128n_init(&ks, k, ESTATE_TWEGIFT_KEY_SIZE)) + return -1; + memcpy(tag, npub, 16); + + /* Authenticate the associated data and plaintext */ + estate_twegift_authenticate(&ks, tag, m, mlen, ad, adlen); + + /* Encrypt the plaintext to generate the ciphertext */ + estate_twegift_encrypt(&ks, tag, c, m, mlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, tag, 16); + return 0; +} + +int estate_twegift_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + gift128n_key_schedule_t ks; + unsigned char tag[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ESTATE_TWEGIFT_TAG_SIZE) + return -1; + *mlen = clen - ESTATE_TWEGIFT_TAG_SIZE; + + /* Set up the key schedule and copy the nonce into the tag */ + if (!gift128n_init(&ks, k, ESTATE_TWEGIFT_KEY_SIZE)) + return -1; + memcpy(tag, npub, 16); + + /* Decrypt the ciphertext to generate the plaintext */ + estate_twegift_encrypt(&ks, c + *mlen, m, c, *mlen); + + /* Authenticate the associated data and plaintext */ + estate_twegift_authenticate(&ks, tag, m, *mlen, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, tag, c + *mlen, 16); +} diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.h b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.h new file mode 100644 index 0000000..d38ee16 --- /dev/null +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.h @@ -0,0 +1,137 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ESTATE_H +#define LWCRYPTO_ESTATE_H + +#include "aead-common.h" + +/** + * \file estate.h + * \brief ESTATE authenticated encryption algorithm. + * + * ESTATE_TweGIFT-128 is an authenticated encryption algorithm with a + * 128-bit key, a 128-bit nonce, and a 128-bit tag. It is a two-pass + * algorithm that is built around a tweaked version of the GIFT-128 block + * cipher, the FCBC authentication mode, and the OFB encryption mode. + * + * ESTATE is resistant against nonce reuse as long as the combination + * of the associated data and plaintext is unique. + * + * If a nonce is reused then two packets with the same nonce, associated data, + * and plaintext will encrypt to the same ciphertext. This will leak that + * the same plaintext has been sent for a second time but will not reveal + * the plaintext itself. + * + * The ESTATE family also includes variants build around tweaked versions + * of the AES block cipher. We do not implement those variants in this + * library. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for ESTATE_TweGIFT-128. + */ +#define ESTATE_TWEGIFT_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for ESTATE_TweGIFT-128. + */ +#define ESTATE_TWEGIFT_TAG_SIZE 16 + +/** + * \brief Size of the nonce for ESTATE_TweGIFT-128. + */ +#define ESTATE_TWEGIFT_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the ESTATE_TweGIFT-128 cipher. + */ +extern aead_cipher_t const estate_twegift_cipher; + +/** + * \brief Encrypts and authenticates a packet with ESTATE_TweGIFT-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa estate_twegift_aead_decrypt() + */ +int estate_twegift_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ESTATE_TweGIFT-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa estate_twegift_aead_encrypt() + */ +int estate_twegift_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.c b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.c new file mode 100644 index 0000000..681dbc8 --- /dev/null +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.c @@ -0,0 +1,849 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gift128.h" +#include "internal-util.h" + +/* Round constants for GIFT-128 in the fixsliced representation */ +static uint32_t const GIFT128_RC[40] = { + 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, + 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, + 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, + 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, + 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, + 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, + 0xc001a000, 0x14500002, 0x01020181, 0x8000001a +}; + +/** + * \brief Swaps bits within two words. + * + * \param a The first word. + * \param b The second word. + * \param mask Mask for the bits to shift. + * \param shift Shift amount in bits. + */ +#define gift128b_swap_move(a, b, mask, shift) \ + do { \ + uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ + (b) ^= tmp; \ + (a) ^= tmp << (shift); \ + } while (0) + +/** + * \brief Derives the next 10 fixsliced keys in the key schedule. + * + * \param next Points to the buffer to receive the next 10 keys. + * \param prev Points to the buffer holding the previous 10 keys. + * + * The \a next and \a prev buffers are allowed to be the same. + */ +#define gift128b_derive_keys(next, prev) \ + do { \ + /* Key 0 */ \ + uint32_t s = (prev)[0]; \ + uint32_t t = (prev)[1]; \ + gift128b_swap_move(t, t, 0x00003333U, 16); \ + gift128b_swap_move(t, t, 0x55554444U, 1); \ + (next)[0] = t; \ + /* Key 1 */ \ + s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ + gift128b_swap_move(s, s, 0x55551100U, 1); \ + (next)[1] = s; \ + /* Key 2 */ \ + s = (prev)[2]; \ + t = (prev)[3]; \ + (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ + ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ + /* Key 3 */ \ + (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ + ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ + /* Key 4 */ \ + s = (prev)[4]; \ + t = (prev)[5]; \ + (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ + leftRotate16(t & 0x55555555U); \ + /* Key 5 */ \ + (next)[5] = leftRotate8(s & 0x55555555U) | \ + leftRotate12(s & 0xAAAAAAAAU); \ + /* Key 6 */ \ + s = (prev)[6]; \ + t = (prev)[7]; \ + (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ + ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ + /* Key 7 */ \ + (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ + ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ + ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ + /* Key 8 */ \ + s = (prev)[8]; \ + t = (prev)[9]; \ + (next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ + ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ + /* Key 9 */ \ + (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ + ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ + } while (0) + +/** + * \brief Compute the round keys for GIFT-128 in the fixsliced representation. + * + * \param ks Points to the key schedule to initialize. + * \param k0 First key word. + * \param k1 Second key word. + * \param k2 Third key word. + * \param k3 Fourth key word. + */ +static void gift128b_compute_round_keys + (gift128b_key_schedule_t *ks, + uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) +{ + unsigned index; + uint32_t temp; + + /* Set the regular key with k0 and k3 pre-swapped for the round function */ + ks->k[0] = k3; + ks->k[1] = k1; + ks->k[2] = k2; + ks->k[3] = k0; + + /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ + for (index = 4; index < 20; index += 2) { + ks->k[index] = ks->k[index - 3]; + temp = ks->k[index - 4]; + temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + ks->k[index + 1] = temp; + } + for (index = 0; index < 20; index += 10) { + /* Keys 0 and 10 */ + temp = ks->k[index]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index] = temp; + + /* Keys 1 and 11 */ + temp = ks->k[index + 1]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 1] = temp; + + /* Keys 2 and 12 */ + temp = ks->k[index + 2]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 2] = temp; + + /* Keys 3 and 13 */ + temp = ks->k[index + 3]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 3] = temp; + + /* Keys 4 and 14 */ + temp = ks->k[index + 4]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 4] = temp; + + /* Keys 5 and 15 */ + temp = ks->k[index + 5]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 5] = temp; + + /* Keys 6 and 16 */ + temp = ks->k[index + 6]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 6] = temp; + + /* Keys 7 and 17 */ + temp = ks->k[index + 7]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 7] = temp; + + /* Keys 8, 9, 18, and 19 do not need any adjustment */ + } + + /* Derive the fixsliced keys for the remaining rounds 11..40 */ + for (index = 20; index < 80; index += 10) { + gift128b_derive_keys(ks->k + index, ks->k + index - 20); + } +} + +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, be_load_word32(key), be_load_word32(key + 4), + be_load_word32(key + 8), be_load_word32(key + 12)); + return 1; +} + +/** + * \brief Performs the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_sbox(s0, s1, s2, s3) \ + do { \ + s1 ^= s0 & s2; \ + s0 ^= s1 & s3; \ + s2 ^= s0 | s1; \ + s3 ^= s2; \ + s1 ^= s3; \ + s3 ^= 0xFFFFFFFFU; \ + s2 ^= s0 & s1; \ + } while (0) + +/** + * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_sbox(s0, s1, s2, s3) \ + do { \ + s2 ^= s3 & s1; \ + s0 ^= 0xFFFFFFFFU; \ + s1 ^= s0; \ + s0 ^= s2; \ + s2 ^= s3 | s1; \ + s3 ^= s1 & s0; \ + s1 ^= s3 & s2; \ + } while (0) + +/** + * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ + s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s3 = leftRotate16(s3); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = rightRotate8(s2); \ + s3 = leftRotate8(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ + s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + s3 = leftRotate16(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = leftRotate8(s2); \ + s3 = rightRotate8(s3); \ + } while (0); + +/** + * \brief Performs five fixsliced encryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of five rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 5 rounds. + */ +#define gift128b_encrypt_5_rounds(rk, rc) \ + do { \ + /* 1st round - S-box, rotate left, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_1(s0, s1, s2, s3); \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + \ + /* 2nd round - S-box, rotate up, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_2(s0, s1, s2, s3); \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_3(s0, s1, s2, s3); \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + \ + /* 4th round - S-box, rotate left and swap rows, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_4(s0, s1, s2, s3); \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + \ + /* 5th round - S-box, rotate up, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_5(s0, s1, s2, s3); \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + \ + /* Swap s0 and s3 in preparation for the next 1st round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + } while (0) + +/** + * \brief Performs five fixsliced decryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + */ +#define gift128b_decrypt_5_rounds(rk, rc) \ + do { \ + /* Swap s0 and s3 in preparation for the next 5th round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + \ + /* 5th round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + gift128b_inv_permute_state_5(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 4th round - S-box, rotate right and swap rows, add round key */ \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + gift128b_inv_permute_state_4(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + gift128b_inv_permute_state_3(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 2nd round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + gift128b_inv_permute_state_2(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 1st round - S-box, rotate right, add round key */ \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + gift128b_inv_permute_state_1(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + } while (0) + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + /* Use the little-endian key byte order from the HYENA submission */ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); + return 1; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +/* 4-bit tweak values expanded to 32-bit */ +static uint32_t const GIFT128_tweaks[16] = { + 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, + 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, + 0x78787878, 0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, + 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff +}; + +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the ciphertext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the first we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the plaintext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.h b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.h new file mode 100644 index 0000000..1ac40e5 --- /dev/null +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.h @@ -0,0 +1,229 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT128_H +#define LW_INTERNAL_GIFT128_H + +/** + * \file internal-gift128.h + * \brief GIFT-128 block cipher. + * + * There are three versions of GIFT-128 in use within the second round + * submissions to the NIST lightweight cryptography competition. + * + * The most efficient version for 32-bit software implementation is the + * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. + * + * The second is the nibble-based version from HYENA. We implement the + * HYENA version as a wrapper around the bit-sliced version. + * + * The third version is a variant on the HYENA nibble-based version that + * includes a 4-bit tweak value for domain separation. It is used by + * the ESTATE submission to NIST. + * + * Technically there is a fourth version of GIFT-128 which is the one that + * appeared in the original GIFT-128 paper. It is almost the same as the + * HYENA version except that the byte ordering is big-endian instead of + * HYENA's little-endian. The original version of GIFT-128 doesn't appear + * in any of the NIST submissions so we don't bother with it in this library. + * + * References: https://eprint.iacr.org/2017/622.pdf, + * https://giftcipher.github.io/gift/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a GIFT-128 block in bytes. + */ +#define GIFT128_BLOCK_SIZE 16 + +/** + * \brief Number of round keys for the fixsliced representation of GIFT-128. + */ +#define GIFT128_ROUND_KEYS 80 + +/** + * \brief Structure of the key schedule for GIFT-128 (bit-sliced). + */ +typedef struct +{ + /** Pre-computed round keys in the fixsliced form */ + uint32_t k[GIFT128_ROUND_KEYS]; + +} gift128b_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (bit-sliced). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version assumes that the input has already been pre-loaded from + * big-endian into host byte order in the supplied word array. The output + * is delivered in the same way. + */ +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Structure of the key schedule for GIFT-128 (nibble-based). + */ +typedef gift128b_key_schedule_t gift128n_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (nibble-based). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +/** + * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-util.h b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/api.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/api.h new file mode 100644 index 0000000..3818b25 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 6 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/encrypt.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/encrypt.c new file mode 100644 index 0000000..3741901 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "forkae.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_paef_128_192_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_paef_128_192_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.c new file mode 100644 index 0000000..4a9671a --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "forkae.h" +#include "internal-forkskinny.h" +#include "internal-util.h" +#include + +aead_cipher_t const forkae_paef_64_192_cipher = { + "PAEF-ForkSkinny-64-192", + FORKAE_PAEF_64_192_KEY_SIZE, + FORKAE_PAEF_64_192_NONCE_SIZE, + FORKAE_PAEF_64_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_64_192_aead_encrypt, + forkae_paef_64_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_192_cipher = { + "PAEF-ForkSkinny-128-192", + FORKAE_PAEF_128_192_KEY_SIZE, + FORKAE_PAEF_128_192_NONCE_SIZE, + FORKAE_PAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_192_aead_encrypt, + forkae_paef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_256_cipher = { + "PAEF-ForkSkinny-128-256", + FORKAE_PAEF_128_256_KEY_SIZE, + FORKAE_PAEF_128_256_NONCE_SIZE, + FORKAE_PAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_256_aead_encrypt, + forkae_paef_128_256_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_288_cipher = { + "PAEF-ForkSkinny-128-288", + FORKAE_PAEF_128_288_KEY_SIZE, + FORKAE_PAEF_128_288_NONCE_SIZE, + FORKAE_PAEF_128_288_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_288_aead_encrypt, + forkae_paef_128_288_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_192_cipher = { + "SAEF-ForkSkinny-128-192", + FORKAE_SAEF_128_192_KEY_SIZE, + FORKAE_SAEF_128_192_NONCE_SIZE, + FORKAE_SAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_192_aead_encrypt, + forkae_saef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_256_cipher = { + "SAEF-ForkSkinny-128-256", + FORKAE_SAEF_128_256_KEY_SIZE, + FORKAE_SAEF_128_256_NONCE_SIZE, + FORKAE_SAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_256_aead_encrypt, + forkae_saef_128_256_aead_decrypt +}; + +/* PAEF-ForkSkinny-64-192 */ +#define FORKAE_ALG_NAME forkae_paef_64_192 +#define FORKAE_BLOCK_SIZE 8 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_64_192 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_paef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_paef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-288 */ +#define FORKAE_ALG_NAME forkae_paef_128_288 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 7 +#define FORKAE_TWEAKEY_SIZE 48 +#define FORKAE_BLOCK_FUNC forkskinny_128_384 +#include "internal-forkae-paef.h" + +/* SAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_saef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" + +/* SAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_saef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.h new file mode 100644 index 0000000..3e27b50 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/forkae.h @@ -0,0 +1,551 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_FORKAE_H +#define LWCRYPTO_FORKAE_H + +#include "aead-common.h" + +/** + * \file forkae.h + * \brief ForkAE authenticated encryption algorithm family. + * + * ForkAE is a family of authenticated encryption algorithms based on a + * modified version of the SKINNY tweakable block cipher. The modifications + * introduce "forking" where each input block produces two output blocks + * for use in encryption and authentication. There are six members in + * the ForkAE family: + * + * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a + * 64-bit authentication tag. The associated data and plaintext are + * limited to 216 bytes. + * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 257 bytes. This is the primary member of the family. + * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * + * The PAEF variants support parallel encryption and decryption for + * higher throughput. The SAEF variants encrypt or decrypt blocks + * sequentially. + * + * ForkAE is designed to be efficient on small packet sizes so most of + * the PAEF algorithms have a limit of 64k or 128k on the amount of + * payload in a single packet. Obviously the input can be split into + * separate packets for larger amounts of data. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_TAG_SIZE 8 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_NONCE_SIZE 14 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_NONCE_SIZE 13 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_NONCE_SIZE 7 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_NONCE_SIZE 15 + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. + */ +extern aead_cipher_t const forkae_paef_64_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_paef_128_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_paef_128_256_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. + */ +extern aead_cipher_t const forkae_paef_128_288_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_saef_128_192_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_saef_128_256_cipher; + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_64_192_aead_decrypt() + */ +int forkae_paef_64_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_64_192_aead_encrypt() + */ +int forkae_paef_64_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_192_aead_decrypt() + */ +int forkae_paef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_192_aead_encrypt() + */ +int forkae_paef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_256_aead_decrypt() + */ +int forkae_paef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_256_aead_encrypt() + */ +int forkae_paef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_288_aead_decrypt() + */ +int forkae_paef_128_288_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_288_aead_encrypt() + */ +int forkae_paef_128_288_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_192_aead_decrypt() + */ +int forkae_saef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_192_aead_encrypt() + */ +int forkae_saef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_256_aead_decrypt() + */ +int forkae_saef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_256_aead_encrypt() + */ +int forkae_saef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-paef.h new file mode 100644 index 0000000..6f57b2b --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-paef.h @@ -0,0 +1,273 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE PAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Limit on the amount of data we can process based on the counter size */ +#define FORKAE_PAEF_DATA_LIMIT \ + ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \ + (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE) + +/* Processes the associated data in PAEF mode */ +STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter) + (unsigned char tweakey[FORKAE_TWEAKEY_SIZE], + unsigned long long counter, unsigned char domain) +{ + unsigned posn; + counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3)); + for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) { + tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] = + (unsigned char)counter; + counter >>= 8; + } +} + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned long long counter; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + counter = 1; + while (mlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, m, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned long long counter; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + counter = 1; + while (clen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag)); + } else { + unsigned temp = (unsigned)clen; + unsigned char block2[FORKAE_BLOCK_SIZE]; + int check; + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, block2, block, block2); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (block2 + temp, FORKAE_BLOCK_SIZE - temp); + memcpy(m, block2, temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE PAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT +#undef FORKAE_PAEF_DATA_LIMIT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-saef.h new file mode 100644 index 0000000..768bba4 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkae-saef.h @@ -0,0 +1,251 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE SAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || mlen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (mlen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + while (mlen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, tag, FORKAE_BLOCK_SIZE); + lw_xor_block(block, m, temp); + block[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || clen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (clen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + while (clen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)clen; + unsigned char mblock[FORKAE_BLOCK_SIZE]; + int check; + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, mblock, block, block); + lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE); + memcpy(m, mblock, temp); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (mblock + temp, FORKAE_BLOCK_SIZE - temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE SAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_TWEAKEY_REDUCED_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.c new file mode 100644 index 0000000..b050ff1 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.c @@ -0,0 +1,988 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-forkskinny.h" +#include "internal-skinnyutil.h" + +/** + * \brief 7-bit round constants for all ForkSkinny block ciphers. + */ +static unsigned char const RC[87] = { + 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d, + 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73, + 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57, + 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d, + 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53, + 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15, + 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02, + 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71, + 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b, + 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25, + 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10 +}; + +/** + * \brief Number of rounds of ForkSkinny-128-256 before forking. + */ +#define FORKSKINNY_128_256_ROUNDS_BEFORE 21 + +/** + * \brief Number of rounds of ForkSkinny-128-256 after forking. + */ +#define FORKSKINNY_128_256_ROUNDS_AFTER 27 + +/** + * \brief State information for ForkSkinny-128-256. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_256_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-256. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); +} + +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) { + forkskinny_128_256_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-256 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_inv_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + forkskinny_128_256_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-128-384 before forking. + */ +#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 + +/** + * \brief Number of rounds of ForkSkinny-128-384 after forking. + */ +#define FORKSKINNY_128_384_ROUNDS_AFTER 31 + +/** + * \brief State information for ForkSkinny-128-384. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t TK3[4]; /**< Third part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_384_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-384. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_permute_tk(state->TK3); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); + skinny128_LFSR3(state->TK3[0]); + skinny128_LFSR3(state->TK3[1]); +} + +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { + forkskinny_128_384_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-384 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_inv_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_LFSR3(state->TK3[0]); + skinny128_inv_LFSR3(state->TK3[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + skinny128_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + forkskinny_128_384_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_permute_tk(state.TK3); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + skinny128_LFSR3(state.TK3[0]); + skinny128_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_LFSR3(state.TK3[0]); + skinny128_inv_LFSR3(state.TK3[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + skinny128_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-64-192 before forking. + */ +#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 + +/** + * \brief Number of rounds of ForkSkinny-64-192 after forking. + */ +#define FORKSKINNY_64_192_ROUNDS_AFTER 23 + +/** + * \brief State information for ForkSkinny-64-192. + */ +typedef struct +{ + uint16_t TK1[4]; /**< First part of the tweakey */ + uint16_t TK2[4]; /**< Second part of the tweakey */ + uint16_t TK3[4]; /**< Third part of the tweakey */ + uint16_t S[4]; /**< Current block state */ + +} forkskinny_64_192_state_t; + +/** + * \brief Applies one round of ForkSkinny-64-192. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + * + * Note: The cells of each row are order in big-endian nibble order + * so it is easiest to manage the rows in bit-endian byte order. + */ +static void forkskinny_64_192_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny64_sbox(s0); + skinny64_sbox(s1); + skinny64_sbox(s2); + skinny64_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Shift the cells in the rows right */ + s1 = rightRotate4_16(s1); + s2 = rightRotate8_16(s2); + s3 = rightRotate12_16(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_permute_tk(state->TK1); + skinny64_permute_tk(state->TK2); + skinny64_permute_tk(state->TK3); + skinny64_LFSR2(state->TK2[0]); + skinny64_LFSR2(state->TK2[1]); + skinny64_LFSR3(state->TK3[0]); + skinny64_LFSR3(state->TK3[1]); +} + +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { + forkskinny_64_192_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint16_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x1249U; /* Branching constant */ + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-64-192 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_64_192_inv_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_inv_LFSR2(state->TK2[0]); + skinny64_inv_LFSR2(state->TK2[1]); + skinny64_inv_LFSR3(state->TK3[0]); + skinny64_inv_LFSR3(state->TK3[1]); + skinny64_inv_permute_tk(state->TK1); + skinny64_inv_permute_tk(state->TK2); + skinny64_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left */ + s1 = leftRotate4_16(s1); + s2 = leftRotate8_16(s2); + s3 = leftRotate12_16(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny64_inv_sbox(s0); + skinny64_inv_sbox(s1); + skinny64_inv_sbox(s2); + skinny64_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + forkskinny_64_192_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + skinny64_permute_tk(state.TK1); + skinny64_permute_tk(state.TK2); + skinny64_permute_tk(state.TK3); + skinny64_LFSR2(state.TK2[0]); + skinny64_LFSR2(state.TK2[1]); + skinny64_LFSR3(state.TK3[0]); + skinny64_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); + round > (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x1249U; + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { + skinny64_inv_LFSR2(state.TK2[0]); + skinny64_inv_LFSR2(state.TK2[1]); + skinny64_inv_LFSR3(state.TK3[0]); + skinny64_inv_LFSR3(state.TK3[1]); + skinny64_inv_permute_tk(state.TK1); + skinny64_inv_permute_tk(state.TK2); + skinny64_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&fstate, round); + } + be_store_word16(output_right, fstate.S[0]); + be_store_word16(output_right + 2, fstate.S[1]); + be_store_word16(output_right + 4, fstate.S[2]); + be_store_word16(output_right + 6, fstate.S[3]); +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.h new file mode 100644 index 0000000..0c1a707 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-forkskinny.h @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_FORKSKINNY_H +#define LW_INTERNAL_FORKSKINNY_H + +/** + * \file internal-forkskinny.h + * \brief ForkSkinny block cipher family. + * + * ForkSkinny is a modified version of the SKINNY block cipher that + * supports "forking": half-way through the rounds the cipher is + * forked in two different directions to produce two different outputs. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-192 also uses this function with a padded tweakey. + */ +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-288 also uses this function with a padded tweakey. + */ +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of input with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left First output block, or NULL if left is not required. + * \param output_right Second output block, or NULL if right is not required. + * \param input 64-bit input block. + */ +/** + * \brief Encrypts a block of plaintext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 64-bit input plaintext block. + */ +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 64-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-skinnyutil.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/api.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/api.h new file mode 100644 index 0000000..6c701b5 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 14 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/encrypt.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/encrypt.c new file mode 100644 index 0000000..be76f9b --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "forkae.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_paef_128_256_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_paef_128_256_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.c new file mode 100644 index 0000000..4a9671a --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "forkae.h" +#include "internal-forkskinny.h" +#include "internal-util.h" +#include + +aead_cipher_t const forkae_paef_64_192_cipher = { + "PAEF-ForkSkinny-64-192", + FORKAE_PAEF_64_192_KEY_SIZE, + FORKAE_PAEF_64_192_NONCE_SIZE, + FORKAE_PAEF_64_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_64_192_aead_encrypt, + forkae_paef_64_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_192_cipher = { + "PAEF-ForkSkinny-128-192", + FORKAE_PAEF_128_192_KEY_SIZE, + FORKAE_PAEF_128_192_NONCE_SIZE, + FORKAE_PAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_192_aead_encrypt, + forkae_paef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_256_cipher = { + "PAEF-ForkSkinny-128-256", + FORKAE_PAEF_128_256_KEY_SIZE, + FORKAE_PAEF_128_256_NONCE_SIZE, + FORKAE_PAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_256_aead_encrypt, + forkae_paef_128_256_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_288_cipher = { + "PAEF-ForkSkinny-128-288", + FORKAE_PAEF_128_288_KEY_SIZE, + FORKAE_PAEF_128_288_NONCE_SIZE, + FORKAE_PAEF_128_288_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_288_aead_encrypt, + forkae_paef_128_288_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_192_cipher = { + "SAEF-ForkSkinny-128-192", + FORKAE_SAEF_128_192_KEY_SIZE, + FORKAE_SAEF_128_192_NONCE_SIZE, + FORKAE_SAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_192_aead_encrypt, + forkae_saef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_256_cipher = { + "SAEF-ForkSkinny-128-256", + FORKAE_SAEF_128_256_KEY_SIZE, + FORKAE_SAEF_128_256_NONCE_SIZE, + FORKAE_SAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_256_aead_encrypt, + forkae_saef_128_256_aead_decrypt +}; + +/* PAEF-ForkSkinny-64-192 */ +#define FORKAE_ALG_NAME forkae_paef_64_192 +#define FORKAE_BLOCK_SIZE 8 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_64_192 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_paef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_paef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-288 */ +#define FORKAE_ALG_NAME forkae_paef_128_288 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 7 +#define FORKAE_TWEAKEY_SIZE 48 +#define FORKAE_BLOCK_FUNC forkskinny_128_384 +#include "internal-forkae-paef.h" + +/* SAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_saef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" + +/* SAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_saef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.h new file mode 100644 index 0000000..3e27b50 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/forkae.h @@ -0,0 +1,551 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_FORKAE_H +#define LWCRYPTO_FORKAE_H + +#include "aead-common.h" + +/** + * \file forkae.h + * \brief ForkAE authenticated encryption algorithm family. + * + * ForkAE is a family of authenticated encryption algorithms based on a + * modified version of the SKINNY tweakable block cipher. The modifications + * introduce "forking" where each input block produces two output blocks + * for use in encryption and authentication. There are six members in + * the ForkAE family: + * + * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a + * 64-bit authentication tag. The associated data and plaintext are + * limited to 216 bytes. + * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 257 bytes. This is the primary member of the family. + * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * + * The PAEF variants support parallel encryption and decryption for + * higher throughput. The SAEF variants encrypt or decrypt blocks + * sequentially. + * + * ForkAE is designed to be efficient on small packet sizes so most of + * the PAEF algorithms have a limit of 64k or 128k on the amount of + * payload in a single packet. Obviously the input can be split into + * separate packets for larger amounts of data. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_TAG_SIZE 8 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_NONCE_SIZE 14 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_NONCE_SIZE 13 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_NONCE_SIZE 7 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_NONCE_SIZE 15 + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. + */ +extern aead_cipher_t const forkae_paef_64_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_paef_128_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_paef_128_256_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. + */ +extern aead_cipher_t const forkae_paef_128_288_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_saef_128_192_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_saef_128_256_cipher; + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_64_192_aead_decrypt() + */ +int forkae_paef_64_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_64_192_aead_encrypt() + */ +int forkae_paef_64_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_192_aead_decrypt() + */ +int forkae_paef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_192_aead_encrypt() + */ +int forkae_paef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_256_aead_decrypt() + */ +int forkae_paef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_256_aead_encrypt() + */ +int forkae_paef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_288_aead_decrypt() + */ +int forkae_paef_128_288_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_288_aead_encrypt() + */ +int forkae_paef_128_288_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_192_aead_decrypt() + */ +int forkae_saef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_192_aead_encrypt() + */ +int forkae_saef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_256_aead_decrypt() + */ +int forkae_saef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_256_aead_encrypt() + */ +int forkae_saef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-paef.h new file mode 100644 index 0000000..6f57b2b --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-paef.h @@ -0,0 +1,273 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE PAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Limit on the amount of data we can process based on the counter size */ +#define FORKAE_PAEF_DATA_LIMIT \ + ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \ + (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE) + +/* Processes the associated data in PAEF mode */ +STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter) + (unsigned char tweakey[FORKAE_TWEAKEY_SIZE], + unsigned long long counter, unsigned char domain) +{ + unsigned posn; + counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3)); + for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) { + tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] = + (unsigned char)counter; + counter >>= 8; + } +} + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned long long counter; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + counter = 1; + while (mlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, m, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned long long counter; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + counter = 1; + while (clen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag)); + } else { + unsigned temp = (unsigned)clen; + unsigned char block2[FORKAE_BLOCK_SIZE]; + int check; + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, block2, block, block2); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (block2 + temp, FORKAE_BLOCK_SIZE - temp); + memcpy(m, block2, temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE PAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT +#undef FORKAE_PAEF_DATA_LIMIT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-saef.h new file mode 100644 index 0000000..768bba4 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkae-saef.h @@ -0,0 +1,251 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE SAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || mlen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (mlen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + while (mlen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, tag, FORKAE_BLOCK_SIZE); + lw_xor_block(block, m, temp); + block[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || clen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (clen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + while (clen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)clen; + unsigned char mblock[FORKAE_BLOCK_SIZE]; + int check; + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, mblock, block, block); + lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE); + memcpy(m, mblock, temp); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (mblock + temp, FORKAE_BLOCK_SIZE - temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE SAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_TWEAKEY_REDUCED_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.c new file mode 100644 index 0000000..b050ff1 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.c @@ -0,0 +1,988 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-forkskinny.h" +#include "internal-skinnyutil.h" + +/** + * \brief 7-bit round constants for all ForkSkinny block ciphers. + */ +static unsigned char const RC[87] = { + 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d, + 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73, + 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57, + 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d, + 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53, + 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15, + 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02, + 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71, + 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b, + 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25, + 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10 +}; + +/** + * \brief Number of rounds of ForkSkinny-128-256 before forking. + */ +#define FORKSKINNY_128_256_ROUNDS_BEFORE 21 + +/** + * \brief Number of rounds of ForkSkinny-128-256 after forking. + */ +#define FORKSKINNY_128_256_ROUNDS_AFTER 27 + +/** + * \brief State information for ForkSkinny-128-256. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_256_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-256. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); +} + +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) { + forkskinny_128_256_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-256 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_inv_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + forkskinny_128_256_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-128-384 before forking. + */ +#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 + +/** + * \brief Number of rounds of ForkSkinny-128-384 after forking. + */ +#define FORKSKINNY_128_384_ROUNDS_AFTER 31 + +/** + * \brief State information for ForkSkinny-128-384. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t TK3[4]; /**< Third part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_384_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-384. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_permute_tk(state->TK3); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); + skinny128_LFSR3(state->TK3[0]); + skinny128_LFSR3(state->TK3[1]); +} + +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { + forkskinny_128_384_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-384 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_inv_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_LFSR3(state->TK3[0]); + skinny128_inv_LFSR3(state->TK3[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + skinny128_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + forkskinny_128_384_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_permute_tk(state.TK3); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + skinny128_LFSR3(state.TK3[0]); + skinny128_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_LFSR3(state.TK3[0]); + skinny128_inv_LFSR3(state.TK3[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + skinny128_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-64-192 before forking. + */ +#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 + +/** + * \brief Number of rounds of ForkSkinny-64-192 after forking. + */ +#define FORKSKINNY_64_192_ROUNDS_AFTER 23 + +/** + * \brief State information for ForkSkinny-64-192. + */ +typedef struct +{ + uint16_t TK1[4]; /**< First part of the tweakey */ + uint16_t TK2[4]; /**< Second part of the tweakey */ + uint16_t TK3[4]; /**< Third part of the tweakey */ + uint16_t S[4]; /**< Current block state */ + +} forkskinny_64_192_state_t; + +/** + * \brief Applies one round of ForkSkinny-64-192. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + * + * Note: The cells of each row are order in big-endian nibble order + * so it is easiest to manage the rows in bit-endian byte order. + */ +static void forkskinny_64_192_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny64_sbox(s0); + skinny64_sbox(s1); + skinny64_sbox(s2); + skinny64_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Shift the cells in the rows right */ + s1 = rightRotate4_16(s1); + s2 = rightRotate8_16(s2); + s3 = rightRotate12_16(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_permute_tk(state->TK1); + skinny64_permute_tk(state->TK2); + skinny64_permute_tk(state->TK3); + skinny64_LFSR2(state->TK2[0]); + skinny64_LFSR2(state->TK2[1]); + skinny64_LFSR3(state->TK3[0]); + skinny64_LFSR3(state->TK3[1]); +} + +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { + forkskinny_64_192_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint16_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x1249U; /* Branching constant */ + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-64-192 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_64_192_inv_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_inv_LFSR2(state->TK2[0]); + skinny64_inv_LFSR2(state->TK2[1]); + skinny64_inv_LFSR3(state->TK3[0]); + skinny64_inv_LFSR3(state->TK3[1]); + skinny64_inv_permute_tk(state->TK1); + skinny64_inv_permute_tk(state->TK2); + skinny64_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left */ + s1 = leftRotate4_16(s1); + s2 = leftRotate8_16(s2); + s3 = leftRotate12_16(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny64_inv_sbox(s0); + skinny64_inv_sbox(s1); + skinny64_inv_sbox(s2); + skinny64_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + forkskinny_64_192_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + skinny64_permute_tk(state.TK1); + skinny64_permute_tk(state.TK2); + skinny64_permute_tk(state.TK3); + skinny64_LFSR2(state.TK2[0]); + skinny64_LFSR2(state.TK2[1]); + skinny64_LFSR3(state.TK3[0]); + skinny64_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); + round > (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x1249U; + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { + skinny64_inv_LFSR2(state.TK2[0]); + skinny64_inv_LFSR2(state.TK2[1]); + skinny64_inv_LFSR3(state.TK3[0]); + skinny64_inv_LFSR3(state.TK3[1]); + skinny64_inv_permute_tk(state.TK1); + skinny64_inv_permute_tk(state.TK2); + skinny64_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&fstate, round); + } + be_store_word16(output_right, fstate.S[0]); + be_store_word16(output_right + 2, fstate.S[1]); + be_store_word16(output_right + 4, fstate.S[2]); + be_store_word16(output_right + 6, fstate.S[3]); +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.h new file mode 100644 index 0000000..0c1a707 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-forkskinny.h @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_FORKSKINNY_H +#define LW_INTERNAL_FORKSKINNY_H + +/** + * \file internal-forkskinny.h + * \brief ForkSkinny block cipher family. + * + * ForkSkinny is a modified version of the SKINNY block cipher that + * supports "forking": half-way through the rounds the cipher is + * forked in two different directions to produce two different outputs. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-192 also uses this function with a padded tweakey. + */ +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-288 also uses this function with a padded tweakey. + */ +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of input with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left First output block, or NULL if left is not required. + * \param output_right Second output block, or NULL if right is not required. + * \param input 64-bit input block. + */ +/** + * \brief Encrypts a block of plaintext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 64-bit input plaintext block. + */ +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 64-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-skinnyutil.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/api.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/api.h new file mode 100644 index 0000000..500c2c7 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 13 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/encrypt.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/encrypt.c new file mode 100644 index 0000000..b23be7f --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "forkae.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_paef_128_288_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_paef_128_288_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.c new file mode 100644 index 0000000..4a9671a --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "forkae.h" +#include "internal-forkskinny.h" +#include "internal-util.h" +#include + +aead_cipher_t const forkae_paef_64_192_cipher = { + "PAEF-ForkSkinny-64-192", + FORKAE_PAEF_64_192_KEY_SIZE, + FORKAE_PAEF_64_192_NONCE_SIZE, + FORKAE_PAEF_64_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_64_192_aead_encrypt, + forkae_paef_64_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_192_cipher = { + "PAEF-ForkSkinny-128-192", + FORKAE_PAEF_128_192_KEY_SIZE, + FORKAE_PAEF_128_192_NONCE_SIZE, + FORKAE_PAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_192_aead_encrypt, + forkae_paef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_256_cipher = { + "PAEF-ForkSkinny-128-256", + FORKAE_PAEF_128_256_KEY_SIZE, + FORKAE_PAEF_128_256_NONCE_SIZE, + FORKAE_PAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_256_aead_encrypt, + forkae_paef_128_256_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_288_cipher = { + "PAEF-ForkSkinny-128-288", + FORKAE_PAEF_128_288_KEY_SIZE, + FORKAE_PAEF_128_288_NONCE_SIZE, + FORKAE_PAEF_128_288_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_288_aead_encrypt, + forkae_paef_128_288_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_192_cipher = { + "SAEF-ForkSkinny-128-192", + FORKAE_SAEF_128_192_KEY_SIZE, + FORKAE_SAEF_128_192_NONCE_SIZE, + FORKAE_SAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_192_aead_encrypt, + forkae_saef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_256_cipher = { + "SAEF-ForkSkinny-128-256", + FORKAE_SAEF_128_256_KEY_SIZE, + FORKAE_SAEF_128_256_NONCE_SIZE, + FORKAE_SAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_256_aead_encrypt, + forkae_saef_128_256_aead_decrypt +}; + +/* PAEF-ForkSkinny-64-192 */ +#define FORKAE_ALG_NAME forkae_paef_64_192 +#define FORKAE_BLOCK_SIZE 8 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_64_192 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_paef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_paef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-288 */ +#define FORKAE_ALG_NAME forkae_paef_128_288 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 7 +#define FORKAE_TWEAKEY_SIZE 48 +#define FORKAE_BLOCK_FUNC forkskinny_128_384 +#include "internal-forkae-paef.h" + +/* SAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_saef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" + +/* SAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_saef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.h new file mode 100644 index 0000000..3e27b50 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/forkae.h @@ -0,0 +1,551 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_FORKAE_H +#define LWCRYPTO_FORKAE_H + +#include "aead-common.h" + +/** + * \file forkae.h + * \brief ForkAE authenticated encryption algorithm family. + * + * ForkAE is a family of authenticated encryption algorithms based on a + * modified version of the SKINNY tweakable block cipher. The modifications + * introduce "forking" where each input block produces two output blocks + * for use in encryption and authentication. There are six members in + * the ForkAE family: + * + * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a + * 64-bit authentication tag. The associated data and plaintext are + * limited to 216 bytes. + * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 257 bytes. This is the primary member of the family. + * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * + * The PAEF variants support parallel encryption and decryption for + * higher throughput. The SAEF variants encrypt or decrypt blocks + * sequentially. + * + * ForkAE is designed to be efficient on small packet sizes so most of + * the PAEF algorithms have a limit of 64k or 128k on the amount of + * payload in a single packet. Obviously the input can be split into + * separate packets for larger amounts of data. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_TAG_SIZE 8 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_NONCE_SIZE 14 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_NONCE_SIZE 13 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_NONCE_SIZE 7 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_NONCE_SIZE 15 + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. + */ +extern aead_cipher_t const forkae_paef_64_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_paef_128_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_paef_128_256_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. + */ +extern aead_cipher_t const forkae_paef_128_288_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_saef_128_192_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_saef_128_256_cipher; + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_64_192_aead_decrypt() + */ +int forkae_paef_64_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_64_192_aead_encrypt() + */ +int forkae_paef_64_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_192_aead_decrypt() + */ +int forkae_paef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_192_aead_encrypt() + */ +int forkae_paef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_256_aead_decrypt() + */ +int forkae_paef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_256_aead_encrypt() + */ +int forkae_paef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_288_aead_decrypt() + */ +int forkae_paef_128_288_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_288_aead_encrypt() + */ +int forkae_paef_128_288_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_192_aead_decrypt() + */ +int forkae_saef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_192_aead_encrypt() + */ +int forkae_saef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_256_aead_decrypt() + */ +int forkae_saef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_256_aead_encrypt() + */ +int forkae_saef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-paef.h new file mode 100644 index 0000000..6f57b2b --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-paef.h @@ -0,0 +1,273 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE PAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Limit on the amount of data we can process based on the counter size */ +#define FORKAE_PAEF_DATA_LIMIT \ + ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \ + (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE) + +/* Processes the associated data in PAEF mode */ +STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter) + (unsigned char tweakey[FORKAE_TWEAKEY_SIZE], + unsigned long long counter, unsigned char domain) +{ + unsigned posn; + counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3)); + for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) { + tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] = + (unsigned char)counter; + counter >>= 8; + } +} + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned long long counter; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + counter = 1; + while (mlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, m, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned long long counter; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + counter = 1; + while (clen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag)); + } else { + unsigned temp = (unsigned)clen; + unsigned char block2[FORKAE_BLOCK_SIZE]; + int check; + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, block2, block, block2); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (block2 + temp, FORKAE_BLOCK_SIZE - temp); + memcpy(m, block2, temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE PAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT +#undef FORKAE_PAEF_DATA_LIMIT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-saef.h new file mode 100644 index 0000000..768bba4 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkae-saef.h @@ -0,0 +1,251 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE SAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || mlen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (mlen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + while (mlen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, tag, FORKAE_BLOCK_SIZE); + lw_xor_block(block, m, temp); + block[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || clen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (clen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + while (clen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)clen; + unsigned char mblock[FORKAE_BLOCK_SIZE]; + int check; + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, mblock, block, block); + lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE); + memcpy(m, mblock, temp); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (mblock + temp, FORKAE_BLOCK_SIZE - temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE SAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_TWEAKEY_REDUCED_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.c new file mode 100644 index 0000000..b050ff1 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.c @@ -0,0 +1,988 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-forkskinny.h" +#include "internal-skinnyutil.h" + +/** + * \brief 7-bit round constants for all ForkSkinny block ciphers. + */ +static unsigned char const RC[87] = { + 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d, + 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73, + 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57, + 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d, + 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53, + 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15, + 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02, + 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71, + 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b, + 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25, + 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10 +}; + +/** + * \brief Number of rounds of ForkSkinny-128-256 before forking. + */ +#define FORKSKINNY_128_256_ROUNDS_BEFORE 21 + +/** + * \brief Number of rounds of ForkSkinny-128-256 after forking. + */ +#define FORKSKINNY_128_256_ROUNDS_AFTER 27 + +/** + * \brief State information for ForkSkinny-128-256. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_256_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-256. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); +} + +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) { + forkskinny_128_256_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-256 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_inv_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + forkskinny_128_256_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-128-384 before forking. + */ +#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 + +/** + * \brief Number of rounds of ForkSkinny-128-384 after forking. + */ +#define FORKSKINNY_128_384_ROUNDS_AFTER 31 + +/** + * \brief State information for ForkSkinny-128-384. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t TK3[4]; /**< Third part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_384_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-384. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_permute_tk(state->TK3); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); + skinny128_LFSR3(state->TK3[0]); + skinny128_LFSR3(state->TK3[1]); +} + +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { + forkskinny_128_384_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-384 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_inv_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_LFSR3(state->TK3[0]); + skinny128_inv_LFSR3(state->TK3[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + skinny128_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + forkskinny_128_384_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_permute_tk(state.TK3); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + skinny128_LFSR3(state.TK3[0]); + skinny128_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_LFSR3(state.TK3[0]); + skinny128_inv_LFSR3(state.TK3[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + skinny128_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-64-192 before forking. + */ +#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 + +/** + * \brief Number of rounds of ForkSkinny-64-192 after forking. + */ +#define FORKSKINNY_64_192_ROUNDS_AFTER 23 + +/** + * \brief State information for ForkSkinny-64-192. + */ +typedef struct +{ + uint16_t TK1[4]; /**< First part of the tweakey */ + uint16_t TK2[4]; /**< Second part of the tweakey */ + uint16_t TK3[4]; /**< Third part of the tweakey */ + uint16_t S[4]; /**< Current block state */ + +} forkskinny_64_192_state_t; + +/** + * \brief Applies one round of ForkSkinny-64-192. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + * + * Note: The cells of each row are order in big-endian nibble order + * so it is easiest to manage the rows in bit-endian byte order. + */ +static void forkskinny_64_192_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny64_sbox(s0); + skinny64_sbox(s1); + skinny64_sbox(s2); + skinny64_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Shift the cells in the rows right */ + s1 = rightRotate4_16(s1); + s2 = rightRotate8_16(s2); + s3 = rightRotate12_16(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_permute_tk(state->TK1); + skinny64_permute_tk(state->TK2); + skinny64_permute_tk(state->TK3); + skinny64_LFSR2(state->TK2[0]); + skinny64_LFSR2(state->TK2[1]); + skinny64_LFSR3(state->TK3[0]); + skinny64_LFSR3(state->TK3[1]); +} + +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { + forkskinny_64_192_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint16_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x1249U; /* Branching constant */ + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-64-192 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_64_192_inv_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_inv_LFSR2(state->TK2[0]); + skinny64_inv_LFSR2(state->TK2[1]); + skinny64_inv_LFSR3(state->TK3[0]); + skinny64_inv_LFSR3(state->TK3[1]); + skinny64_inv_permute_tk(state->TK1); + skinny64_inv_permute_tk(state->TK2); + skinny64_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left */ + s1 = leftRotate4_16(s1); + s2 = leftRotate8_16(s2); + s3 = leftRotate12_16(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny64_inv_sbox(s0); + skinny64_inv_sbox(s1); + skinny64_inv_sbox(s2); + skinny64_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + forkskinny_64_192_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + skinny64_permute_tk(state.TK1); + skinny64_permute_tk(state.TK2); + skinny64_permute_tk(state.TK3); + skinny64_LFSR2(state.TK2[0]); + skinny64_LFSR2(state.TK2[1]); + skinny64_LFSR3(state.TK3[0]); + skinny64_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); + round > (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x1249U; + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { + skinny64_inv_LFSR2(state.TK2[0]); + skinny64_inv_LFSR2(state.TK2[1]); + skinny64_inv_LFSR3(state.TK3[0]); + skinny64_inv_LFSR3(state.TK3[1]); + skinny64_inv_permute_tk(state.TK1); + skinny64_inv_permute_tk(state.TK2); + skinny64_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&fstate, round); + } + be_store_word16(output_right, fstate.S[0]); + be_store_word16(output_right + 2, fstate.S[1]); + be_store_word16(output_right + 4, fstate.S[2]); + be_store_word16(output_right + 6, fstate.S[3]); +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.h new file mode 100644 index 0000000..0c1a707 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-forkskinny.h @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_FORKSKINNY_H +#define LW_INTERNAL_FORKSKINNY_H + +/** + * \file internal-forkskinny.h + * \brief ForkSkinny block cipher family. + * + * ForkSkinny is a modified version of the SKINNY block cipher that + * supports "forking": half-way through the rounds the cipher is + * forked in two different directions to produce two different outputs. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-192 also uses this function with a padded tweakey. + */ +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-288 also uses this function with a padded tweakey. + */ +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of input with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left First output block, or NULL if left is not required. + * \param output_right Second output block, or NULL if right is not required. + * \param input 64-bit input block. + */ +/** + * \brief Encrypts a block of plaintext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 64-bit input plaintext block. + */ +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 64-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-skinnyutil.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.c b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/api.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/api.h new file mode 100644 index 0000000..f04cc58 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 6 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/encrypt.c b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/encrypt.c new file mode 100644 index 0000000..275b77e --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "forkae.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_paef_64_192_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_paef_64_192_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.c b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.c new file mode 100644 index 0000000..4a9671a --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "forkae.h" +#include "internal-forkskinny.h" +#include "internal-util.h" +#include + +aead_cipher_t const forkae_paef_64_192_cipher = { + "PAEF-ForkSkinny-64-192", + FORKAE_PAEF_64_192_KEY_SIZE, + FORKAE_PAEF_64_192_NONCE_SIZE, + FORKAE_PAEF_64_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_64_192_aead_encrypt, + forkae_paef_64_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_192_cipher = { + "PAEF-ForkSkinny-128-192", + FORKAE_PAEF_128_192_KEY_SIZE, + FORKAE_PAEF_128_192_NONCE_SIZE, + FORKAE_PAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_192_aead_encrypt, + forkae_paef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_256_cipher = { + "PAEF-ForkSkinny-128-256", + FORKAE_PAEF_128_256_KEY_SIZE, + FORKAE_PAEF_128_256_NONCE_SIZE, + FORKAE_PAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_256_aead_encrypt, + forkae_paef_128_256_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_288_cipher = { + "PAEF-ForkSkinny-128-288", + FORKAE_PAEF_128_288_KEY_SIZE, + FORKAE_PAEF_128_288_NONCE_SIZE, + FORKAE_PAEF_128_288_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_288_aead_encrypt, + forkae_paef_128_288_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_192_cipher = { + "SAEF-ForkSkinny-128-192", + FORKAE_SAEF_128_192_KEY_SIZE, + FORKAE_SAEF_128_192_NONCE_SIZE, + FORKAE_SAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_192_aead_encrypt, + forkae_saef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_256_cipher = { + "SAEF-ForkSkinny-128-256", + FORKAE_SAEF_128_256_KEY_SIZE, + FORKAE_SAEF_128_256_NONCE_SIZE, + FORKAE_SAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_256_aead_encrypt, + forkae_saef_128_256_aead_decrypt +}; + +/* PAEF-ForkSkinny-64-192 */ +#define FORKAE_ALG_NAME forkae_paef_64_192 +#define FORKAE_BLOCK_SIZE 8 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_64_192 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_paef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_paef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-288 */ +#define FORKAE_ALG_NAME forkae_paef_128_288 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 7 +#define FORKAE_TWEAKEY_SIZE 48 +#define FORKAE_BLOCK_FUNC forkskinny_128_384 +#include "internal-forkae-paef.h" + +/* SAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_saef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" + +/* SAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_saef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.h new file mode 100644 index 0000000..3e27b50 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/forkae.h @@ -0,0 +1,551 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_FORKAE_H +#define LWCRYPTO_FORKAE_H + +#include "aead-common.h" + +/** + * \file forkae.h + * \brief ForkAE authenticated encryption algorithm family. + * + * ForkAE is a family of authenticated encryption algorithms based on a + * modified version of the SKINNY tweakable block cipher. The modifications + * introduce "forking" where each input block produces two output blocks + * for use in encryption and authentication. There are six members in + * the ForkAE family: + * + * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a + * 64-bit authentication tag. The associated data and plaintext are + * limited to 216 bytes. + * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 257 bytes. This is the primary member of the family. + * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * + * The PAEF variants support parallel encryption and decryption for + * higher throughput. The SAEF variants encrypt or decrypt blocks + * sequentially. + * + * ForkAE is designed to be efficient on small packet sizes so most of + * the PAEF algorithms have a limit of 64k or 128k on the amount of + * payload in a single packet. Obviously the input can be split into + * separate packets for larger amounts of data. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_TAG_SIZE 8 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_NONCE_SIZE 14 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_NONCE_SIZE 13 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_NONCE_SIZE 7 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_NONCE_SIZE 15 + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. + */ +extern aead_cipher_t const forkae_paef_64_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_paef_128_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_paef_128_256_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. + */ +extern aead_cipher_t const forkae_paef_128_288_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_saef_128_192_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_saef_128_256_cipher; + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_64_192_aead_decrypt() + */ +int forkae_paef_64_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_64_192_aead_encrypt() + */ +int forkae_paef_64_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_192_aead_decrypt() + */ +int forkae_paef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_192_aead_encrypt() + */ +int forkae_paef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_256_aead_decrypt() + */ +int forkae_paef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_256_aead_encrypt() + */ +int forkae_paef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_288_aead_decrypt() + */ +int forkae_paef_128_288_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_288_aead_encrypt() + */ +int forkae_paef_128_288_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_192_aead_decrypt() + */ +int forkae_saef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_192_aead_encrypt() + */ +int forkae_saef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_256_aead_decrypt() + */ +int forkae_saef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_256_aead_encrypt() + */ +int forkae_saef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-paef.h new file mode 100644 index 0000000..6f57b2b --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-paef.h @@ -0,0 +1,273 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE PAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Limit on the amount of data we can process based on the counter size */ +#define FORKAE_PAEF_DATA_LIMIT \ + ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \ + (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE) + +/* Processes the associated data in PAEF mode */ +STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter) + (unsigned char tweakey[FORKAE_TWEAKEY_SIZE], + unsigned long long counter, unsigned char domain) +{ + unsigned posn; + counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3)); + for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) { + tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] = + (unsigned char)counter; + counter >>= 8; + } +} + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned long long counter; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + counter = 1; + while (mlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, m, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned long long counter; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + counter = 1; + while (clen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag)); + } else { + unsigned temp = (unsigned)clen; + unsigned char block2[FORKAE_BLOCK_SIZE]; + int check; + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, block2, block, block2); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (block2 + temp, FORKAE_BLOCK_SIZE - temp); + memcpy(m, block2, temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE PAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT +#undef FORKAE_PAEF_DATA_LIMIT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-saef.h new file mode 100644 index 0000000..768bba4 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkae-saef.h @@ -0,0 +1,251 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE SAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || mlen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (mlen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + while (mlen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, tag, FORKAE_BLOCK_SIZE); + lw_xor_block(block, m, temp); + block[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || clen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (clen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + while (clen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)clen; + unsigned char mblock[FORKAE_BLOCK_SIZE]; + int check; + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, mblock, block, block); + lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE); + memcpy(m, mblock, temp); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (mblock + temp, FORKAE_BLOCK_SIZE - temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE SAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_TWEAKEY_REDUCED_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.c b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.c new file mode 100644 index 0000000..b050ff1 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.c @@ -0,0 +1,988 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-forkskinny.h" +#include "internal-skinnyutil.h" + +/** + * \brief 7-bit round constants for all ForkSkinny block ciphers. + */ +static unsigned char const RC[87] = { + 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d, + 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73, + 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57, + 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d, + 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53, + 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15, + 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02, + 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71, + 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b, + 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25, + 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10 +}; + +/** + * \brief Number of rounds of ForkSkinny-128-256 before forking. + */ +#define FORKSKINNY_128_256_ROUNDS_BEFORE 21 + +/** + * \brief Number of rounds of ForkSkinny-128-256 after forking. + */ +#define FORKSKINNY_128_256_ROUNDS_AFTER 27 + +/** + * \brief State information for ForkSkinny-128-256. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_256_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-256. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); +} + +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) { + forkskinny_128_256_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-256 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_inv_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + forkskinny_128_256_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-128-384 before forking. + */ +#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 + +/** + * \brief Number of rounds of ForkSkinny-128-384 after forking. + */ +#define FORKSKINNY_128_384_ROUNDS_AFTER 31 + +/** + * \brief State information for ForkSkinny-128-384. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t TK3[4]; /**< Third part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_384_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-384. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_permute_tk(state->TK3); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); + skinny128_LFSR3(state->TK3[0]); + skinny128_LFSR3(state->TK3[1]); +} + +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { + forkskinny_128_384_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-384 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_inv_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_LFSR3(state->TK3[0]); + skinny128_inv_LFSR3(state->TK3[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + skinny128_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + forkskinny_128_384_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_permute_tk(state.TK3); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + skinny128_LFSR3(state.TK3[0]); + skinny128_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_LFSR3(state.TK3[0]); + skinny128_inv_LFSR3(state.TK3[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + skinny128_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-64-192 before forking. + */ +#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 + +/** + * \brief Number of rounds of ForkSkinny-64-192 after forking. + */ +#define FORKSKINNY_64_192_ROUNDS_AFTER 23 + +/** + * \brief State information for ForkSkinny-64-192. + */ +typedef struct +{ + uint16_t TK1[4]; /**< First part of the tweakey */ + uint16_t TK2[4]; /**< Second part of the tweakey */ + uint16_t TK3[4]; /**< Third part of the tweakey */ + uint16_t S[4]; /**< Current block state */ + +} forkskinny_64_192_state_t; + +/** + * \brief Applies one round of ForkSkinny-64-192. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + * + * Note: The cells of each row are order in big-endian nibble order + * so it is easiest to manage the rows in bit-endian byte order. + */ +static void forkskinny_64_192_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny64_sbox(s0); + skinny64_sbox(s1); + skinny64_sbox(s2); + skinny64_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Shift the cells in the rows right */ + s1 = rightRotate4_16(s1); + s2 = rightRotate8_16(s2); + s3 = rightRotate12_16(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_permute_tk(state->TK1); + skinny64_permute_tk(state->TK2); + skinny64_permute_tk(state->TK3); + skinny64_LFSR2(state->TK2[0]); + skinny64_LFSR2(state->TK2[1]); + skinny64_LFSR3(state->TK3[0]); + skinny64_LFSR3(state->TK3[1]); +} + +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { + forkskinny_64_192_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint16_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x1249U; /* Branching constant */ + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-64-192 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_64_192_inv_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_inv_LFSR2(state->TK2[0]); + skinny64_inv_LFSR2(state->TK2[1]); + skinny64_inv_LFSR3(state->TK3[0]); + skinny64_inv_LFSR3(state->TK3[1]); + skinny64_inv_permute_tk(state->TK1); + skinny64_inv_permute_tk(state->TK2); + skinny64_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left */ + s1 = leftRotate4_16(s1); + s2 = leftRotate8_16(s2); + s3 = leftRotate12_16(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny64_inv_sbox(s0); + skinny64_inv_sbox(s1); + skinny64_inv_sbox(s2); + skinny64_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + forkskinny_64_192_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + skinny64_permute_tk(state.TK1); + skinny64_permute_tk(state.TK2); + skinny64_permute_tk(state.TK3); + skinny64_LFSR2(state.TK2[0]); + skinny64_LFSR2(state.TK2[1]); + skinny64_LFSR3(state.TK3[0]); + skinny64_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); + round > (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x1249U; + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { + skinny64_inv_LFSR2(state.TK2[0]); + skinny64_inv_LFSR2(state.TK2[1]); + skinny64_inv_LFSR3(state.TK3[0]); + skinny64_inv_LFSR3(state.TK3[1]); + skinny64_inv_permute_tk(state.TK1); + skinny64_inv_permute_tk(state.TK2); + skinny64_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&fstate, round); + } + be_store_word16(output_right, fstate.S[0]); + be_store_word16(output_right + 2, fstate.S[1]); + be_store_word16(output_right + 4, fstate.S[2]); + be_store_word16(output_right + 6, fstate.S[3]); +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.h new file mode 100644 index 0000000..0c1a707 --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-forkskinny.h @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_FORKSKINNY_H +#define LW_INTERNAL_FORKSKINNY_H + +/** + * \file internal-forkskinny.h + * \brief ForkSkinny block cipher family. + * + * ForkSkinny is a modified version of the SKINNY block cipher that + * supports "forking": half-way through the rounds the cipher is + * forked in two different directions to produce two different outputs. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-192 also uses this function with a padded tweakey. + */ +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-288 also uses this function with a padded tweakey. + */ +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of input with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left First output block, or NULL if left is not required. + * \param output_right Second output block, or NULL if right is not required. + * \param input 64-bit input block. + */ +/** + * \brief Encrypts a block of plaintext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 64-bit input plaintext block. + */ +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 64-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-skinnyutil.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/api.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/api.h new file mode 100644 index 0000000..40ffe7c --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 7 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/encrypt.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/encrypt.c new file mode 100644 index 0000000..5cbb412 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "forkae.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_saef_128_192_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_saef_128_192_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.c new file mode 100644 index 0000000..4a9671a --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "forkae.h" +#include "internal-forkskinny.h" +#include "internal-util.h" +#include + +aead_cipher_t const forkae_paef_64_192_cipher = { + "PAEF-ForkSkinny-64-192", + FORKAE_PAEF_64_192_KEY_SIZE, + FORKAE_PAEF_64_192_NONCE_SIZE, + FORKAE_PAEF_64_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_64_192_aead_encrypt, + forkae_paef_64_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_192_cipher = { + "PAEF-ForkSkinny-128-192", + FORKAE_PAEF_128_192_KEY_SIZE, + FORKAE_PAEF_128_192_NONCE_SIZE, + FORKAE_PAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_192_aead_encrypt, + forkae_paef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_256_cipher = { + "PAEF-ForkSkinny-128-256", + FORKAE_PAEF_128_256_KEY_SIZE, + FORKAE_PAEF_128_256_NONCE_SIZE, + FORKAE_PAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_256_aead_encrypt, + forkae_paef_128_256_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_288_cipher = { + "PAEF-ForkSkinny-128-288", + FORKAE_PAEF_128_288_KEY_SIZE, + FORKAE_PAEF_128_288_NONCE_SIZE, + FORKAE_PAEF_128_288_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_288_aead_encrypt, + forkae_paef_128_288_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_192_cipher = { + "SAEF-ForkSkinny-128-192", + FORKAE_SAEF_128_192_KEY_SIZE, + FORKAE_SAEF_128_192_NONCE_SIZE, + FORKAE_SAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_192_aead_encrypt, + forkae_saef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_256_cipher = { + "SAEF-ForkSkinny-128-256", + FORKAE_SAEF_128_256_KEY_SIZE, + FORKAE_SAEF_128_256_NONCE_SIZE, + FORKAE_SAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_256_aead_encrypt, + forkae_saef_128_256_aead_decrypt +}; + +/* PAEF-ForkSkinny-64-192 */ +#define FORKAE_ALG_NAME forkae_paef_64_192 +#define FORKAE_BLOCK_SIZE 8 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_64_192 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_paef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_paef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-288 */ +#define FORKAE_ALG_NAME forkae_paef_128_288 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 7 +#define FORKAE_TWEAKEY_SIZE 48 +#define FORKAE_BLOCK_FUNC forkskinny_128_384 +#include "internal-forkae-paef.h" + +/* SAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_saef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" + +/* SAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_saef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.h new file mode 100644 index 0000000..3e27b50 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/forkae.h @@ -0,0 +1,551 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_FORKAE_H +#define LWCRYPTO_FORKAE_H + +#include "aead-common.h" + +/** + * \file forkae.h + * \brief ForkAE authenticated encryption algorithm family. + * + * ForkAE is a family of authenticated encryption algorithms based on a + * modified version of the SKINNY tweakable block cipher. The modifications + * introduce "forking" where each input block produces two output blocks + * for use in encryption and authentication. There are six members in + * the ForkAE family: + * + * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a + * 64-bit authentication tag. The associated data and plaintext are + * limited to 216 bytes. + * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 257 bytes. This is the primary member of the family. + * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * + * The PAEF variants support parallel encryption and decryption for + * higher throughput. The SAEF variants encrypt or decrypt blocks + * sequentially. + * + * ForkAE is designed to be efficient on small packet sizes so most of + * the PAEF algorithms have a limit of 64k or 128k on the amount of + * payload in a single packet. Obviously the input can be split into + * separate packets for larger amounts of data. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_TAG_SIZE 8 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_NONCE_SIZE 14 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_NONCE_SIZE 13 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_NONCE_SIZE 7 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_NONCE_SIZE 15 + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. + */ +extern aead_cipher_t const forkae_paef_64_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_paef_128_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_paef_128_256_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. + */ +extern aead_cipher_t const forkae_paef_128_288_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_saef_128_192_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_saef_128_256_cipher; + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_64_192_aead_decrypt() + */ +int forkae_paef_64_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_64_192_aead_encrypt() + */ +int forkae_paef_64_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_192_aead_decrypt() + */ +int forkae_paef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_192_aead_encrypt() + */ +int forkae_paef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_256_aead_decrypt() + */ +int forkae_paef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_256_aead_encrypt() + */ +int forkae_paef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_288_aead_decrypt() + */ +int forkae_paef_128_288_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_288_aead_encrypt() + */ +int forkae_paef_128_288_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_192_aead_decrypt() + */ +int forkae_saef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_192_aead_encrypt() + */ +int forkae_saef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_256_aead_decrypt() + */ +int forkae_saef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_256_aead_encrypt() + */ +int forkae_saef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-paef.h new file mode 100644 index 0000000..6f57b2b --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-paef.h @@ -0,0 +1,273 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE PAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Limit on the amount of data we can process based on the counter size */ +#define FORKAE_PAEF_DATA_LIMIT \ + ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \ + (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE) + +/* Processes the associated data in PAEF mode */ +STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter) + (unsigned char tweakey[FORKAE_TWEAKEY_SIZE], + unsigned long long counter, unsigned char domain) +{ + unsigned posn; + counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3)); + for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) { + tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] = + (unsigned char)counter; + counter >>= 8; + } +} + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned long long counter; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + counter = 1; + while (mlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, m, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned long long counter; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + counter = 1; + while (clen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag)); + } else { + unsigned temp = (unsigned)clen; + unsigned char block2[FORKAE_BLOCK_SIZE]; + int check; + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, block2, block, block2); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (block2 + temp, FORKAE_BLOCK_SIZE - temp); + memcpy(m, block2, temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE PAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT +#undef FORKAE_PAEF_DATA_LIMIT diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-saef.h new file mode 100644 index 0000000..768bba4 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkae-saef.h @@ -0,0 +1,251 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE SAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || mlen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (mlen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + while (mlen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, tag, FORKAE_BLOCK_SIZE); + lw_xor_block(block, m, temp); + block[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || clen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (clen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + while (clen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)clen; + unsigned char mblock[FORKAE_BLOCK_SIZE]; + int check; + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, mblock, block, block); + lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE); + memcpy(m, mblock, temp); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (mblock + temp, FORKAE_BLOCK_SIZE - temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE SAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_TWEAKEY_REDUCED_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.c new file mode 100644 index 0000000..b050ff1 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.c @@ -0,0 +1,988 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-forkskinny.h" +#include "internal-skinnyutil.h" + +/** + * \brief 7-bit round constants for all ForkSkinny block ciphers. + */ +static unsigned char const RC[87] = { + 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d, + 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73, + 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57, + 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d, + 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53, + 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15, + 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02, + 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71, + 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b, + 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25, + 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10 +}; + +/** + * \brief Number of rounds of ForkSkinny-128-256 before forking. + */ +#define FORKSKINNY_128_256_ROUNDS_BEFORE 21 + +/** + * \brief Number of rounds of ForkSkinny-128-256 after forking. + */ +#define FORKSKINNY_128_256_ROUNDS_AFTER 27 + +/** + * \brief State information for ForkSkinny-128-256. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_256_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-256. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); +} + +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) { + forkskinny_128_256_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-256 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_inv_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + forkskinny_128_256_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-128-384 before forking. + */ +#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 + +/** + * \brief Number of rounds of ForkSkinny-128-384 after forking. + */ +#define FORKSKINNY_128_384_ROUNDS_AFTER 31 + +/** + * \brief State information for ForkSkinny-128-384. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t TK3[4]; /**< Third part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_384_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-384. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_permute_tk(state->TK3); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); + skinny128_LFSR3(state->TK3[0]); + skinny128_LFSR3(state->TK3[1]); +} + +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { + forkskinny_128_384_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-384 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_inv_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_LFSR3(state->TK3[0]); + skinny128_inv_LFSR3(state->TK3[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + skinny128_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + forkskinny_128_384_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_permute_tk(state.TK3); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + skinny128_LFSR3(state.TK3[0]); + skinny128_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_LFSR3(state.TK3[0]); + skinny128_inv_LFSR3(state.TK3[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + skinny128_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-64-192 before forking. + */ +#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 + +/** + * \brief Number of rounds of ForkSkinny-64-192 after forking. + */ +#define FORKSKINNY_64_192_ROUNDS_AFTER 23 + +/** + * \brief State information for ForkSkinny-64-192. + */ +typedef struct +{ + uint16_t TK1[4]; /**< First part of the tweakey */ + uint16_t TK2[4]; /**< Second part of the tweakey */ + uint16_t TK3[4]; /**< Third part of the tweakey */ + uint16_t S[4]; /**< Current block state */ + +} forkskinny_64_192_state_t; + +/** + * \brief Applies one round of ForkSkinny-64-192. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + * + * Note: The cells of each row are order in big-endian nibble order + * so it is easiest to manage the rows in bit-endian byte order. + */ +static void forkskinny_64_192_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny64_sbox(s0); + skinny64_sbox(s1); + skinny64_sbox(s2); + skinny64_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Shift the cells in the rows right */ + s1 = rightRotate4_16(s1); + s2 = rightRotate8_16(s2); + s3 = rightRotate12_16(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_permute_tk(state->TK1); + skinny64_permute_tk(state->TK2); + skinny64_permute_tk(state->TK3); + skinny64_LFSR2(state->TK2[0]); + skinny64_LFSR2(state->TK2[1]); + skinny64_LFSR3(state->TK3[0]); + skinny64_LFSR3(state->TK3[1]); +} + +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { + forkskinny_64_192_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint16_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x1249U; /* Branching constant */ + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-64-192 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_64_192_inv_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_inv_LFSR2(state->TK2[0]); + skinny64_inv_LFSR2(state->TK2[1]); + skinny64_inv_LFSR3(state->TK3[0]); + skinny64_inv_LFSR3(state->TK3[1]); + skinny64_inv_permute_tk(state->TK1); + skinny64_inv_permute_tk(state->TK2); + skinny64_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left */ + s1 = leftRotate4_16(s1); + s2 = leftRotate8_16(s2); + s3 = leftRotate12_16(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny64_inv_sbox(s0); + skinny64_inv_sbox(s1); + skinny64_inv_sbox(s2); + skinny64_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + forkskinny_64_192_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + skinny64_permute_tk(state.TK1); + skinny64_permute_tk(state.TK2); + skinny64_permute_tk(state.TK3); + skinny64_LFSR2(state.TK2[0]); + skinny64_LFSR2(state.TK2[1]); + skinny64_LFSR3(state.TK3[0]); + skinny64_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); + round > (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x1249U; + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { + skinny64_inv_LFSR2(state.TK2[0]); + skinny64_inv_LFSR2(state.TK2[1]); + skinny64_inv_LFSR3(state.TK3[0]); + skinny64_inv_LFSR3(state.TK3[1]); + skinny64_inv_permute_tk(state.TK1); + skinny64_inv_permute_tk(state.TK2); + skinny64_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&fstate, round); + } + be_store_word16(output_right, fstate.S[0]); + be_store_word16(output_right + 2, fstate.S[1]); + be_store_word16(output_right + 4, fstate.S[2]); + be_store_word16(output_right + 6, fstate.S[3]); +} diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.h new file mode 100644 index 0000000..0c1a707 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-forkskinny.h @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_FORKSKINNY_H +#define LW_INTERNAL_FORKSKINNY_H + +/** + * \file internal-forkskinny.h + * \brief ForkSkinny block cipher family. + * + * ForkSkinny is a modified version of the SKINNY block cipher that + * supports "forking": half-way through the rounds the cipher is + * forked in two different directions to produce two different outputs. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-192 also uses this function with a padded tweakey. + */ +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-288 also uses this function with a padded tweakey. + */ +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of input with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left First output block, or NULL if left is not required. + * \param output_right Second output block, or NULL if right is not required. + * \param input 64-bit input block. + */ +/** + * \brief Encrypts a block of plaintext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 64-bit input plaintext block. + */ +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 64-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-skinnyutil.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/api.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/api.h new file mode 100644 index 0000000..86e276c --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 15 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/encrypt.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/encrypt.c new file mode 100644 index 0000000..7d59b31 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "forkae.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_saef_128_256_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return forkae_saef_128_256_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.c new file mode 100644 index 0000000..4a9671a --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "forkae.h" +#include "internal-forkskinny.h" +#include "internal-util.h" +#include + +aead_cipher_t const forkae_paef_64_192_cipher = { + "PAEF-ForkSkinny-64-192", + FORKAE_PAEF_64_192_KEY_SIZE, + FORKAE_PAEF_64_192_NONCE_SIZE, + FORKAE_PAEF_64_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_64_192_aead_encrypt, + forkae_paef_64_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_192_cipher = { + "PAEF-ForkSkinny-128-192", + FORKAE_PAEF_128_192_KEY_SIZE, + FORKAE_PAEF_128_192_NONCE_SIZE, + FORKAE_PAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_192_aead_encrypt, + forkae_paef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_256_cipher = { + "PAEF-ForkSkinny-128-256", + FORKAE_PAEF_128_256_KEY_SIZE, + FORKAE_PAEF_128_256_NONCE_SIZE, + FORKAE_PAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_256_aead_encrypt, + forkae_paef_128_256_aead_decrypt +}; + +aead_cipher_t const forkae_paef_128_288_cipher = { + "PAEF-ForkSkinny-128-288", + FORKAE_PAEF_128_288_KEY_SIZE, + FORKAE_PAEF_128_288_NONCE_SIZE, + FORKAE_PAEF_128_288_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_paef_128_288_aead_encrypt, + forkae_paef_128_288_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_192_cipher = { + "SAEF-ForkSkinny-128-192", + FORKAE_SAEF_128_192_KEY_SIZE, + FORKAE_SAEF_128_192_NONCE_SIZE, + FORKAE_SAEF_128_192_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_192_aead_encrypt, + forkae_saef_128_192_aead_decrypt +}; + +aead_cipher_t const forkae_saef_128_256_cipher = { + "SAEF-ForkSkinny-128-256", + FORKAE_SAEF_128_256_KEY_SIZE, + FORKAE_SAEF_128_256_NONCE_SIZE, + FORKAE_SAEF_128_256_TAG_SIZE, + AEAD_FLAG_NONE, + forkae_saef_128_256_aead_encrypt, + forkae_saef_128_256_aead_decrypt +}; + +/* PAEF-ForkSkinny-64-192 */ +#define FORKAE_ALG_NAME forkae_paef_64_192 +#define FORKAE_BLOCK_SIZE 8 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_64_192 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_paef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_paef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 2 +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-paef.h" + +/* PAEF-ForkSkinny-128-288 */ +#define FORKAE_ALG_NAME forkae_paef_128_288 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE +#define FORKAE_COUNTER_SIZE 7 +#define FORKAE_TWEAKEY_SIZE 48 +#define FORKAE_BLOCK_FUNC forkskinny_128_384 +#include "internal-forkae-paef.h" + +/* SAEF-ForkSkinny-128-192 */ +#define FORKAE_ALG_NAME forkae_saef_128_192 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 24 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" + +/* SAEF-ForkSkinny-128-256 */ +#define FORKAE_ALG_NAME forkae_saef_128_256 +#define FORKAE_BLOCK_SIZE 16 +#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE +#define FORKAE_TWEAKEY_SIZE 32 +#define FORKAE_TWEAKEY_REDUCED_SIZE 32 +#define FORKAE_BLOCK_FUNC forkskinny_128_256 +#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.h new file mode 100644 index 0000000..3e27b50 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/forkae.h @@ -0,0 +1,551 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_FORKAE_H +#define LWCRYPTO_FORKAE_H + +#include "aead-common.h" + +/** + * \file forkae.h + * \brief ForkAE authenticated encryption algorithm family. + * + * ForkAE is a family of authenticated encryption algorithms based on a + * modified version of the SKINNY tweakable block cipher. The modifications + * introduce "forking" where each input block produces two output blocks + * for use in encryption and authentication. There are six members in + * the ForkAE family: + * + * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a + * 64-bit authentication tag. The associated data and plaintext are + * limited to 216 bytes. + * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 217 bytes. + * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext are + * limited to 257 bytes. This is the primary member of the family. + * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a + * 128-bit authentication tag. The associated data and plaintext may be + * unlimited in size. + * + * The PAEF variants support parallel encryption and decryption for + * higher throughput. The SAEF variants encrypt or decrypt blocks + * sequentially. + * + * ForkAE is designed to be efficient on small packet sizes so most of + * the PAEF algorithms have a limit of 64k or 128k on the amount of + * payload in a single packet. Obviously the input can be split into + * separate packets for larger amounts of data. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_TAG_SIZE 8 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-64-192. + */ +#define FORKAE_PAEF_64_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-192. + */ +#define FORKAE_PAEF_128_192_NONCE_SIZE 6 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-256. + */ +#define FORKAE_PAEF_128_256_NONCE_SIZE 14 + +/** + * \brief Size of the key for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PAEF-ForkSkinny-128-288. + */ +#define FORKAE_PAEF_128_288_NONCE_SIZE 13 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-192. + */ +#define FORKAE_SAEF_128_192_NONCE_SIZE 7 + +/** + * \brief Size of the key for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SAEF-ForkSkinny-128-256. + */ +#define FORKAE_SAEF_128_256_NONCE_SIZE 15 + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. + */ +extern aead_cipher_t const forkae_paef_64_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_paef_128_192_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_paef_128_256_cipher; + +/** + * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. + */ +extern aead_cipher_t const forkae_paef_128_288_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. + */ +extern aead_cipher_t const forkae_saef_128_192_cipher; + +/** + * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. + */ +extern aead_cipher_t const forkae_saef_128_256_cipher; + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_64_192_aead_decrypt() + */ +int forkae_paef_64_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_64_192_aead_encrypt() + */ +int forkae_paef_64_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_192_aead_decrypt() + */ +int forkae_paef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 6 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_192_aead_encrypt() + */ +int forkae_paef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_256_aead_decrypt() + */ +int forkae_paef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 14 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_256_aead_encrypt() + */ +int forkae_paef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_paef_128_288_aead_decrypt() + */ +int forkae_paef_128_288_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 13 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_paef_128_288_aead_encrypt() + */ +int forkae_paef_128_288_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_192_aead_decrypt() + */ +int forkae_saef_128_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 7 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_192_aead_encrypt() + */ +int forkae_saef_128_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa forkae_saef_128_256_aead_decrypt() + */ +int forkae_saef_128_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 15 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa forkae_saef_128_256_aead_encrypt() + */ +int forkae_saef_128_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-paef.h new file mode 100644 index 0000000..6f57b2b --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-paef.h @@ -0,0 +1,273 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE PAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Limit on the amount of data we can process based on the counter size */ +#define FORKAE_PAEF_DATA_LIMIT \ + ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \ + (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE) + +/* Processes the associated data in PAEF mode */ +STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter) + (unsigned char tweakey[FORKAE_TWEAKEY_SIZE], + unsigned long long counter, unsigned char domain) +{ + unsigned posn; + counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3)); + for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) { + tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] = + (unsigned char)counter; + counter >>= 8; + } +} + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned long long counter; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + counter = 1; + while (mlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, m, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned long long counter; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Validate the size of the associated data and plaintext as there + * is a limit on the size of the PAEF counter field */ + if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT) + return -2; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + + /* Tag value starts at zero. We will XOR this with all of the + * intermediate tag values that are calculated for each block */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + counter = 1; + while (adlen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + ++counter; + } + if (adlen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, sizeof(block) - temp - 1); + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + counter = 1; + while (clen > FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c); + lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + ++counter; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); + lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag)); + } else { + unsigned temp = (unsigned)clen; + unsigned char block2[FORKAE_BLOCK_SIZE]; + int check; + FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); + lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, block2, block, block2); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (block2 + temp, FORKAE_BLOCK_SIZE - temp); + memcpy(m, block2, temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE PAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT +#undef FORKAE_PAEF_DATA_LIMIT diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-saef.h new file mode 100644 index 0000000..768bba4 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkae-saef.h @@ -0,0 +1,251 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ForkAE SAEF variant. + * + * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256 + * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). + * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. + * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. + * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding. + * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256 + */ +#if defined(FORKAE_ALG_NAME) + +#define FORKAE_CONCAT_INNER(name,suffix) name##suffix +#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) + +/* Check that the last block is padded correctly; -1 if ok, 0 if not */ +STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (const unsigned char *block, unsigned len) +{ + int check = block[0] ^ 0x80; + while (len > 1) { + --len; + check |= block[len]; + } + return (check - 1) >> 8; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + FORKAE_BLOCK_SIZE; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || mlen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (mlen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || mlen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then generate the tag and we are done */ + if (!mlen) { + memcpy(c, tag, sizeof(tag)); + return 0; + } + + /* Encrypt all plaintext blocks except the last */ + while (mlen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + mlen -= FORKAE_BLOCK_SIZE; + } + + /* Encrypt the last block and generate the final authentication tag */ + if (mlen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)mlen; + memcpy(block, tag, FORKAE_BLOCK_SIZE); + lw_xor_block(block, m, temp); + block[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); + lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); + memcpy(c + FORKAE_BLOCK_SIZE, block, temp); + } + return 0; +} + +int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; + unsigned char tag[FORKAE_BLOCK_SIZE]; + unsigned char block[FORKAE_BLOCK_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < FORKAE_BLOCK_SIZE) + return -1; + clen -= FORKAE_BLOCK_SIZE; + *mlen = clen; + + /* Format the initial tweakey with the key and nonce */ + memcpy(tweakey, k, 16); + memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); + memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, + FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; + + /* Tag value starts at zero */ + memset(tag, 0, sizeof(tag)); + + /* Process the associated data */ + if (adlen > 0 || clen == 0) { + while (adlen > FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + ad += FORKAE_BLOCK_SIZE; + adlen -= FORKAE_BLOCK_SIZE; + } + if (clen == 0) + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; + if (adlen == FORKAE_BLOCK_SIZE) { + lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } else if (adlen != 0 || clen == 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(tag, ad, temp); + tag[temp] ^= 0x80; + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + } + } + + /* If there is no message payload, then check the tag and we are done */ + if (!clen) + return aead_check_tag(m, clen, tag, c, sizeof(tag)); + + /* Decrypt all ciphertext blocks except the last */ + while (clen > FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + memcpy(tag, block, FORKAE_BLOCK_SIZE); + memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); + c += FORKAE_BLOCK_SIZE; + m += FORKAE_BLOCK_SIZE; + clen -= FORKAE_BLOCK_SIZE; + } + + /* Decrypt the last block and check the final authentication tag */ + if (clen == FORKAE_BLOCK_SIZE) { + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); + lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); + return aead_check_tag + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE); + } else { + unsigned temp = (unsigned)clen; + unsigned char mblock[FORKAE_BLOCK_SIZE]; + int check; + lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); + tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; + FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) + (tweakey, mblock, block, block); + lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE); + memcpy(m, mblock, temp); + check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) + (mblock + temp, FORKAE_BLOCK_SIZE - temp); + return aead_check_tag_precheck + (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); + } +} + +#endif /* FORKAE_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ForkAE SAEF algorithm */ +#undef FORKAE_ALG_NAME +#undef FORKAE_BLOCK_SIZE +#undef FORKAE_NONCE_SIZE +#undef FORKAE_COUNTER_SIZE +#undef FORKAE_TWEAKEY_SIZE +#undef FORKAE_TWEAKEY_REDUCED_SIZE +#undef FORKAE_BLOCK_FUNC +#undef FORKAE_CONCAT_INNER +#undef FORKAE_CONCAT diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.c new file mode 100644 index 0000000..b050ff1 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.c @@ -0,0 +1,988 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-forkskinny.h" +#include "internal-skinnyutil.h" + +/** + * \brief 7-bit round constants for all ForkSkinny block ciphers. + */ +static unsigned char const RC[87] = { + 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d, + 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73, + 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57, + 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d, + 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53, + 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15, + 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02, + 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71, + 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b, + 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25, + 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10 +}; + +/** + * \brief Number of rounds of ForkSkinny-128-256 before forking. + */ +#define FORKSKINNY_128_256_ROUNDS_BEFORE 21 + +/** + * \brief Number of rounds of ForkSkinny-128-256 after forking. + */ +#define FORKSKINNY_128_256_ROUNDS_AFTER 27 + +/** + * \brief State information for ForkSkinny-128-256. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_256_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-256. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); +} + +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) { + forkskinny_128_256_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-256 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_256_inv_round + (forkskinny_128_256_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_256_state_t state; + forkskinny_128_256_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_256_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; + round < (FORKSKINNY_128_256_ROUNDS_BEFORE + + FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { + forkskinny_128_256_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-128-384 before forking. + */ +#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 + +/** + * \brief Number of rounds of ForkSkinny-128-384 after forking. + */ +#define FORKSKINNY_128_384_ROUNDS_AFTER 31 + +/** + * \brief State information for ForkSkinny-128-384. + */ +typedef struct +{ + uint32_t TK1[4]; /**< First part of the tweakey */ + uint32_t TK2[4]; /**< Second part of the tweakey */ + uint32_t TK3[4]; /**< Third part of the tweakey */ + uint32_t S[4]; /**< Current block state */ + +} forkskinny_128_384_state_t; + +/** + * \brief Applies one round of ForkSkinny-128-384. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(state->TK1); + skinny128_permute_tk(state->TK2); + skinny128_permute_tk(state->TK3); + skinny128_LFSR2(state->TK2[0]); + skinny128_LFSR2(state->TK2[1]); + skinny128_LFSR3(state->TK3[0]); + skinny128_LFSR3(state->TK3[1]); +} + +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { + forkskinny_128_384_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint32_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x08040201U; /* Branching constant */ + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&state, round); + } + le_store_word32(output_right, state.S[0]); + le_store_word32(output_right + 4, state.S[1]); + le_store_word32(output_right + 8, state.S[2]); + le_store_word32(output_right + 12, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-128-384 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_128_384_inv_round + (forkskinny_128_384_state_t *state, unsigned round) +{ + uint32_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1 and TK2 for the next round */ + skinny128_inv_LFSR2(state->TK2[0]); + skinny128_inv_LFSR2(state->TK2[1]); + skinny128_inv_LFSR3(state->TK3[0]); + skinny128_inv_LFSR3(state->TK3[1]); + skinny128_inv_permute_tk(state->TK1); + skinny128_inv_permute_tk(state->TK2); + skinny128_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left, which moves the cell + * values down closer to the LSB. That is, we do a right + * rotate on the word to rotate the cells in the word left */ + s1 = rightRotate8(s1); + s2 = rightRotate16(s2); + s3 = rightRotate24(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + (rc & 0x0F) ^ 0x00020000; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_128_384_state_t state; + forkskinny_128_384_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = le_load_word32(key); + state.TK1[1] = le_load_word32(key + 4); + state.TK1[2] = le_load_word32(key + 8); + state.TK1[3] = le_load_word32(key + 12); + state.TK2[0] = le_load_word32(key + 16); + state.TK2[1] = le_load_word32(key + 20); + state.TK2[2] = le_load_word32(key + 24); + state.TK2[3] = le_load_word32(key + 28); + state.TK3[0] = le_load_word32(key + 32); + state.TK3[1] = le_load_word32(key + 36); + state.TK3[2] = le_load_word32(key + 40); + state.TK3[3] = le_load_word32(key + 44); + state.S[0] = le_load_word32(input); + state.S[1] = le_load_word32(input + 4); + state.S[2] = le_load_word32(input + 8); + state.S[3] = le_load_word32(input + 12); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { + skinny128_permute_tk(state.TK1); + skinny128_permute_tk(state.TK2); + skinny128_permute_tk(state.TK3); + skinny128_LFSR2(state.TK2[0]); + skinny128_LFSR2(state.TK2[1]); + skinny128_LFSR3(state.TK3[0]); + skinny128_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER * 2); + round > (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x08040201U; + state.S[1] ^= 0x82412010U; + state.S[2] ^= 0x28140a05U; + state.S[3] ^= 0x8844a251U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { + skinny128_inv_LFSR2(state.TK2[0]); + skinny128_inv_LFSR2(state.TK2[1]); + skinny128_inv_LFSR3(state.TK3[0]); + skinny128_inv_LFSR3(state.TK3[1]); + skinny128_inv_permute_tk(state.TK1); + skinny128_inv_permute_tk(state.TK2); + skinny128_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_128_384_inv_round(&state, round - 1); + } + le_store_word32(output_left, state.S[0]); + le_store_word32(output_left + 4, state.S[1]); + le_store_word32(output_left + 8, state.S[2]); + le_store_word32(output_left + 12, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; + round < (FORKSKINNY_128_384_ROUNDS_BEFORE + + FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { + forkskinny_128_384_round(&fstate, round); + } + le_store_word32(output_right, fstate.S[0]); + le_store_word32(output_right + 4, fstate.S[1]); + le_store_word32(output_right + 8, fstate.S[2]); + le_store_word32(output_right + 12, fstate.S[3]); +} + +/** + * \brief Number of rounds of ForkSkinny-64-192 before forking. + */ +#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 + +/** + * \brief Number of rounds of ForkSkinny-64-192 after forking. + */ +#define FORKSKINNY_64_192_ROUNDS_AFTER 23 + +/** + * \brief State information for ForkSkinny-64-192. + */ +typedef struct +{ + uint16_t TK1[4]; /**< First part of the tweakey */ + uint16_t TK2[4]; /**< Second part of the tweakey */ + uint16_t TK3[4]; /**< Third part of the tweakey */ + uint16_t S[4]; /**< Current block state */ + +} forkskinny_64_192_state_t; + +/** + * \brief Applies one round of ForkSkinny-64-192. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + * + * Note: The cells of each row are order in big-endian nibble order + * so it is easiest to manage the rows in bit-endian byte order. + */ +static void forkskinny_64_192_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Apply the S-box to all cells in the state */ + skinny64_sbox(s0); + skinny64_sbox(s1); + skinny64_sbox(s2); + skinny64_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Shift the cells in the rows right */ + s1 = rightRotate4_16(s1); + s2 = rightRotate8_16(s2); + s3 = rightRotate12_16(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_permute_tk(state->TK1); + skinny64_permute_tk(state->TK2); + skinny64_permute_tk(state->TK3); + skinny64_LFSR2(state->TK2[0]); + skinny64_LFSR2(state->TK2[1]); + skinny64_LFSR3(state->TK3[0]); + skinny64_LFSR3(state->TK3[1]); +} + +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Run all of the rounds before the forking point */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { + forkskinny_64_192_round(&state, round); + } + + /* Determine which output blocks we need */ + if (output_left && output_right) { + /* We need both outputs so save the state at the forking point */ + uint16_t F[4]; + F[0] = state.S[0]; + F[1] = state.S[1]; + F[2] = state.S[2]; + F[3] = state.S[3]; + + /* Generate the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + + /* Restore the state at the forking point */ + state.S[0] = F[0]; + state.S[1] = F[1]; + state.S[2] = F[2]; + state.S[3] = F[3]; + } + if (output_left) { + /* Generate the left output block */ + state.S[0] ^= 0x1249U; /* Branching constant */ + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + } else { + /* We only need the right output block */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&state, round); + } + be_store_word16(output_right, state.S[0]); + be_store_word16(output_right + 2, state.S[1]); + be_store_word16(output_right + 4, state.S[2]); + be_store_word16(output_right + 6, state.S[3]); + } +} + +/** + * \brief Applies one round of ForkSkinny-64-192 in reverse. + * + * \param state State to apply the round to. + * \param round Number of the round to apply. + */ +static void forkskinny_64_192_inv_round + (forkskinny_64_192_state_t *state, unsigned round) +{ + uint16_t s0, s1, s2, s3, temp; + uint8_t rc; + + /* Load the state into local variables */ + s0 = state->S[0]; + s1 = state->S[1]; + s2 = state->S[2]; + s3 = state->S[3]; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny64_inv_LFSR2(state->TK2[0]); + skinny64_inv_LFSR2(state->TK2[1]); + skinny64_inv_LFSR3(state->TK3[0]); + skinny64_inv_LFSR3(state->TK3[1]); + skinny64_inv_permute_tk(state->TK1); + skinny64_inv_permute_tk(state->TK2); + skinny64_inv_permute_tk(state->TK3); + + /* Inverse mix of the columns */ + temp = s0; + s0 = s1; + s1 = s2; + s2 = s3; + s3 = temp ^ s2; + s2 ^= s0; + s1 ^= s2; + + /* Shift the cells in the rows left */ + s1 = leftRotate4_16(s1); + s2 = leftRotate8_16(s2); + s3 = leftRotate12_16(s3); + + /* XOR the round constant and the subkey for this round */ + rc = RC[round]; + s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ + ((rc & 0x0F) << 12) ^ 0x0020; + s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ + ((rc & 0x70) << 8); + s2 ^= 0x2000; + + /* Apply the inverse of the S-box to all cells in the state */ + skinny64_inv_sbox(s0); + skinny64_inv_sbox(s1); + skinny64_inv_sbox(s2); + skinny64_inv_sbox(s3); + + /* Save the local variables back to the state */ + state->S[0] = s0; + state->S[1] = s1; + state->S[2] = s2; + state->S[3] = s3; +} + +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input) +{ + forkskinny_64_192_state_t state; + forkskinny_64_192_state_t fstate; + unsigned round; + + /* Unpack the tweakey and the input */ + state.TK1[0] = be_load_word16(key); + state.TK1[1] = be_load_word16(key + 2); + state.TK1[2] = be_load_word16(key + 4); + state.TK1[3] = be_load_word16(key + 6); + state.TK2[0] = be_load_word16(key + 8); + state.TK2[1] = be_load_word16(key + 10); + state.TK2[2] = be_load_word16(key + 12); + state.TK2[3] = be_load_word16(key + 14); + state.TK3[0] = be_load_word16(key + 16); + state.TK3[1] = be_load_word16(key + 18); + state.TK3[2] = be_load_word16(key + 20); + state.TK3[3] = be_load_word16(key + 22); + state.S[0] = be_load_word16(input); + state.S[1] = be_load_word16(input + 2); + state.S[2] = be_load_word16(input + 4); + state.S[3] = be_load_word16(input + 6); + + /* Fast-forward the tweakey to the end of the key schedule */ + for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { + skinny64_permute_tk(state.TK1); + skinny64_permute_tk(state.TK2); + skinny64_permute_tk(state.TK3); + skinny64_LFSR2(state.TK2[0]); + skinny64_LFSR2(state.TK2[1]); + skinny64_LFSR3(state.TK3[0]); + skinny64_LFSR3(state.TK3[1]); + } + + /* Perform the "after" rounds on the input to get back + * to the forking point in the cipher */ + for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER * 2); + round > (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + + /* Remove the branching constant */ + state.S[0] ^= 0x1249U; + state.S[1] ^= 0x36daU; + state.S[2] ^= 0x5b7fU; + state.S[3] ^= 0xec81U; + + /* Roll the tweakey back another "after" rounds */ + for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { + skinny64_inv_LFSR2(state.TK2[0]); + skinny64_inv_LFSR2(state.TK2[1]); + skinny64_inv_LFSR3(state.TK3[0]); + skinny64_inv_LFSR3(state.TK3[1]); + skinny64_inv_permute_tk(state.TK1); + skinny64_inv_permute_tk(state.TK2); + skinny64_inv_permute_tk(state.TK3); + } + + /* Save the state and the tweakey at the forking point */ + fstate = state; + + /* Generate the left output block after another "before" rounds */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { + forkskinny_64_192_inv_round(&state, round - 1); + } + be_store_word16(output_left, state.S[0]); + be_store_word16(output_left + 2, state.S[1]); + be_store_word16(output_left + 4, state.S[2]); + be_store_word16(output_left + 6, state.S[3]); + + /* Generate the right output block by going forward "after" + * rounds from the forking point */ + for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; + round < (FORKSKINNY_64_192_ROUNDS_BEFORE + + FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { + forkskinny_64_192_round(&fstate, round); + } + be_store_word16(output_right, fstate.S[0]); + be_store_word16(output_right + 2, fstate.S[1]); + be_store_word16(output_right + 4, fstate.S[2]); + be_store_word16(output_right + 6, fstate.S[3]); +} diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.h new file mode 100644 index 0000000..0c1a707 --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-forkskinny.h @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_FORKSKINNY_H +#define LW_INTERNAL_FORKSKINNY_H + +/** + * \file internal-forkskinny.h + * \brief ForkSkinny block cipher family. + * + * ForkSkinny is a modified version of the SKINNY block cipher that + * supports "forking": half-way through the rounds the cipher is + * forked in two different directions to produce two different outputs. + * + * References: https://www.esat.kuleuven.be/cosic/forkae/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-192 also uses this function with a padded tweakey. + */ +void forkskinny_128_256_encrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-256. + * + * \param key 256-bit tweakey for ForkSkinny-128-256. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_256_decrypt + (const unsigned char key[32], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of plaintext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 128-bit input plaintext block. + * + * ForkSkinny-128-288 also uses this function with a padded tweakey. + */ +void forkskinny_128_384_encrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-128-384. + * + * \param key 384-bit tweakey for ForkSkinny-128-384. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 128-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_128_384_decrypt + (const unsigned char key[48], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Encrypts a block of input with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left First output block, or NULL if left is not required. + * \param output_right Second output block, or NULL if right is not required. + * \param input 64-bit input block. + */ +/** + * \brief Encrypts a block of plaintext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block for the ciphertext, or NULL if + * the left output is not required. + * \param output_right Right output block for the authentication tag, + * or NULL if the right output is not required. + * \param input 64-bit input plaintext block. + */ +void forkskinny_64_192_encrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +/** + * \brief Decrypts a block of ciphertext with ForkSkinny-64-192. + * + * \param key 192-bit tweakey for ForkSkinny-64-192. + * \param output_left Left output block, which is the plaintext. + * \param output_right Right output block for the authentication tag. + * \param input 64-bit input ciphertext block. + * + * Both output blocks will be populated; neither is optional. + */ +void forkskinny_64_192_decrypt + (const unsigned char key[24], unsigned char *output_left, + unsigned char *output_right, const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-skinnyutil.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/api.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/encrypt.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/encrypt.c new file mode 100644 index 0000000..1286684 --- /dev/null +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "gift-cofb.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return gift_cofb_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return gift_cofb_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.c new file mode 100644 index 0000000..ed70e07 --- /dev/null +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.c @@ -0,0 +1,407 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "gift-cofb.h" +#include "internal-gift128.h" +#include "internal-util.h" +#include + +aead_cipher_t const gift_cofb_cipher = { + "GIFT-COFB", + GIFT_COFB_KEY_SIZE, + GIFT_COFB_NONCE_SIZE, + GIFT_COFB_TAG_SIZE, + AEAD_FLAG_NONE, + gift_cofb_aead_encrypt, + gift_cofb_aead_decrypt +}; + +/** + * \brief Structure of an L value. + * + * The value is assumed to have already been converted from big-endian + * to host byte order. + */ +typedef struct +{ + uint32_t x; /**< High word of the value */ + uint32_t y; /**< Low word of the value */ + +} gift_cofb_l_t; + +/** + * \brief Structure of a 128-bit block in host byte order. + * + * The block is assumed to have already been converted from big-endian + * to host byte order. + */ +typedef union +{ + uint32_t x[4]; /**< Words of the block */ + uint8_t y[16]; /**< Bytes of the block */ + +} gift_cofb_block_t; + +/** + * \brief Doubles an L value in the F(2^64) field. + * + * \param L The value to be doubled. + * + * L = L << 1 if the top-most bit is 0, or L = (L << 1) ^ 0x1B otherwise. + */ +#define gift_cofb_double_L(L) \ + do { \ + uint32_t mask = ((int32_t)((L)->x)) >> 31; \ + (L)->x = ((L)->x << 1) | ((L)->y >> 31); \ + (L)->y = ((L)->y << 1) ^ (mask & 0x1B); \ + } while (0) + +/** + * \brief Triples an L value in the F(2^64) field. + * + * \param L The value to be tripled. + * + * L = double(L) ^ L + */ +#define gift_cofb_triple_L(L) \ + do { \ + uint32_t mask = ((int32_t)((L)->x)) >> 31; \ + uint32_t tx = ((L)->x << 1) | ((L)->y >> 31); \ + uint32_t ty = ((L)->y << 1) ^ (mask & 0x1B); \ + (L)->x ^= tx; \ + (L)->y ^= ty; \ + } while (0) + +/** + * \brief Applies the GIFT-COFB feedback function to Y. + * + * \param Y The value to be modified with the feedback function. + * + * Y is divided into L and R halves and then (R, L <<< 1) is returned. + */ +#define gift_cofb_feedback(Y) \ + do { \ + uint32_t lx = (Y)->x[0]; \ + uint32_t ly = (Y)->x[1]; \ + (Y)->x[0] = (Y)->x[2]; \ + (Y)->x[1] = (Y)->x[3]; \ + (Y)->x[2] = (lx << 1) | (ly >> 31); \ + (Y)->x[3] = (ly << 1) | (lx >> 31); \ + } while (0) + +/** + * \brief Process the associated data for GIFT-COFB encryption or decryption. + * + * \param ks The GIFT-128 key schedule to use. + * \param Y GIFT-COFB internal state. + * \param L GIFT-COFB internal state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param mlen Length of the plaintext in bytes. + */ +static void gift_cofb_assoc_data + (gift128b_key_schedule_t *ks, gift_cofb_block_t *Y, gift_cofb_l_t *L, + const unsigned char *ad, unsigned long long adlen, unsigned long long mlen) +{ + /* Deal with all associated data blocks except the last */ + while (adlen > 16) { + gift_cofb_double_L(L); + gift_cofb_feedback(Y); + Y->x[0] ^= L->x ^ be_load_word32(ad); + Y->x[1] ^= L->y ^ be_load_word32(ad + 4); + Y->x[2] ^= be_load_word32(ad + 8); + Y->x[3] ^= be_load_word32(ad + 12); + gift128b_encrypt_preloaded(ks, Y->x, Y->x); + ad += 16; + adlen -= 16; + } + + /* Pad and deal with the last block */ + gift_cofb_feedback(Y); + if (adlen == 16) { + Y->x[0] ^= be_load_word32(ad); + Y->x[1] ^= be_load_word32(ad + 4); + Y->x[2] ^= be_load_word32(ad + 8); + Y->x[3] ^= be_load_word32(ad + 12); + gift_cofb_triple_L(L); + } else { + unsigned temp = (unsigned)adlen; + unsigned char padded[16]; + memcpy(padded, ad, temp); + padded[temp] = 0x80; + memset(padded + temp + 1, 0, 16 - temp - 1); + Y->x[0] ^= be_load_word32(padded); + Y->x[1] ^= be_load_word32(padded + 4); + Y->x[2] ^= be_load_word32(padded + 8); + Y->x[3] ^= be_load_word32(padded + 12); + gift_cofb_triple_L(L); + gift_cofb_triple_L(L); + } + if (mlen == 0) { + gift_cofb_triple_L(L); + gift_cofb_triple_L(L); + } + Y->x[0] ^= L->x; + Y->x[1] ^= L->y; + gift128b_encrypt_preloaded(ks, Y->x, Y->x); +} + +/** @cond cofb_byte_swap */ + +/* Byte-swap a block if the platform is little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define gift_cofb_byte_swap_word(y) \ + (__extension__ ({ \ + uint32_t _y = (y); \ + (_y >> 24) | (_y << 24) | ((_y << 8) & 0x00FF0000U) | \ + ((_y >> 8) & 0x0000FF00U); \ + })) +#define gift_cofb_byte_swap(x) \ + do { \ + (x)[0] = gift_cofb_byte_swap_word((x)[0]); \ + (x)[1] = gift_cofb_byte_swap_word((x)[1]); \ + (x)[2] = gift_cofb_byte_swap_word((x)[2]); \ + (x)[3] = gift_cofb_byte_swap_word((x)[3]); \ + } while (0) +#else +#define gift_cofb_byte_swap(x) do { ; } while (0) +#endif + +/** @endcond */ + +int gift_cofb_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + gift128b_key_schedule_t ks; + gift_cofb_block_t Y; + gift_cofb_l_t L; + gift_cofb_block_t P; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + GIFT_COFB_TAG_SIZE; + + /* Set up the key schedule and use it to encrypt the nonce */ + if (!gift128b_init(&ks, k, GIFT_COFB_KEY_SIZE)) + return -1; + Y.x[0] = be_load_word32(npub); + Y.x[1] = be_load_word32(npub + 4); + Y.x[2] = be_load_word32(npub + 8); + Y.x[3] = be_load_word32(npub + 12); + gift128b_encrypt_preloaded(&ks, Y.x, Y.x); + L.x = Y.x[0]; + L.y = Y.x[1]; + + /* Authenticate the associated data */ + gift_cofb_assoc_data(&ks, &Y, &L, ad, adlen, mlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + /* Deal with all plaintext blocks except the last */ + while (mlen > 16) { + P.x[0] = be_load_word32(m); + P.x[1] = be_load_word32(m + 4); + P.x[2] = be_load_word32(m + 8); + P.x[3] = be_load_word32(m + 12); + be_store_word32(c, Y.x[0] ^ P.x[0]); + be_store_word32(c + 4, Y.x[1] ^ P.x[1]); + be_store_word32(c + 8, Y.x[2] ^ P.x[2]); + be_store_word32(c + 12, Y.x[3] ^ P.x[3]); + gift_cofb_double_L(&L); + gift_cofb_feedback(&Y); + Y.x[0] ^= L.x ^ P.x[0]; + Y.x[1] ^= L.y ^ P.x[1]; + Y.x[2] ^= P.x[2]; + Y.x[3] ^= P.x[3]; + gift128b_encrypt_preloaded(&ks, Y.x, Y.x); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and deal with the last plaintext block */ + if (mlen == 16) { + P.x[0] = be_load_word32(m); + P.x[1] = be_load_word32(m + 4); + P.x[2] = be_load_word32(m + 8); + P.x[3] = be_load_word32(m + 12); + be_store_word32(c, Y.x[0] ^ P.x[0]); + be_store_word32(c + 4, Y.x[1] ^ P.x[1]); + be_store_word32(c + 8, Y.x[2] ^ P.x[2]); + be_store_word32(c + 12, Y.x[3] ^ P.x[3]); + gift_cofb_feedback(&Y); + Y.x[0] ^= P.x[0]; + Y.x[1] ^= P.x[1]; + Y.x[2] ^= P.x[2]; + Y.x[3] ^= P.x[3]; + gift_cofb_triple_L(&L); + c += 16; + } else { + unsigned temp = (unsigned)mlen; + gift_cofb_block_t padded; + memcpy(padded.y, m, temp); + padded.y[temp] = 0x80; + memset(padded.y + temp + 1, 0, 16 - temp - 1); + P.x[0] = be_load_word32(padded.y); + P.x[1] = be_load_word32(padded.y + 4); + P.x[2] = be_load_word32(padded.y + 8); + P.x[3] = be_load_word32(padded.y + 12); + gift_cofb_byte_swap(padded.x); + padded.x[0] ^= Y.x[0]; + padded.x[1] ^= Y.x[1]; + padded.x[2] ^= Y.x[2]; + padded.x[3] ^= Y.x[3]; + gift_cofb_byte_swap(padded.x); + memcpy(c, padded.y, temp); + gift_cofb_feedback(&Y); + Y.x[0] ^= P.x[0]; + Y.x[1] ^= P.x[1]; + Y.x[2] ^= P.x[2]; + Y.x[3] ^= P.x[3]; + gift_cofb_triple_L(&L); + gift_cofb_triple_L(&L); + c += temp; + } + Y.x[0] ^= L.x; + Y.x[1] ^= L.y; + gift128b_encrypt_preloaded(&ks, Y.x, Y.x); + } + + /* Generate the final authentication tag */ + be_store_word32(c, Y.x[0]); + be_store_word32(c + 4, Y.x[1]); + be_store_word32(c + 8, Y.x[2]); + be_store_word32(c + 12, Y.x[3]); + return 0; +} + +int gift_cofb_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + gift128b_key_schedule_t ks; + gift_cofb_block_t Y; + gift_cofb_l_t L; + gift_cofb_block_t P; + unsigned char *mtemp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < GIFT_COFB_TAG_SIZE) + return -1; + *mlen = clen - GIFT_COFB_TAG_SIZE; + + /* Set up the key schedule and use it to encrypt the nonce */ + if (!gift128b_init(&ks, k, GIFT_COFB_KEY_SIZE)) + return -1; + Y.x[0] = be_load_word32(npub); + Y.x[1] = be_load_word32(npub + 4); + Y.x[2] = be_load_word32(npub + 8); + Y.x[3] = be_load_word32(npub + 12); + gift128b_encrypt_preloaded(&ks, Y.x, Y.x); + L.x = Y.x[0]; + L.y = Y.x[1]; + + /* Authenticate the associated data */ + gift_cofb_assoc_data(&ks, &Y, &L, ad, adlen, *mlen); + + /* Decrypt the ciphertext to produce the plaintext */ + mtemp = m; + clen -= GIFT_COFB_TAG_SIZE; + if (clen > 0) { + /* Deal with all ciphertext blocks except the last */ + while (clen > 16) { + P.x[0] = Y.x[0] ^ be_load_word32(c); + P.x[1] = Y.x[1] ^ be_load_word32(c + 4); + P.x[2] = Y.x[2] ^ be_load_word32(c + 8); + P.x[3] = Y.x[3] ^ be_load_word32(c + 12); + be_store_word32(m, P.x[0]); + be_store_word32(m + 4, P.x[1]); + be_store_word32(m + 8, P.x[2]); + be_store_word32(m + 12, P.x[3]); + gift_cofb_double_L(&L); + gift_cofb_feedback(&Y); + Y.x[0] ^= L.x ^ P.x[0]; + Y.x[1] ^= L.y ^ P.x[1]; + Y.x[2] ^= P.x[2]; + Y.x[3] ^= P.x[3]; + gift128b_encrypt_preloaded(&ks, Y.x, Y.x); + c += 16; + m += 16; + clen -= 16; + } + + /* Pad and deal with the last ciphertext block */ + if (clen == 16) { + P.x[0] = Y.x[0] ^ be_load_word32(c); + P.x[1] = Y.x[1] ^ be_load_word32(c + 4); + P.x[2] = Y.x[2] ^ be_load_word32(c + 8); + P.x[3] = Y.x[3] ^ be_load_word32(c + 12); + be_store_word32(m, P.x[0]); + be_store_word32(m + 4, P.x[1]); + be_store_word32(m + 8, P.x[2]); + be_store_word32(m + 12, P.x[3]); + gift_cofb_feedback(&Y); + Y.x[0] ^= P.x[0]; + Y.x[1] ^= P.x[1]; + Y.x[2] ^= P.x[2]; + Y.x[3] ^= P.x[3]; + gift_cofb_triple_L(&L); + c += 16; + } else { + unsigned temp = (unsigned)clen; + P.x[0] = Y.x[0]; + P.x[1] = Y.x[1]; + P.x[2] = Y.x[2]; + P.x[3] = Y.x[3]; + gift_cofb_byte_swap(P.x); + lw_xor_block_2_dest(m, P.y, c, temp); + P.y[temp] = 0x80; + memset(P.y + temp + 1, 0, 16 - temp - 1); + gift_cofb_byte_swap(P.x); + gift_cofb_feedback(&Y); + Y.x[0] ^= P.x[0]; + Y.x[1] ^= P.x[1]; + Y.x[2] ^= P.x[2]; + Y.x[3] ^= P.x[3]; + gift_cofb_triple_L(&L); + gift_cofb_triple_L(&L); + c += temp; + } + Y.x[0] ^= L.x; + Y.x[1] ^= L.y; + gift128b_encrypt_preloaded(&ks, Y.x, Y.x); + } + + /* Check the authentication tag at the end of the packet */ + gift_cofb_byte_swap(Y.x); + return aead_check_tag(mtemp, *mlen, Y.y, c, GIFT_COFB_TAG_SIZE); +} diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.h new file mode 100644 index 0000000..670d042 --- /dev/null +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.h @@ -0,0 +1,127 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_GIFT_COFB_H +#define LWCRYPTO_GIFT_COFB_H + +#include "aead-common.h" + +/** + * \file gift-cofb.h + * \brief GIFT-COFB authenticated encryption algorithm. + * + * GIFT-COFB is an authenticated encryption algorithm that combines + * the COFB (COmbined FeedBack) block cipher mode with the GIFT-128 + * block cipher. The algorithm has a 128-bit key, a 128-bit nonce, + * and a 128-bit authentication tag. + * + * References: https://www.isical.ac.in/~lightweight/COFB/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for GIFT-COFB. + */ +#define GIFT_COFB_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all GIFT-COFB family members. + */ +#define GIFT_COFB_TAG_SIZE 16 + +/** + * \brief Size of the nonce for GIFT-COFB. + */ +#define GIFT_COFB_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the GIFT-COFB cipher. + */ +extern aead_cipher_t const gift_cofb_cipher; + +/** + * \brief Encrypts and authenticates a packet with GIFT-COFB. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa gift_cofb_aead_decrypt() + */ +int gift_cofb_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with GIFT-COFB-0. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa gift_cofb_aead_encrypt() + */ +int gift_cofb_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.c new file mode 100644 index 0000000..681dbc8 --- /dev/null +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.c @@ -0,0 +1,849 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gift128.h" +#include "internal-util.h" + +/* Round constants for GIFT-128 in the fixsliced representation */ +static uint32_t const GIFT128_RC[40] = { + 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, + 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, + 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, + 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, + 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, + 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, + 0xc001a000, 0x14500002, 0x01020181, 0x8000001a +}; + +/** + * \brief Swaps bits within two words. + * + * \param a The first word. + * \param b The second word. + * \param mask Mask for the bits to shift. + * \param shift Shift amount in bits. + */ +#define gift128b_swap_move(a, b, mask, shift) \ + do { \ + uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ + (b) ^= tmp; \ + (a) ^= tmp << (shift); \ + } while (0) + +/** + * \brief Derives the next 10 fixsliced keys in the key schedule. + * + * \param next Points to the buffer to receive the next 10 keys. + * \param prev Points to the buffer holding the previous 10 keys. + * + * The \a next and \a prev buffers are allowed to be the same. + */ +#define gift128b_derive_keys(next, prev) \ + do { \ + /* Key 0 */ \ + uint32_t s = (prev)[0]; \ + uint32_t t = (prev)[1]; \ + gift128b_swap_move(t, t, 0x00003333U, 16); \ + gift128b_swap_move(t, t, 0x55554444U, 1); \ + (next)[0] = t; \ + /* Key 1 */ \ + s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ + gift128b_swap_move(s, s, 0x55551100U, 1); \ + (next)[1] = s; \ + /* Key 2 */ \ + s = (prev)[2]; \ + t = (prev)[3]; \ + (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ + ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ + /* Key 3 */ \ + (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ + ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ + /* Key 4 */ \ + s = (prev)[4]; \ + t = (prev)[5]; \ + (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ + leftRotate16(t & 0x55555555U); \ + /* Key 5 */ \ + (next)[5] = leftRotate8(s & 0x55555555U) | \ + leftRotate12(s & 0xAAAAAAAAU); \ + /* Key 6 */ \ + s = (prev)[6]; \ + t = (prev)[7]; \ + (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ + ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ + /* Key 7 */ \ + (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ + ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ + ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ + /* Key 8 */ \ + s = (prev)[8]; \ + t = (prev)[9]; \ + (next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ + ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ + /* Key 9 */ \ + (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ + ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ + } while (0) + +/** + * \brief Compute the round keys for GIFT-128 in the fixsliced representation. + * + * \param ks Points to the key schedule to initialize. + * \param k0 First key word. + * \param k1 Second key word. + * \param k2 Third key word. + * \param k3 Fourth key word. + */ +static void gift128b_compute_round_keys + (gift128b_key_schedule_t *ks, + uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) +{ + unsigned index; + uint32_t temp; + + /* Set the regular key with k0 and k3 pre-swapped for the round function */ + ks->k[0] = k3; + ks->k[1] = k1; + ks->k[2] = k2; + ks->k[3] = k0; + + /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ + for (index = 4; index < 20; index += 2) { + ks->k[index] = ks->k[index - 3]; + temp = ks->k[index - 4]; + temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + ks->k[index + 1] = temp; + } + for (index = 0; index < 20; index += 10) { + /* Keys 0 and 10 */ + temp = ks->k[index]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index] = temp; + + /* Keys 1 and 11 */ + temp = ks->k[index + 1]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 1] = temp; + + /* Keys 2 and 12 */ + temp = ks->k[index + 2]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 2] = temp; + + /* Keys 3 and 13 */ + temp = ks->k[index + 3]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 3] = temp; + + /* Keys 4 and 14 */ + temp = ks->k[index + 4]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 4] = temp; + + /* Keys 5 and 15 */ + temp = ks->k[index + 5]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 5] = temp; + + /* Keys 6 and 16 */ + temp = ks->k[index + 6]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 6] = temp; + + /* Keys 7 and 17 */ + temp = ks->k[index + 7]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 7] = temp; + + /* Keys 8, 9, 18, and 19 do not need any adjustment */ + } + + /* Derive the fixsliced keys for the remaining rounds 11..40 */ + for (index = 20; index < 80; index += 10) { + gift128b_derive_keys(ks->k + index, ks->k + index - 20); + } +} + +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, be_load_word32(key), be_load_word32(key + 4), + be_load_word32(key + 8), be_load_word32(key + 12)); + return 1; +} + +/** + * \brief Performs the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_sbox(s0, s1, s2, s3) \ + do { \ + s1 ^= s0 & s2; \ + s0 ^= s1 & s3; \ + s2 ^= s0 | s1; \ + s3 ^= s2; \ + s1 ^= s3; \ + s3 ^= 0xFFFFFFFFU; \ + s2 ^= s0 & s1; \ + } while (0) + +/** + * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_sbox(s0, s1, s2, s3) \ + do { \ + s2 ^= s3 & s1; \ + s0 ^= 0xFFFFFFFFU; \ + s1 ^= s0; \ + s0 ^= s2; \ + s2 ^= s3 | s1; \ + s3 ^= s1 & s0; \ + s1 ^= s3 & s2; \ + } while (0) + +/** + * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ + s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s3 = leftRotate16(s3); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = rightRotate8(s2); \ + s3 = leftRotate8(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ + s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + s3 = leftRotate16(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = leftRotate8(s2); \ + s3 = rightRotate8(s3); \ + } while (0); + +/** + * \brief Performs five fixsliced encryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of five rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 5 rounds. + */ +#define gift128b_encrypt_5_rounds(rk, rc) \ + do { \ + /* 1st round - S-box, rotate left, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_1(s0, s1, s2, s3); \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + \ + /* 2nd round - S-box, rotate up, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_2(s0, s1, s2, s3); \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_3(s0, s1, s2, s3); \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + \ + /* 4th round - S-box, rotate left and swap rows, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_4(s0, s1, s2, s3); \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + \ + /* 5th round - S-box, rotate up, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_5(s0, s1, s2, s3); \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + \ + /* Swap s0 and s3 in preparation for the next 1st round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + } while (0) + +/** + * \brief Performs five fixsliced decryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + */ +#define gift128b_decrypt_5_rounds(rk, rc) \ + do { \ + /* Swap s0 and s3 in preparation for the next 5th round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + \ + /* 5th round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + gift128b_inv_permute_state_5(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 4th round - S-box, rotate right and swap rows, add round key */ \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + gift128b_inv_permute_state_4(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + gift128b_inv_permute_state_3(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 2nd round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + gift128b_inv_permute_state_2(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 1st round - S-box, rotate right, add round key */ \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + gift128b_inv_permute_state_1(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + } while (0) + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + /* Use the little-endian key byte order from the HYENA submission */ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); + return 1; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +/* 4-bit tweak values expanded to 32-bit */ +static uint32_t const GIFT128_tweaks[16] = { + 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, + 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, + 0x78787878, 0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, + 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff +}; + +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the ciphertext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the first we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the plaintext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.h new file mode 100644 index 0000000..1ac40e5 --- /dev/null +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.h @@ -0,0 +1,229 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT128_H +#define LW_INTERNAL_GIFT128_H + +/** + * \file internal-gift128.h + * \brief GIFT-128 block cipher. + * + * There are three versions of GIFT-128 in use within the second round + * submissions to the NIST lightweight cryptography competition. + * + * The most efficient version for 32-bit software implementation is the + * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. + * + * The second is the nibble-based version from HYENA. We implement the + * HYENA version as a wrapper around the bit-sliced version. + * + * The third version is a variant on the HYENA nibble-based version that + * includes a 4-bit tweak value for domain separation. It is used by + * the ESTATE submission to NIST. + * + * Technically there is a fourth version of GIFT-128 which is the one that + * appeared in the original GIFT-128 paper. It is almost the same as the + * HYENA version except that the byte ordering is big-endian instead of + * HYENA's little-endian. The original version of GIFT-128 doesn't appear + * in any of the NIST submissions so we don't bother with it in this library. + * + * References: https://eprint.iacr.org/2017/622.pdf, + * https://giftcipher.github.io/gift/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a GIFT-128 block in bytes. + */ +#define GIFT128_BLOCK_SIZE 16 + +/** + * \brief Number of round keys for the fixsliced representation of GIFT-128. + */ +#define GIFT128_ROUND_KEYS 80 + +/** + * \brief Structure of the key schedule for GIFT-128 (bit-sliced). + */ +typedef struct +{ + /** Pre-computed round keys in the fixsliced form */ + uint32_t k[GIFT128_ROUND_KEYS]; + +} gift128b_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (bit-sliced). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version assumes that the input has already been pre-loaded from + * big-endian into host byte order in the supplied word array. The output + * is delivered in the same way. + */ +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Structure of the key schedule for GIFT-128 (nibble-based). + */ +typedef gift128b_key_schedule_t gift128n_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (nibble-based). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +/** + * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-util.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.c b/gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/api.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/encrypt.c b/gimli/Implementations/crypto_aead/gimli24v1/rhys/encrypt.c new file mode 100644 index 0000000..53f563e --- /dev/null +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "gimli24.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return gimli24_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return gimli24_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.c b/gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.c new file mode 100644 index 0000000..4bc7d9f --- /dev/null +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.c @@ -0,0 +1,330 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "gimli24.h" +#include "internal-gimli24.h" +#include + +aead_cipher_t const gimli24_cipher = { + "GIMLI-24", + GIMLI24_KEY_SIZE, + GIMLI24_NONCE_SIZE, + GIMLI24_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + gimli24_aead_encrypt, + gimli24_aead_decrypt +}; + +aead_hash_algorithm_t const gimli24_hash_algorithm = { + "GIMLI-24-HASH", + sizeof(gimli24_hash_state_t), + GIMLI24_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + gimli24_hash, + (aead_hash_init_t)gimli24_hash_init, + (aead_hash_update_t)gimli24_hash_absorb, + (aead_hash_finalize_t)gimli24_hash_finalize, + (aead_xof_absorb_t)gimli24_hash_absorb, + (aead_xof_squeeze_t)gimli24_hash_squeeze +}; + +/** + * \brief Number of bytes of input or output data to process per block. + */ +#define GIMLI24_BLOCK_SIZE 16 + +/** + * \brief Structure of the GIMLI-24 state as both an array of words + * and an array of bytes. + */ +typedef union +{ + uint32_t words[12]; /**< Words in the state */ + uint8_t bytes[48]; /**< Bytes in the state */ + +} gimli24_state_t; + +/** + * \brief Absorbs data into a GIMLI-24 state. + * + * \param state The state to absorb the data into. + * \param data Points to the data to be absorbed. + * \param len Length of the data to be absorbed. + */ +static void gimli24_absorb + (gimli24_state_t *state, const unsigned char *data, unsigned long long len) +{ + unsigned temp; + while (len >= GIMLI24_BLOCK_SIZE) { + lw_xor_block(state->bytes, data, GIMLI24_BLOCK_SIZE); + gimli24_permute(state->words); + data += GIMLI24_BLOCK_SIZE; + len -= GIMLI24_BLOCK_SIZE; + } + temp = (unsigned)len; + lw_xor_block(state->bytes, data, temp); + state->bytes[temp] ^= 0x01; /* Padding */ + state->bytes[47] ^= 0x01; + gimli24_permute(state->words); +} + +/** + * \brief Encrypts a block of data with a GIMLI-24 state. + * + * \param state The state to encrypt with. + * \param dest Points to the destination buffer. + * \param src Points to the source buffer. + * \param len Length of the data to encrypt from \a src into \a dest. + */ +static void gimli24_encrypt + (gimli24_state_t *state, unsigned char *dest, + const unsigned char *src, unsigned long long len) +{ + unsigned temp; + while (len >= GIMLI24_BLOCK_SIZE) { + lw_xor_block_2_dest(dest, state->bytes, src, GIMLI24_BLOCK_SIZE); + gimli24_permute(state->words); + dest += GIMLI24_BLOCK_SIZE; + src += GIMLI24_BLOCK_SIZE; + len -= GIMLI24_BLOCK_SIZE; + } + temp = (unsigned)len; + lw_xor_block_2_dest(dest, state->bytes, src, temp); + state->bytes[temp] ^= 0x01; /* Padding */ + state->bytes[47] ^= 0x01; + gimli24_permute(state->words); +} + +/** + * \brief Decrypts a block of data with a GIMLI-24 state. + * + * \param state The state to decrypt with. + * \param dest Points to the destination buffer. + * \param src Points to the source buffer. + * \param len Length of the data to decrypt from \a src into \a dest. + */ +static void gimli24_decrypt + (gimli24_state_t *state, unsigned char *dest, + const unsigned char *src, unsigned long long len) +{ + unsigned temp; + while (len >= GIMLI24_BLOCK_SIZE) { + lw_xor_block_swap(dest, state->bytes, src, GIMLI24_BLOCK_SIZE); + gimli24_permute(state->words); + dest += GIMLI24_BLOCK_SIZE; + src += GIMLI24_BLOCK_SIZE; + len -= GIMLI24_BLOCK_SIZE; + } + temp = (unsigned)len; + lw_xor_block_swap(dest, state->bytes, src, temp); + state->bytes[temp] ^= 0x01; /* Padding */ + state->bytes[47] ^= 0x01; + gimli24_permute(state->words); +} + +int gimli24_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + gimli24_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + GIMLI24_TAG_SIZE; + + /* Format the initial GIMLI state from the nonce and the key */ + memcpy(state.words, npub, GIMLI24_NONCE_SIZE); + memcpy(state.words + 4, k, GIMLI24_KEY_SIZE); + + /* Permute the initial state */ + gimli24_permute(state.words); + + /* Absorb the associated data */ + gimli24_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + gimli24_encrypt(&state, c, m, mlen); + + /* Generate the authentication tag at the end of the ciphertext */ + memcpy(c + mlen, state.bytes, GIMLI24_TAG_SIZE); + return 0; +} + +int gimli24_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + gimli24_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < GIMLI24_TAG_SIZE) + return -1; + *mlen = clen - GIMLI24_TAG_SIZE; + + /* Format the initial GIMLI state from the nonce and the key */ + memcpy(state.words, npub, GIMLI24_NONCE_SIZE); + memcpy(state.words + 4, k, GIMLI24_KEY_SIZE); + + /* Permute the initial state */ + gimli24_permute(state.words); + + /* Absorb the associated data */ + gimli24_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + gimli24_decrypt(&state, m, c, *mlen); + + /* Check the authentication tag at the end of the packet */ + return aead_check_tag + (m, *mlen, state.bytes, c + *mlen, GIMLI24_TAG_SIZE); +} + +int gimli24_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + gimli24_state_t state; + + /* Initialize the hash state to all zeroes */ + memset(&state, 0, sizeof(state)); + + /* Absorb the input */ + gimli24_absorb(&state, in, inlen); + + /* Generate the output hash */ + memcpy(out, state.bytes, GIMLI24_HASH_SIZE / 2); + gimli24_permute(state.words); + memcpy(out + GIMLI24_HASH_SIZE / 2, state.bytes, GIMLI24_HASH_SIZE / 2); + return 0; +} + +void gimli24_hash_init(gimli24_hash_state_t *state) +{ + memset(state, 0, sizeof(gimli24_hash_state_t)); +} + +#define GIMLI24_XOF_RATE 16 +#define gimli24_xof_permute() \ + gimli24_permute((uint32_t *)(state->s.state)) + +void gimli24_hash_absorb + (gimli24_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + unsigned temp; + + if (state->s.mode) { + /* We were squeezing output - go back to the absorb phase */ + state->s.mode = 0; + state->s.count = 0; + gimli24_xof_permute(); + } + + /* Handle the partial left-over block from last time */ + if (state->s.count) { + temp = GIMLI24_XOF_RATE - state->s.count; + if (temp > inlen) { + temp = (unsigned)inlen; + lw_xor_block(state->s.state + state->s.count, in, temp); + state->s.count += temp; + return; + } + lw_xor_block(state->s.state + state->s.count, in, temp); + state->s.count = 0; + in += temp; + inlen -= temp; + gimli24_xof_permute(); + } + + /* Process full blocks that are aligned at state->s.count == 0 */ + while (inlen >= GIMLI24_XOF_RATE) { + lw_xor_block(state->s.state, in, GIMLI24_XOF_RATE); + in += GIMLI24_XOF_RATE; + inlen -= GIMLI24_XOF_RATE; + gimli24_xof_permute(); + } + + /* Process the left-over block at the end of the input */ + temp = (unsigned)inlen; + lw_xor_block(state->s.state, in, temp); + state->s.count = temp; +} + +void gimli24_hash_squeeze + (gimli24_hash_state_t *state, unsigned char *out, + unsigned long long outlen) +{ + unsigned temp; + + /* Pad the final input block if we were still in the absorb phase */ + if (!state->s.mode) { + state->s.state[state->s.count] ^= 0x01; + state->s.state[47] ^= 0x01; + state->s.count = 0; + state->s.mode = 1; + } + + /* Handle left-over partial blocks from last time */ + if (state->s.count) { + temp = GIMLI24_XOF_RATE - state->s.count; + if (temp > outlen) { + temp = (unsigned)outlen; + memcpy(out, state->s.state + state->s.count, temp); + state->s.count += temp; + return; + } + memcpy(out, state->s.state + state->s.count, temp); + out += temp; + outlen -= temp; + state->s.count = 0; + } + + /* Handle full blocks */ + while (outlen >= GIMLI24_XOF_RATE) { + gimli24_xof_permute(); + memcpy(out, state->s.state, GIMLI24_XOF_RATE); + out += GIMLI24_XOF_RATE; + outlen -= GIMLI24_XOF_RATE; + } + + /* Handle the left-over block */ + if (outlen > 0) { + temp = (unsigned)outlen; + gimli24_xof_permute(); + memcpy(out, state->s.state, temp); + state->s.count = temp; + } +} + +void gimli24_hash_finalize + (gimli24_hash_state_t *state, unsigned char *out) +{ + gimli24_hash_squeeze(state, out, GIMLI24_HASH_SIZE); +} diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.h new file mode 100644 index 0000000..f72aec7 --- /dev/null +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/gimli24.h @@ -0,0 +1,220 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_GIMLI24_H +#define LWCRYPTO_GIMLI24_H + +#include "aead-common.h" + +/** + * \file gimli24.h + * \brief Gimli authenticated encryption algorithm. + * + * GIMLI-24-CIPHER has a 256-bit key, a 128-bit nonce, and a 128-bit tag. + * It is the spiritual successor to the widely used ChaCha20 and has a + * similar design. + * + * This library also includes an implementation of the hash algorithm + * GIMLI-24-HASH in both regular hashing and XOF modes. + * + * References: https://gimli.cr.yp.to/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for GIMLI-24. + */ +#define GIMLI24_KEY_SIZE 32 + +/** + * \brief Size of the nonce for GIMLI-24. + */ +#define GIMLI24_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for GIMLI-24. + */ +#define GIMLI24_TAG_SIZE 16 + +/** + * \brief Size of the hash output for GIMLI-24. + */ +#define GIMLI24_HASH_SIZE 32 + +/** + * \brief State information for GIMLI-24-HASH incremental modes. + */ +typedef union +{ + struct { + unsigned char state[48]; /**< Current hash state */ + unsigned char count; /**< Number of bytes in the current block */ + unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} gimli24_hash_state_t; + +/** + * \brief Meta-information block for the GIMLI-24 cipher. + */ +extern aead_cipher_t const gimli24_cipher; + +/** + * \brief Meta-information block for the GIMLI-24-HASH algorithm. + * + * This meta-information block can also be used in XOF mode. + */ +extern aead_hash_algorithm_t const gimli24_hash_algorithm; + +/** + * \brief Encrypts and authenticates a packet with GIMLI-24 using the + * full AEAD mode. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa gimli24_aead_decrypt() + */ +int gimli24_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with GIMLI-24 using the + * full AEAD mode. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa gimli24_aead_encrypt() + */ +int gimli24_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with GIMLI-24 to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * GIMLI24_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int gimli24_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a GIMLI-24-HASH hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa gimli24_hash_absorb(), gimli24_hash_squeeze(), gimli24_hash() + */ +void gimli24_hash_init(gimli24_hash_state_t *state); + +/** + * \brief Aborbs more input data into a GIMLI-24-HASH state. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa gimli24_hash_init(), gimli24_hash_squeeze() + */ +void gimli24_hash_absorb + (gimli24_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Squeezes output data from an GIMLI-24-HASH state. + * + * \param state Hash state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + * + * \sa gimli24_hash_init(), gimli24_hash_absorb() + */ +void gimli24_hash_squeeze + (gimli24_hash_state_t *state, unsigned char *out, + unsigned long long outlen); + +/** + * \brief Returns the final hash value from a GIMLI-24-HASH hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + * + * \note This is a wrapper around gimli24_hash_squeeze() for a fixed length + * of GIMLI24_HASH_SIZE bytes. + * + * \sa gimli24_hash_init(), gimli24_hash_absorb() + */ +void gimli24_hash_finalize + (gimli24_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.c b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.c new file mode 100644 index 0000000..ab2c830 --- /dev/null +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.c @@ -0,0 +1,138 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gimli24.h" + +/* Apply the SP-box to a specific column in the state array */ +#define GIMLI24_SP(s0, s4, s8) \ + do { \ + x = leftRotate24(s0); \ + y = leftRotate9(s4); \ + s4 = y ^ x ^ ((x | s8) << 1); \ + s0 = s8 ^ y ^ ((x & y) << 3); \ + s8 = x ^ (s8 << 1) ^ ((y & s8) << 2); \ + } while (0) + +void gimli24_permute(uint32_t state[12]) +{ + uint32_t s0, s1, s2, s3, s4, s5; + uint32_t s6, s7, s8, s9, s10, s11; + uint32_t x, y; + unsigned round; + + /* Load the state into local variables and convert from little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s0 = state[0]; + s1 = state[1]; + s2 = state[2]; + s3 = state[3]; + s4 = state[4]; + s5 = state[5]; + s6 = state[6]; + s7 = state[7]; + s8 = state[8]; + s9 = state[9]; + s10 = state[10]; + s11 = state[11]; +#else + s0 = le_load_word32((const unsigned char *)(&(state[0]))); + s1 = le_load_word32((const unsigned char *)(&(state[1]))); + s2 = le_load_word32((const unsigned char *)(&(state[2]))); + s3 = le_load_word32((const unsigned char *)(&(state[3]))); + s4 = le_load_word32((const unsigned char *)(&(state[4]))); + s5 = le_load_word32((const unsigned char *)(&(state[5]))); + s6 = le_load_word32((const unsigned char *)(&(state[6]))); + s7 = le_load_word32((const unsigned char *)(&(state[7]))); + s8 = le_load_word32((const unsigned char *)(&(state[8]))); + s9 = le_load_word32((const unsigned char *)(&(state[9]))); + s10 = le_load_word32((const unsigned char *)(&(state[10]))); + s11 = le_load_word32((const unsigned char *)(&(state[11]))); +#endif + + /* Unroll and perform the rounds 4 at a time */ + for (round = 24; round > 0; round -= 4) { + /* Round 0: SP-box, small swap, add round constant */ + GIMLI24_SP(s0, s4, s8); + GIMLI24_SP(s1, s5, s9); + GIMLI24_SP(s2, s6, s10); + GIMLI24_SP(s3, s7, s11); + x = s0; + y = s2; + s0 = s1 ^ 0x9e377900U ^ round; + s1 = x; + s2 = s3; + s3 = y; + + /* Round 1: SP-box only */ + GIMLI24_SP(s0, s4, s8); + GIMLI24_SP(s1, s5, s9); + GIMLI24_SP(s2, s6, s10); + GIMLI24_SP(s3, s7, s11); + + /* Round 2: SP-box, big swap */ + GIMLI24_SP(s0, s4, s8); + GIMLI24_SP(s1, s5, s9); + GIMLI24_SP(s2, s6, s10); + GIMLI24_SP(s3, s7, s11); + x = s0; + y = s1; + s0 = s2; + s1 = s3; + s2 = x; + s3 = y; + + /* Round 3: SP-box only */ + GIMLI24_SP(s0, s4, s8); + GIMLI24_SP(s1, s5, s9); + GIMLI24_SP(s2, s6, s10); + GIMLI24_SP(s3, s7, s11); + } + + /* Convert state to little-endian if the platform is not little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state[0] = s0; + state[1] = s1; + state[2] = s2; + state[3] = s3; + state[4] = s4; + state[5] = s5; + state[6] = s6; + state[7] = s7; + state[8] = s8; + state[9] = s9; + state[10] = s10; + state[11] = s11; +#else + le_store_word32(((unsigned char *)(&(state[0]))), s0); + le_store_word32(((unsigned char *)(&(state[1]))), s1); + le_store_word32(((unsigned char *)(&(state[2]))), s2); + le_store_word32(((unsigned char *)(&(state[3]))), s3); + le_store_word32(((unsigned char *)(&(state[4]))), s4); + le_store_word32(((unsigned char *)(&(state[5]))), s5); + le_store_word32(((unsigned char *)(&(state[6]))), s6); + le_store_word32(((unsigned char *)(&(state[7]))), s7); + le_store_word32(((unsigned char *)(&(state[8]))), s8); + le_store_word32(((unsigned char *)(&(state[9]))), s9); + le_store_word32(((unsigned char *)(&(state[10]))), s10); + le_store_word32(((unsigned char *)(&(state[11]))), s11); +#endif +} diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.h new file mode 100644 index 0000000..c81ead1 --- /dev/null +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIMLI24_H +#define LW_INTERNAL_GIMLI24_H + +#include "internal-util.h" + +/** + * \file internal-gimli24.h + * \brief Internal implementation of the GIMLI-24 permutation. + * + * References: https://gimli.cr.yp.to/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Permutes the GIMLI-24 state. + * + * \param state The GIMLI-24 state to be permuted. + * + * The input and output \a state will be in little-endian byte order. + */ +void gimli24_permute(uint32_t state[12]); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-util.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.c b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/api.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/api.h new file mode 100644 index 0000000..32c9622 --- /dev/null +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/encrypt.c b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/encrypt.c new file mode 100644 index 0000000..2724d30 --- /dev/null +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "grain128.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return grain128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return grain128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.c b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.c new file mode 100644 index 0000000..fa41b64 --- /dev/null +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.c @@ -0,0 +1,151 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "grain128.h" +#include "internal-grain128.h" +#include + +aead_cipher_t const grain128_aead_cipher = { + "Grain-128AEAD", + GRAIN128_KEY_SIZE, + GRAIN128_NONCE_SIZE, + GRAIN128_TAG_SIZE, + AEAD_FLAG_NONE, + grain128_aead_encrypt, + grain128_aead_decrypt +}; + +/** + * \brief Encodes the associated data length in DER. + * + * \param buf The buffer to encode the length into. + * \param adlen The length of the associated data in bytes, which must be + * less than 2^32 to limit the length of the DER encoding to 5 bytes. + * + * \return The length of the DER encoding that was written to \a buf. + */ +static unsigned grain128_encode_adlen + (unsigned char buf[5], unsigned long long adlen) +{ + if (adlen < 0x80U) { + buf[0] = (unsigned char)adlen; + return 1; + } else if (adlen < 0x100U) { + buf[0] = 0x81; + buf[1] = (unsigned char)adlen; + return 2; + } else if (adlen < 0x10000U) { + buf[0] = 0x82; + buf[1] = (unsigned char)(adlen >> 8); + buf[2] = (unsigned char)adlen; + return 3; + } else if (adlen < 0x1000000U) { + buf[0] = 0x83; + buf[1] = (unsigned char)(adlen >> 16); + buf[2] = (unsigned char)(adlen >> 8); + buf[3] = (unsigned char)adlen; + return 4; + } else { + buf[0] = 0x84; + buf[1] = (unsigned char)(adlen >> 24); + buf[2] = (unsigned char)(adlen >> 16); + buf[3] = (unsigned char)(adlen >> 8); + buf[4] = (unsigned char)adlen; + return 5; + } +} + +int grain128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + grain128_state_t state; + unsigned char der[5]; + unsigned derlen; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + GRAIN128_TAG_SIZE; + + /* Limit the amount of associated data to make DER encoding easier */ + if (adlen >= 0x100000000ULL) + return -2; + + /* Initialize the Grain-128 stream cipher with the key and nonce */ + grain128_setup(&state, k, npub); + + /* Authenticate the associated data, prefixed with the DER-encoded length */ + derlen = grain128_encode_adlen(der, adlen); + grain128_authenticate(&state, der, derlen); + grain128_authenticate(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + grain128_encrypt(&state, c, m, mlen); + + /* Generate the authentication tag */ + grain128_compute_tag(&state); + memcpy(c + mlen, state.ks, GRAIN128_TAG_SIZE); + return 0; +} + +int grain128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + grain128_state_t state; + unsigned char der[5]; + unsigned derlen; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < GRAIN128_TAG_SIZE) + return -1; + *mlen = clen - GRAIN128_TAG_SIZE; + + /* Limit the amount of associated data to make DER encoding easier */ + if (adlen >= 0x100000000ULL) + return -2; + + /* Initialize the Grain-128 stream cipher with the key and nonce */ + grain128_setup(&state, k, npub); + + /* Authenticate the associated data, prefixed with the DER-encoded length */ + derlen = grain128_encode_adlen(der, adlen); + grain128_authenticate(&state, der, derlen); + grain128_authenticate(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= GRAIN128_TAG_SIZE; + grain128_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + grain128_compute_tag(&state); + return aead_check_tag(m, clen, state.ks, c + clen, GRAIN128_TAG_SIZE); +} diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.h new file mode 100644 index 0000000..c8d6de9 --- /dev/null +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/grain128.h @@ -0,0 +1,125 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_GRAIN128_H +#define LWCRYPTO_GRAIN128_H + +#include "aead-common.h" + +/** + * \file grain128.h + * \brief Grain-128AEAD authenticated encryption algorithm. + * + * Grain-128AEAD is an authenticated encryption algorithm based around a + * combination of a 128-bit linear feedback shift register (LFSR) and a + * 128-bit non-linear feedback shift register (NFSR). It is a member of + * the Grain family of stream ciphers. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Grain-128AEAD. + */ +#define GRAIN128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Grain-128AEAD. + */ +#define GRAIN128_TAG_SIZE 8 + +/** + * \brief Size of the nonce for Grain-128AEAD. + */ +#define GRAIN128_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Grain-128AEAD cipher. + */ +extern aead_cipher_t const grain128_aead_cipher; + +/** + * \brief Encrypts and authenticates a packet with Grain-128AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa grain128_aead_decrypt() + */ +int grain128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Grain-128AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa grain128_aead_encrypt() + */ +int grain128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.c b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.c new file mode 100644 index 0000000..d0d71ea --- /dev/null +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.c @@ -0,0 +1,411 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-grain128.h" + +/* Extracts 32 bits from the Grain state that are not word-aligned */ +#define GWORD(a, b, start_bit) \ + (((a) << ((start_bit) % 32)) ^ ((b) >> (32 - ((start_bit) % 32)))) + +/** + * \brief Performs 32 rounds of Grain-128 in parallel. + * + * \param state Grain-128 state. + * \param x 32 bits of input to be incorporated into the LFSR state, or zero. + * \param x2 Another 32 bits to be incorporated into the NFSR state, or zero. + */ +static void grain128_core + (grain128_state_t *state, uint32_t x, uint32_t x2) +{ + uint32_t s0, s1, s2, s3; + + /* From the Grain-128AEAD specification, the LFSR feedback algorithm is: + * + * s'[i] = s[i + 1] + * s'[127] = s[0] ^ s[7] ^ s[38] ^ s[70] ^ s[81] ^ s[96] ^ x + * + * The bits are numbered from the most significant bit in the first + * word of the LFSR state. Calculate the feedback bits 32 at a time. + */ + s0 = state->lfsr[0]; + s1 = state->lfsr[1]; + s2 = state->lfsr[2]; + s3 = state->lfsr[3]; + x ^= s0; /* s[0] */ + x ^= GWORD(s0, s1, 7); /* s[7] */ + x ^= GWORD(s1, s2, 38); /* s[38] */ + x ^= GWORD(s2, s3, 70); /* s[70] */ + x ^= GWORD(s2, s3, 81); /* s[81] */ + x ^= s3; /* s[96] */ + + /* Rotate the LFSR state left by 32 bits and feed s0 into the NFSR */ + state->lfsr[0] = s1; + state->lfsr[1] = s2; + state->lfsr[2] = s3; + state->lfsr[3] = x; + x2 ^= s0; + + /* Perform the NFSR feedback algorithm from the specification: + * + * b'[i] = b[i + 1] + * b'[127] = s'[127] ^ b[0] ^ b[26] ^ b[56] ^ b[91] ^ b[96] + * ^ (b[3] & b[67]) ^ (b[11] & b[13]) ^ (b[17] & b[18]) + * ^ (b[27] & b[59]) ^ (b[40] & b[48]) ^ (b[61] & b[65]) + * ^ (b[68] & b[84]) ^ (b[22] & b[24] & b[25]) + * ^ (b[70] & b[78] & b[82]) + * ^ (b[88] & b[92] & b[93] & b[95]) ^ x2 + * + * Once again, we calculate 32 feedback bits in parallel. + */ + s0 = state->nfsr[0]; + s1 = state->nfsr[1]; + s2 = state->nfsr[2]; + s3 = state->nfsr[3]; + x2 ^= s0; /* b[0] */ + x2 ^= GWORD(s0, s1, 26); /* b[26] */ + x2 ^= GWORD(s1, s2, 56); /* b[56] */ + x2 ^= GWORD(s2, s3, 91); /* b[91] */ + x2 ^= s3; /* b[96] */ + x2 ^= GWORD(s0, s1, 3) & GWORD(s2, s3, 67); /* b[3] & b[67] */ + x2 ^= GWORD(s0, s1, 11) & GWORD(s0, s1, 13); /* b[11] & b[13] */ + x2 ^= GWORD(s0, s1, 17) & GWORD(s0, s1, 18); /* b[17] & b[18] */ + x2 ^= GWORD(s0, s1, 27) & GWORD(s1, s2, 59); /* b[27] & b[59] */ + x2 ^= GWORD(s1, s2, 40) & GWORD(s1, s2, 48); /* b[40] & b[48] */ + x2 ^= GWORD(s1, s2, 61) & GWORD(s2, s3, 65); /* b[61] & b[65] */ + x2 ^= GWORD(s2, s3, 68) & GWORD(s2, s3, 84); /* b[68] & b[84] */ + x2 ^= GWORD(s0, s1, 22) & GWORD(s0, s1, 24) & /* b[22] & b[24] & b[25] */ + GWORD(s0, s1, 25); + x2 ^= GWORD(s2, s3, 70) & GWORD(s2, s3, 78) & /* b[70] & b[78] & b[82] */ + GWORD(s2, s3, 82); + x2 ^= GWORD(s2, s3, 88) & GWORD(s2, s3, 92) & /* b[88] & b[92] ... */ + GWORD(s2, s3, 93) & GWORD(s2, s3, 95); /* ... & b[93] & b[95] */ + + /* Rotate the NFSR state left by 32 bits */ + state->nfsr[0] = s1; + state->nfsr[1] = s2; + state->nfsr[2] = s3; + state->nfsr[3] = x2; +} + +/** + * \brief Generates 32 bits of pre-output data. + * + * \param state Grain-128 state. + * + * \return The generated 32 bits of pre-output data. + */ +static uint32_t grain128_preoutput(const grain128_state_t *state) +{ + uint32_t s0, s1, s2, s3; + uint32_t b0, b1, b2, b3; + uint32_t x0, x4, y; + + /* From the Grain-128AEAD specification, each pre-output bit y is given by: + * + * x[0..8] = b[12], s[8], s[13], s[20], b[95], + * s[42], s[60], s[79], s[94] + * h(x) = (x[0] & x[1]) ^ (x[2] & x[3]) ^ (x[4] & x[5]) + * ^ (x[6] & x[7]) ^ (x[0] & x[4] & x[8]) + * y = h(x) ^ s[93] ^ b[2] ^ b[15] ^ b[36] ^ b[45] + * ^ b[64] ^ b[73] ^ b[89] + * + * Calculate 32 pre-output bits in parallel. + */ + s0 = state->lfsr[0]; + s1 = state->lfsr[1]; + s2 = state->lfsr[2]; + s3 = state->lfsr[3]; + b0 = state->nfsr[0]; + b1 = state->nfsr[1]; + b2 = state->nfsr[2]; + b3 = state->nfsr[3]; + x0 = GWORD(b0, b1, 12); + x4 = GWORD(b2, b3, 95); + y = (x0 & GWORD(s0, s1, 8)); /* x[0] & x[1] */ + y ^= (GWORD(s0, s1, 13) & GWORD(s0, s1, 20)); /* x[2] & x[3] */ + y ^= (x4 & GWORD(s1, s2, 42)); /* x[4] & x[5] */ + y ^= (GWORD(s1, s2, 60) & GWORD(s2, s3, 79)); /* x[6] & x[7] */ + y ^= (x0 & x4 & GWORD(s2, s3, 94)); /* x[0] & x[4] & x[8] */ + y ^= GWORD(s2, s3, 93); /* s[93] */ + y ^= GWORD(b0, b1, 2); /* b[2] */ + y ^= GWORD(b0, b1, 15); /* b[15] */ + y ^= GWORD(b1, b2, 36); /* b[36] */ + y ^= GWORD(b1, b2, 45); /* b[45] */ + y ^= b2; /* b[64] */ + y ^= GWORD(b2, b3, 73); /* b[73] */ + y ^= GWORD(b2, b3, 89); /* b[89] */ + return y; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step_simple */ +#define bit_permute_step_simple(_y, mask, shift) \ + do { \ + (_y) = (((_y) & (mask)) << (shift)) | (((_y) >> (shift)) & (mask)); \ + } while (0) + +void grain128_setup + (grain128_state_t *state, const unsigned char *key, + const unsigned char *nonce) +{ + uint32_t k[4]; + unsigned round; + + /* Internally, the Grain-128 stream cipher uses big endian bit + * order, but the Grain-128AEAD specification for NIST uses little + * endian bit order. We need to swap the bits around when we load + * the bits of the key and the nonce. + * + * Permutation generated with "http://programming.sirrida.de/calcperm.php". + * + * P = [7 6 5 4 3 2 1 0 15 14 13 12 11 10 9 8 + * 23 22 21 20 19 18 17 16 31 30 29 28 27 26 25 24] + */ + #define SWAP_BITS(out, in) \ + do { \ + uint32_t tmp = (in); \ + bit_permute_step_simple(tmp, 0x55555555, 1); \ + bit_permute_step_simple(tmp, 0x33333333, 2); \ + bit_permute_step_simple(tmp, 0x0f0f0f0f, 4); \ + (out) = tmp; \ + } while (0) + + /* Initialize the LFSR state with the nonce and padding */ + SWAP_BITS(state->lfsr[0], be_load_word32(nonce)); + SWAP_BITS(state->lfsr[1], be_load_word32(nonce + 4)); + SWAP_BITS(state->lfsr[2], be_load_word32(nonce + 8)); + state->lfsr[3] = 0xFFFFFFFEU; /* pad with all-1s and a terminating 0 */ + + /* Initialize the NFSR state with the key */ + SWAP_BITS(k[0], be_load_word32(key)); + SWAP_BITS(k[1], be_load_word32(key + 4)); + SWAP_BITS(k[2], be_load_word32(key + 8)); + SWAP_BITS(k[3], be_load_word32(key + 12)); + state->nfsr[0] = k[0]; + state->nfsr[1] = k[1]; + state->nfsr[2] = k[2]; + state->nfsr[3] = k[3]; + + /* Perform 256 rounds of Grain-128 to mix up the initial state. + * The rounds can be performed 32 at a time: 32 * 8 = 256 */ + for (round = 0; round < 8; ++round) { + uint32_t y = grain128_preoutput(state); + grain128_core(state, y, y); + } + + /* Absorb the key into the state again and generate the initial + * state of the accumulator and the shift register */ + state->accum = ((uint64_t)(grain128_preoutput(state))) << 32; + grain128_core(state, k[0], 0); + state->accum |= grain128_preoutput(state); + grain128_core(state, k[1], 0); + state->sr = ((uint64_t)(grain128_preoutput(state))) << 32; + grain128_core(state, k[2], 0); + state->sr |= grain128_preoutput(state); + grain128_core(state, k[3], 0); + + /* No keystream data has been generated yet */ + state->posn = sizeof(state->ks); +} + +/** + * \brief Generates the next 16 byte block of keystream output data. + * + * \param state Grain-128 state. + */ +static void grain128_next_keystream(grain128_state_t *state) +{ + unsigned posn; + for (posn = 0; posn < sizeof(state->ks); posn += 4) { + /* Get the next word of pre-output and run the Grain-128 core */ + uint32_t x = grain128_preoutput(state); + grain128_core(state, 0, 0); + + /* Grain-128 uses big-endian bit order, but the NIST functions + * that are built on top of this use little-endian bit order. + * Swap the bits around so that they are ready for use later. + * + * We also need to separate the bits: even bits are used to encrypt + * and odd bits are used to authenticate. Shift them to separate + * bytes to make it easier to access the even and odd bits later. + * + * P = [7 15 6 14 5 13 4 12 3 11 2 10 1 9 0 8 + * 23 31 22 30 21 29 20 28 19 27 18 26 17 25 16 24] + */ + bit_permute_step(x, 0x11111111, 3); + bit_permute_step(x, 0x03030303, 6); + bit_permute_step(x, 0x000f000f, 12); + bit_permute_step_simple(x, 0x00ff00ff, 8); + be_store_word32(state->ks + posn, x); + } +} + +void grain128_authenticate + (grain128_state_t *state, const unsigned char *data, + unsigned long long len) +{ + unsigned char abyte; + unsigned char sbyte; + unsigned char bit; + uint64_t accum = state->accum; + uint64_t sr = state->sr; + unsigned posn = state->posn; + while (len > 0) { + /* Fetch the next byte to be authenticated */ + abyte = *data++; + --len; + + /* Request more keystream data if necessary */ + if (posn >= sizeof(state->ks)) { + grain128_next_keystream(state); + posn = 0; + } + + /* Get the next byte of keystream to add to the shift register. + * We use the odd bytes from the keystream and ignore even ones */ + sbyte = state->ks[posn + 1]; + posn += 2; + + /* XOR the shift register with the accumulator for each 1 bit + * in the byte that we are authenticating. And shift in the + * keystream byte we retrieved above */ + for (bit = 0; bit < 8; ++bit) { + accum ^= sr & (-((uint64_t)(abyte & 0x01))); + sr = (sr << 1) ^ (sbyte & 0x01); + abyte >>= 1; + sbyte >>= 1; + } + } + state->accum = accum; + state->sr = sr; + state->posn = posn; +} + +void grain128_encrypt + (grain128_state_t *state, unsigned char *c, const unsigned char *m, + unsigned long long len) +{ + unsigned char mbyte; + unsigned char sbyte; + unsigned char bit; + uint64_t accum = state->accum; + uint64_t sr = state->sr; + unsigned posn = state->posn; + while (len > 0) { + /* Fetch the next byte to be encrypted and authenticated */ + mbyte = *m++; + --len; + + /* Request more keystream data if necessary */ + if (posn >= sizeof(state->ks)) { + grain128_next_keystream(state); + posn = 0; + } + + /* Get the next two bytes of keystream data. The even byte is + * used to encrypt the input and the odd byte is shifted into + * the shift register for authentication purposes */ + *c++ = mbyte ^ state->ks[posn]; + sbyte = state->ks[posn + 1]; + posn += 2; + + /* XOR the shift register with the accumulator for each 1 bit + * in the plaintext byte that we are authenticating. And shift + * in the keystream byte we retrieved above */ + for (bit = 0; bit < 8; ++bit) { + accum ^= sr & (-((uint64_t)(mbyte & 0x01))); + sr = (sr << 1) ^ (sbyte & 0x01); + mbyte >>= 1; + sbyte >>= 1; + } + } + state->accum = accum; + state->sr = sr; + state->posn = posn; +} + +void grain128_decrypt + (grain128_state_t *state, unsigned char *m, const unsigned char *c, + unsigned long long len) +{ + unsigned char mbyte; + unsigned char sbyte; + unsigned char bit; + uint64_t accum = state->accum; + uint64_t sr = state->sr; + unsigned posn = state->posn; + while (len > 0) { + /* Fetch the next byte to be decrypted and authenticated */ + mbyte = *c++; + --len; + + /* Request more keystream data if necessary */ + if (posn >= sizeof(state->ks)) { + grain128_next_keystream(state); + posn = 0; + } + + /* Get the next two bytes of keystream data. The even byte is + * used to decrypt the input and the odd byte is shifted into + * the shift register for authentication purposes */ + mbyte ^= state->ks[posn]; + *m++ = mbyte; + sbyte = state->ks[posn + 1]; + posn += 2; + + /* XOR the shift register with the accumulator for each 1 bit + * in the plaintext byte that we are authenticating. And shift + * in the keystream byte we retrieved above */ + for (bit = 0; bit < 8; ++bit) { + accum ^= sr & (-((uint64_t)(mbyte & 0x01))); + sr = (sr << 1) ^ (sbyte & 0x01); + mbyte >>= 1; + sbyte >>= 1; + } + } + state->accum = accum; + state->sr = sr; + state->posn = posn; +} + +void grain128_compute_tag(grain128_state_t *state) +{ + uint64_t x; + + /* Authenticate a final 1 bit as padding on the stream */ + state->accum ^= state->sr; + + /* Swap the bits of the accumulator into little endian + * order and write them to the keystream buffer */ + x = state->accum; + bit_permute_step_simple(x, 0x5555555555555555ULL, 1); + bit_permute_step_simple(x, 0x3333333333333333ULL, 2); + bit_permute_step_simple(x, 0x0f0f0f0f0f0f0f0fULL, 4); + be_store_word64(state->ks, x); +} diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.h new file mode 100644 index 0000000..4c3a6e4 --- /dev/null +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-grain128.h @@ -0,0 +1,113 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GRAIN128_H +#define LW_INTERNAL_GRAIN128_H + +#include "internal-util.h" + +/** + * \file internal-grain128.h + * \brief Internal implementation of the Grain-128 stream cipher. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Representation of the state of Grain-128. + * + * Note: The specification numbers bits starting with the most significant, + * so bit 0 is in the highest bit of the first word of each field below. + */ +typedef struct +{ + uint32_t lfsr[4]; /**< 128-bit LFSR state for Grain-128 */ + uint32_t nfsr[4]; /**< 128-bit NFSR state for Grain-128 */ + uint64_t accum; /**< 64-bit accumulator for authentication */ + uint64_t sr; /**< 64-bit shift register for authentication */ + unsigned char ks[16]; /**< Keystream block for auth or encrypt mode */ + unsigned posn; /**< Current position within the keystream */ + +} grain128_state_t; + +/** + * \brief Sets up the initial Grain-128 state with the key and nonce. + * + * \param state Grain-128 state to be initialized. + * \param key Points to the 128-bit key. + * \param nonce Points to the 96-bit nonce. + */ +void grain128_setup + (grain128_state_t *state, const unsigned char *key, + const unsigned char *nonce); + +/** + * \brief Authenticates data with Grain-128. + * + * \param state Grain-128 state. + * \param data Points to the data to be authenticated. + * \param len Length of the data to be authenticated. + */ +void grain128_authenticate + (grain128_state_t *state, const unsigned char *data, + unsigned long long len); + +/** + * \brief Encrypts and authenticates data with Grain-128. + * + * \param state Grain-128 state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param len Length of the data to be encrypted. + */ +void grain128_encrypt + (grain128_state_t *state, unsigned char *c, const unsigned char *m, + unsigned long long len); + +/** + * \brief Decrypts and authenticates data with Grain-128. + * + * \param state Grain-128 state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param len Length of the data to be decrypted. + */ +void grain128_decrypt + (grain128_state_t *state, unsigned char *m, const unsigned char *c, + unsigned long long len); + +/** + * \brief Computes the final authentiation tag. + * + * \param state Grain-128 state. + * + * The final authentication tag is written to the first 8 bytes of state->ks. + */ +void grain128_compute_tag(grain128_state_t *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-util.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.c b/hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.h b/hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/api.h b/hyena/Implementations/crypto_aead/hyenav1/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/encrypt.c b/hyena/Implementations/crypto_aead/hyenav1/rhys/encrypt.c new file mode 100644 index 0000000..db50784 --- /dev/null +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "hyena.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return hyena_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return hyena_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.c b/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.c new file mode 100644 index 0000000..3af79fa --- /dev/null +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.c @@ -0,0 +1,283 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "hyena.h" +#include "internal-gift128.h" +#include "internal-util.h" +#include + +aead_cipher_t const hyena_cipher = { + "HYENA", + HYENA_KEY_SIZE, + HYENA_NONCE_SIZE, + HYENA_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + hyena_aead_encrypt, + hyena_aead_decrypt +}; + +/** + * \brief Doubles a delta value in the F(2^64) field. + * + * \param D The delta value to be doubled. + * + * D = D << 1 if the top-most bit is 0, or D = (D << 1) ^ 0x1B otherwise. + */ +static void hyena_double_delta(unsigned char D[8]) +{ + unsigned index; + unsigned char mask = (unsigned char)(((signed char)(D[0])) >> 7); + for (index = 0; index < 7; ++index) + D[index] = (D[index] << 1) | (D[index + 1] >> 7); + D[7] = (D[7] << 1) ^ (mask & 0x1B); +} + +/** + * \brief Process the associated data for HYENA. + * + * \param ks Key schedule for the GIFT-128 cipher. + * \param Y Internal hash state of HYENA. + * \param D Internal hash state of HYENA. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void hyena_process_ad + (const gift128n_key_schedule_t *ks, unsigned char Y[16], + unsigned char D[8], const unsigned char *ad, + unsigned long long adlen) +{ + unsigned char feedback[16]; + hyena_double_delta(D); + while (adlen > 16) { + memcpy(feedback, ad, 16); + lw_xor_block(feedback + 8, Y + 8, 8); + lw_xor_block(feedback + 8, D, 8); + lw_xor_block(Y, feedback, 16); + gift128n_encrypt(ks, Y, Y); + hyena_double_delta(D); + ad += 16; + adlen -= 16; + } + if (adlen == 16) { + hyena_double_delta(D); + memcpy(feedback, ad, 16); + lw_xor_block(feedback + 8, Y + 8, 8); + lw_xor_block(feedback + 8, D, 8); + lw_xor_block(Y, feedback, 16); + } else { + unsigned temp = (unsigned)adlen; + hyena_double_delta(D); + hyena_double_delta(D); + memcpy(feedback, ad, temp); + feedback[temp] = 0x01; + memset(feedback + temp + 1, 0, 15 - temp); + if (temp > 8) + lw_xor_block(feedback + 8, Y + 8, temp - 8); + lw_xor_block(feedback + 8, D, 8); + lw_xor_block(Y, feedback, 16); + } +} + +int hyena_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + gift128n_key_schedule_t ks; + unsigned char Y[16]; + unsigned char D[8]; + unsigned char feedback[16]; + unsigned index; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + HYENA_TAG_SIZE; + + /* Set up the key schedule and use it to encrypt the nonce */ + if (!gift128n_init(&ks, k, HYENA_KEY_SIZE)) + return -1; + Y[0] = 0; + if (adlen == 0) + Y[0] |= 0x01; + if (adlen == 0 && mlen == 0) + Y[0] |= 0x02; + Y[1] = 0; + Y[2] = 0; + Y[3] = 0; + memcpy(Y + 4, npub, HYENA_NONCE_SIZE); + gift128n_encrypt(&ks, Y, Y); + memcpy(D, Y + 8, 8); + + /* Process the associated data */ + hyena_process_ad(&ks, Y, D, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > 16) { + gift128n_encrypt(&ks, Y, Y); + hyena_double_delta(D); + memcpy(feedback, m, 16); + lw_xor_block(feedback + 8, Y + 8, 8); + lw_xor_block(feedback + 8, D, 8); + lw_xor_block_2_src(c, m, Y, 16); + lw_xor_block(Y, feedback, 16); + c += 16; + m += 16; + mlen -= 16; + } + gift128n_encrypt(&ks, Y, Y); + if (mlen == 16) { + hyena_double_delta(D); + hyena_double_delta(D); + memcpy(feedback, m, 16); + lw_xor_block(feedback + 8, Y + 8, 8); + lw_xor_block(feedback + 8, D, 8); + lw_xor_block_2_src(c, m, Y, 16); + lw_xor_block(Y, feedback, 16); + c += 16; + } else { + unsigned temp = (unsigned)mlen; + hyena_double_delta(D); + hyena_double_delta(D); + hyena_double_delta(D); + memcpy(feedback, m, temp); + feedback[temp] = 0x01; + memset(feedback + temp + 1, 0, 15 - temp); + if (temp > 8) + lw_xor_block(feedback + 8, Y + 8, temp - 8); + lw_xor_block(feedback + 8, D, 8); + lw_xor_block_2_src(c, m, Y, temp); + lw_xor_block(Y, feedback, 16); + c += temp; + } + } + + /* Swap the two halves of Y and generate the authentication tag */ + for (index = 0; index < 8; ++index) { + unsigned char temp1 = Y[index]; + unsigned char temp2 = Y[index + 8]; + Y[index] = temp2; + Y[index + 8] = temp1; + } + gift128n_encrypt(&ks, c, Y); + return 0; +} + +int hyena_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + gift128n_key_schedule_t ks; + unsigned char Y[16]; + unsigned char D[8]; + unsigned char feedback[16]; + unsigned char *mtemp; + unsigned index; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < HYENA_TAG_SIZE) + return -1; + *mlen = clen - HYENA_TAG_SIZE; + + /* Set up the key schedule and use it to encrypt the nonce */ + if (!gift128n_init(&ks, k, HYENA_KEY_SIZE)) + return -1; + Y[0] = 0; + if (adlen == 0) + Y[0] |= 0x01; + if (adlen == 0 && clen == HYENA_TAG_SIZE) + Y[0] |= 0x02; + Y[1] = 0; + Y[2] = 0; + Y[3] = 0; + memcpy(Y + 4, npub, HYENA_NONCE_SIZE); + gift128n_encrypt(&ks, Y, Y); + memcpy(D, Y + 8, 8); + + /* Process the associated data */ + hyena_process_ad(&ks, Y, D, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= HYENA_TAG_SIZE; + mtemp = m; + if (clen > 0) { + while (clen > 16) { + gift128n_encrypt(&ks, Y, Y); + hyena_double_delta(D); + memcpy(feedback + 8, c + 8, 8); + lw_xor_block_2_src(m, c, Y, 16); + memcpy(feedback, m, 8); + lw_xor_block(feedback + 8, D, 8); + lw_xor_block(Y, feedback, 16); + c += 16; + m += 16; + clen -= 16; + } + gift128n_encrypt(&ks, Y, Y); + if (clen == 16) { + hyena_double_delta(D); + hyena_double_delta(D); + memcpy(feedback + 8, c + 8, 8); + lw_xor_block_2_src(m, c, Y, 16); + memcpy(feedback, m, 8); + lw_xor_block(feedback + 8, D, 8); + lw_xor_block(Y, feedback, 16); + c += 16; + } else { + unsigned temp = (unsigned)clen; + hyena_double_delta(D); + hyena_double_delta(D); + hyena_double_delta(D); + if (temp > 8) { + memcpy(feedback + 8, c + 8, temp - 8); + lw_xor_block_2_src(m, c, Y, temp); + memcpy(feedback, m, 8); + } else { + lw_xor_block_2_src(m, c, Y, temp); + memcpy(feedback, m, temp); + } + feedback[temp] = 0x01; + memset(feedback + temp + 1, 0, 15 - temp); + lw_xor_block(feedback + 8, D, 8); + lw_xor_block(Y, feedback, 16); + c += temp; + } + } + + /* Swap the two halves of Y and check the authentication tag */ + for (index = 0; index < 8; ++index) { + unsigned char temp1 = Y[index]; + unsigned char temp2 = Y[index + 8]; + Y[index] = temp2; + Y[index + 8] = temp1; + } + gift128n_encrypt(&ks, Y, Y); + return aead_check_tag(mtemp, *mlen, Y, c, HYENA_TAG_SIZE); +} diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.h b/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.h new file mode 100644 index 0000000..ee9bb9c --- /dev/null +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.h @@ -0,0 +1,126 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_HYENA_H +#define LWCRYPTO_HYENA_H + +#include "aead-common.h" + +/** + * \file hyena.h + * \brief HYENA authenticated encryption algorithm. + * + * HYENA is an authenticated encryption algorithm that is built around the + * GIFT-128 block cipher. The algorithm has a 128-bit key, a 96-bit nonce, + * and a 128-bit authentication tag. + * + * References: https://www.isical.ac.in/~lightweight/hyena/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for HYENA. + */ +#define HYENA_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for HYENA. + */ +#define HYENA_TAG_SIZE 16 + +/** + * \brief Size of the nonce for HYENA. + */ +#define HYENA_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the HYENA cipher. + */ +extern aead_cipher_t const hyena_cipher; + +/** + * \brief Encrypts and authenticates a packet with HYENA. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa hyena_aead_decrypt() + */ +int hyena_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with HYENA. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa hyena_aead_encrypt() + */ +int hyena_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.c b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.c new file mode 100644 index 0000000..681dbc8 --- /dev/null +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.c @@ -0,0 +1,849 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gift128.h" +#include "internal-util.h" + +/* Round constants for GIFT-128 in the fixsliced representation */ +static uint32_t const GIFT128_RC[40] = { + 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, + 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, + 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, + 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, + 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, + 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, + 0xc001a000, 0x14500002, 0x01020181, 0x8000001a +}; + +/** + * \brief Swaps bits within two words. + * + * \param a The first word. + * \param b The second word. + * \param mask Mask for the bits to shift. + * \param shift Shift amount in bits. + */ +#define gift128b_swap_move(a, b, mask, shift) \ + do { \ + uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ + (b) ^= tmp; \ + (a) ^= tmp << (shift); \ + } while (0) + +/** + * \brief Derives the next 10 fixsliced keys in the key schedule. + * + * \param next Points to the buffer to receive the next 10 keys. + * \param prev Points to the buffer holding the previous 10 keys. + * + * The \a next and \a prev buffers are allowed to be the same. + */ +#define gift128b_derive_keys(next, prev) \ + do { \ + /* Key 0 */ \ + uint32_t s = (prev)[0]; \ + uint32_t t = (prev)[1]; \ + gift128b_swap_move(t, t, 0x00003333U, 16); \ + gift128b_swap_move(t, t, 0x55554444U, 1); \ + (next)[0] = t; \ + /* Key 1 */ \ + s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ + gift128b_swap_move(s, s, 0x55551100U, 1); \ + (next)[1] = s; \ + /* Key 2 */ \ + s = (prev)[2]; \ + t = (prev)[3]; \ + (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ + ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ + /* Key 3 */ \ + (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ + ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ + /* Key 4 */ \ + s = (prev)[4]; \ + t = (prev)[5]; \ + (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ + leftRotate16(t & 0x55555555U); \ + /* Key 5 */ \ + (next)[5] = leftRotate8(s & 0x55555555U) | \ + leftRotate12(s & 0xAAAAAAAAU); \ + /* Key 6 */ \ + s = (prev)[6]; \ + t = (prev)[7]; \ + (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ + ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ + /* Key 7 */ \ + (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ + ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ + ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ + /* Key 8 */ \ + s = (prev)[8]; \ + t = (prev)[9]; \ + (next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ + ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ + /* Key 9 */ \ + (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ + ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ + } while (0) + +/** + * \brief Compute the round keys for GIFT-128 in the fixsliced representation. + * + * \param ks Points to the key schedule to initialize. + * \param k0 First key word. + * \param k1 Second key word. + * \param k2 Third key word. + * \param k3 Fourth key word. + */ +static void gift128b_compute_round_keys + (gift128b_key_schedule_t *ks, + uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) +{ + unsigned index; + uint32_t temp; + + /* Set the regular key with k0 and k3 pre-swapped for the round function */ + ks->k[0] = k3; + ks->k[1] = k1; + ks->k[2] = k2; + ks->k[3] = k0; + + /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ + for (index = 4; index < 20; index += 2) { + ks->k[index] = ks->k[index - 3]; + temp = ks->k[index - 4]; + temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + ks->k[index + 1] = temp; + } + for (index = 0; index < 20; index += 10) { + /* Keys 0 and 10 */ + temp = ks->k[index]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index] = temp; + + /* Keys 1 and 11 */ + temp = ks->k[index + 1]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 1] = temp; + + /* Keys 2 and 12 */ + temp = ks->k[index + 2]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 2] = temp; + + /* Keys 3 and 13 */ + temp = ks->k[index + 3]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 3] = temp; + + /* Keys 4 and 14 */ + temp = ks->k[index + 4]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 4] = temp; + + /* Keys 5 and 15 */ + temp = ks->k[index + 5]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 5] = temp; + + /* Keys 6 and 16 */ + temp = ks->k[index + 6]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 6] = temp; + + /* Keys 7 and 17 */ + temp = ks->k[index + 7]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 7] = temp; + + /* Keys 8, 9, 18, and 19 do not need any adjustment */ + } + + /* Derive the fixsliced keys for the remaining rounds 11..40 */ + for (index = 20; index < 80; index += 10) { + gift128b_derive_keys(ks->k + index, ks->k + index - 20); + } +} + +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, be_load_word32(key), be_load_word32(key + 4), + be_load_word32(key + 8), be_load_word32(key + 12)); + return 1; +} + +/** + * \brief Performs the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_sbox(s0, s1, s2, s3) \ + do { \ + s1 ^= s0 & s2; \ + s0 ^= s1 & s3; \ + s2 ^= s0 | s1; \ + s3 ^= s2; \ + s1 ^= s3; \ + s3 ^= 0xFFFFFFFFU; \ + s2 ^= s0 & s1; \ + } while (0) + +/** + * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_sbox(s0, s1, s2, s3) \ + do { \ + s2 ^= s3 & s1; \ + s0 ^= 0xFFFFFFFFU; \ + s1 ^= s0; \ + s0 ^= s2; \ + s2 ^= s3 | s1; \ + s3 ^= s1 & s0; \ + s1 ^= s3 & s2; \ + } while (0) + +/** + * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ + s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s3 = leftRotate16(s3); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = rightRotate8(s2); \ + s3 = leftRotate8(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ + s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + s3 = leftRotate16(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = leftRotate8(s2); \ + s3 = rightRotate8(s3); \ + } while (0); + +/** + * \brief Performs five fixsliced encryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of five rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 5 rounds. + */ +#define gift128b_encrypt_5_rounds(rk, rc) \ + do { \ + /* 1st round - S-box, rotate left, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_1(s0, s1, s2, s3); \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + \ + /* 2nd round - S-box, rotate up, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_2(s0, s1, s2, s3); \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_3(s0, s1, s2, s3); \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + \ + /* 4th round - S-box, rotate left and swap rows, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_4(s0, s1, s2, s3); \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + \ + /* 5th round - S-box, rotate up, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_5(s0, s1, s2, s3); \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + \ + /* Swap s0 and s3 in preparation for the next 1st round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + } while (0) + +/** + * \brief Performs five fixsliced decryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + */ +#define gift128b_decrypt_5_rounds(rk, rc) \ + do { \ + /* Swap s0 and s3 in preparation for the next 5th round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + \ + /* 5th round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + gift128b_inv_permute_state_5(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 4th round - S-box, rotate right and swap rows, add round key */ \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + gift128b_inv_permute_state_4(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + gift128b_inv_permute_state_3(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 2nd round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + gift128b_inv_permute_state_2(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 1st round - S-box, rotate right, add round key */ \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + gift128b_inv_permute_state_1(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + } while (0) + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + /* Use the little-endian key byte order from the HYENA submission */ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); + return 1; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +/* 4-bit tweak values expanded to 32-bit */ +static uint32_t const GIFT128_tweaks[16] = { + 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, + 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, + 0x78787878, 0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, + 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff +}; + +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the ciphertext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the first we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the plaintext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.h b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.h new file mode 100644 index 0000000..1ac40e5 --- /dev/null +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.h @@ -0,0 +1,229 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT128_H +#define LW_INTERNAL_GIFT128_H + +/** + * \file internal-gift128.h + * \brief GIFT-128 block cipher. + * + * There are three versions of GIFT-128 in use within the second round + * submissions to the NIST lightweight cryptography competition. + * + * The most efficient version for 32-bit software implementation is the + * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. + * + * The second is the nibble-based version from HYENA. We implement the + * HYENA version as a wrapper around the bit-sliced version. + * + * The third version is a variant on the HYENA nibble-based version that + * includes a 4-bit tweak value for domain separation. It is used by + * the ESTATE submission to NIST. + * + * Technically there is a fourth version of GIFT-128 which is the one that + * appeared in the original GIFT-128 paper. It is almost the same as the + * HYENA version except that the byte ordering is big-endian instead of + * HYENA's little-endian. The original version of GIFT-128 doesn't appear + * in any of the NIST submissions so we don't bother with it in this library. + * + * References: https://eprint.iacr.org/2017/622.pdf, + * https://giftcipher.github.io/gift/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a GIFT-128 block in bytes. + */ +#define GIFT128_BLOCK_SIZE 16 + +/** + * \brief Number of round keys for the fixsliced representation of GIFT-128. + */ +#define GIFT128_ROUND_KEYS 80 + +/** + * \brief Structure of the key schedule for GIFT-128 (bit-sliced). + */ +typedef struct +{ + /** Pre-computed round keys in the fixsliced form */ + uint32_t k[GIFT128_ROUND_KEYS]; + +} gift128b_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (bit-sliced). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version assumes that the input has already been pre-loaded from + * big-endian into host byte order in the supplied word array. The output + * is delivered in the same way. + */ +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Structure of the key schedule for GIFT-128 (nibble-based). + */ +typedef gift128b_key_schedule_t gift128n_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (nibble-based). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +/** + * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-util.h b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/LWC_AEAD_KAT_128_128.txt b/isap/Implementations/crypto_aead/isapa128av20/LWC_AEAD_KAT_128_128.txt new file mode 100644 index 0000000..14d9e21 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/LWC_AEAD_KAT_128_128.txt @@ -0,0 +1,7623 @@ +Count = 1 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = +CT = 7B94EF35AE55AB272C9C44D6C1CF0102 + +Count = 2 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00 +CT = 40FEAD6FDF1C2D6D6EAE40DEDDFF9F55 + +Count = 3 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001 +CT = CFCFA290EF310E3AC17F94E5FB6A6CB5 + +Count = 4 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102 +CT = 6DCFE6F0AA3C033088ECC0B510A04621 + +Count = 5 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203 +CT = 7EB2B5F0E99C87481B0D2B9EED843A6E + +Count = 6 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304 +CT = DF2A631E42081B3484F88111E885102A + +Count = 7 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405 +CT = 426624B11EFA922063FFA2819D07B833 + +Count = 8 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506 +CT = E1634C37D738296C4D451010628F5A68 + +Count = 9 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304050607 +CT = 7AE5F96BD1AE7F5B08FA85177750B6B3 + +Count = 10 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708 +CT = A510A73839FD7778A28C57597D553835 + +Count = 11 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506070809 +CT = 2A6734132A1A441D73595388ED99645A + +Count = 12 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A +CT = 195F687994F5D96E447218820AF2E564 + +Count = 13 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B +CT = 5A2CBEA8CD9BCCD9DC7AE883A0DDF1A5 + +Count = 14 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C +CT = 03805BB0A39DB5257D38758C57C5E1AF + +Count = 15 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D +CT = 647E6DE047568F7653DF4475EE7EE197 + +Count = 16 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E +CT = 33746E6FE412644C136A086978C098A0 + +Count = 17 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F +CT = 0F6C019E38CE48BD96C92E04DEDCE839 + +Count = 18 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 7D9AFEA7387AA4E2FEE43B656DF1F7CE + +Count = 19 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 323771011AF75827561378B54C346766 + +Count = 20 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = BDFEA6AA74EF2DCE9A40565F51774879 + +Count = 21 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 70E8D7AFAA6A932E1A735F9E92A78616 + +Count = 22 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 5965D02D9E8AEF127C989A411DC6CAF8 + +Count = 23 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = C19B1B8CC1B30A54FBF44CC38ED74C71 + +Count = 24 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 9A00715C9B0F13EE41260F0694F8082D + +Count = 25 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = A44BF6EAD69B12BE91E5FC36BB213D78 + +Count = 26 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 8D80A93216387DB161710881D05DC84F + +Count = 27 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 72134A43A2F5882DBAFC7CB35F0C8A48 + +Count = 28 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 031B61608B40F2622D03361A3B66C08B + +Count = 29 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 79F8D5D5B0F26435975719C080F89586 + +Count = 30 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 8CC301CA674CAA17775671B8722E3DBB + +Count = 31 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = D851AF19E33AE33AA661A8ED64A38434 + +Count = 32 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 492E0B743D4B1A209414431158083DA2 + +Count = 33 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 0FD7B1D873F0F0F8D5B6DD32D0CE3009 + +Count = 34 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = +CT = 2CFACF138C6FDBBCC8763A7205FD66316D + +Count = 35 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00 +CT = 2C4522C1765C743B9D0FD335AC4BBAEB45 + +Count = 36 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001 +CT = 2CABFC2912506FF9136DC27DF1DD48D9D8 + +Count = 37 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102 +CT = 2C9B7F0A598A5B0EE0F7D0BABCC9FA303E + +Count = 38 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203 +CT = 2C1B6828AFAD4E01993ABD6480239E1DEE + +Count = 39 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304 +CT = 2C874BF2DA05394C04E93C83777716661A + +Count = 40 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405 +CT = 2C9B5D1FCCF2B25056E3FCEC341FE5F6D7 + +Count = 41 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506 +CT = 2C9D161B0730C571130FB00B17A7149099 + +Count = 42 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304050607 +CT = 2CAD812235FAE6C6F35436CC98E6E38868 + +Count = 43 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708 +CT = 2CFE0D595478B7481A543F85CB01890B71 + +Count = 44 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506070809 +CT = 2C6C49233315DA8B9A499AA55425C51AF3 + +Count = 45 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A +CT = 2C5B5C3865DFE4E94E37D795C4194E62D8 + +Count = 46 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B +CT = 2C04327C849CACE95ED64F8AB23751DD6A + +Count = 47 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C +CT = 2CF9AA260A6353BB97992E45A0258BEE05 + +Count = 48 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D +CT = 2CAB26252FE18672E335A7EA51F636D275 + +Count = 49 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E +CT = 2C6E252A9C557D629295F31B86CC563A87 + +Count = 50 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2C97705FEA7D1E16F9299204483F65AA11 + +Count = 51 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2C2C3252AB93747ABCDDE83ADDD9B9BA2A + +Count = 52 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2C4D13818D2E536A32DC151BA6D41583E8 + +Count = 53 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2C8B12B7FC6448B2D37EC90CBBC1C15FC6 + +Count = 54 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2C5E2AC4325E4961F7CED515DB28340D62 + +Count = 55 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2C73AF654AB63E8ABE6E7E325B0134FBF5 + +Count = 56 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2C8FD5BF337E5C76D91B7287BC6546F5B2 + +Count = 57 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2C66C660556B16CB62E92B8B88F641E153 + +Count = 58 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CA97649FBECCF792708796DA5223F8C83 + +Count = 59 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CFE733D270EBC8DD121280465DE6BDB22 + +Count = 60 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2C689E4F4026CFC87FFA3548C0501B50EE + +Count = 61 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2C1F8A62677F763F39D9C4FB602BCA5BAB + +Count = 62 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2C11FB4EF7E999AE09EB704635C2945865 + +Count = 63 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CC18B65539D61DF2BC506657C6A6FB6B2 + +Count = 64 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2C10E714D8B23B3EDFED28A4FDF361F626 + +Count = 65 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CA245C3E398A9B83E65075AE28A9AEBEA + +Count = 66 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CE05615570495AD908FE230D00D9CC0D6 + +Count = 67 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = +CT = 2CDEC77B90FE11E2CCA0BD535AEAF2344709 + +Count = 68 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00 +CT = 2CDE0E1D9882193D7E84EF85FCEE265B3BA0 + +Count = 69 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001 +CT = 2CDEEA6E3BE4353F7448FF940ABAC08D9D06 + +Count = 70 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102 +CT = 2CDEDE537D72CF39B1907F0AEC8C96E1E024 + +Count = 71 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203 +CT = 2CDE8C7899695BEFF19186DBDC78C76682B4 + +Count = 72 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304 +CT = 2CDE4FBE55EC204CDAE48F1E6EED320DC1E2 + +Count = 73 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405 +CT = 2CDE3B54B8813F9A029C64762751EE895A03 + +Count = 74 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506 +CT = 2CDEBD8BA52F5C4E28F0244879EA02D7273B + +Count = 75 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304050607 +CT = 2CDEDA452D80CD5299C4BAF6749615A4C584 + +Count = 76 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708 +CT = 2CDEB00F38EC0867F450F98C8DB5FA34D313 + +Count = 77 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506070809 +CT = 2CDE59F166F1C62F3FDF96E8A1945477D59C + +Count = 78 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A +CT = 2CDE101FC592F563C7CC9D714EB7DA9C25D9 + +Count = 79 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B +CT = 2CDEA967C9AA70DF3A7D960A1420A446A08E + +Count = 80 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C +CT = 2CDE6509893AA367A6E6A4862C1BD9DBA216 + +Count = 81 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D +CT = 2CDE8547A9FF896851EAB63D07848D6DE8E4 + +Count = 82 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDED70433B7204D2094582E4785A5FF659E + +Count = 83 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDEF22596228D6E6E31F92CBCACF3232510 + +Count = 84 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE90F4A1707F5850BCB2C6EF3F3CB08936 + +Count = 85 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE46ADCA338E00D9A7DA0915F6DE63D85A + +Count = 86 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDEB13AB235A5D46E2F9050BE3B0EDF9F31 + +Count = 87 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE8DD93270E11F7196259B05482B1205EA + +Count = 88 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE054A926FE503EB3824E9C450982935D4 + +Count = 89 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDEFF031D2C0D7B88AE59AD9A26DDF7B850 + +Count = 90 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE0390BBD12E4FCCC92A80741E45831170 + +Count = 91 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDEECBB2258E3A6AF2E37C8A69913DFBB0E + +Count = 92 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE47D658DF2ED4D0F8BE9061793D46D196 + +Count = 93 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE7E15FEB68672390FF3C92F26C65A903E + +Count = 94 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDEC4CE1DB346E2CDAE816F0FECDDAF5AA7 + +Count = 95 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDEF6766636F014EF10A6D966077905EBC6 + +Count = 96 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE3C1EE523F38DAFB44F5AA080AA44267F + +Count = 97 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDEAAFF9699B736E55C7613B3BF38CB4EA3 + +Count = 98 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE42C7711EFDF8293A106D62D925FBA3BA + +Count = 99 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE62C20AD95880F81ADBB861B1629B9558 + +Count = 100 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = +CT = 2CDE2857024E1B8FE9E3780581B68F505A423E + +Count = 101 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00 +CT = 2CDE28C9B00030368E541382494F3150883231 + +Count = 102 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001 +CT = 2CDE284254554F5D30B528D3DC6DFDB1D136EF + +Count = 103 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102 +CT = 2CDE286AED9172F716383CD7B0824BA8507390 + +Count = 104 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203 +CT = 2CDE282010B7656C208038CCEEE1B423BEA303 + +Count = 105 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304 +CT = 2CDE28E4F87869CAE592171BB7692392983844 + +Count = 106 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405 +CT = 2CDE286B2B247E724EFD31276E4D284CC31006 + +Count = 107 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506 +CT = 2CDE28C7535777FE9A4387A3874FF1084FE83D + +Count = 108 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304050607 +CT = 2CDE288577C09256A94E80F85565B36F94B419 + +Count = 109 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708 +CT = 2CDE2856A12D0146EF93DF643064A3490D13BF + +Count = 110 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506070809 +CT = 2CDE2832E19248493797B5B25B8207D5055C09 + +Count = 111 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A +CT = 2CDE28497B6CC277366647B258E7BDA436D715 + +Count = 112 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B +CT = 2CDE28E6D1844B9AE58D4970E7546D403BE408 + +Count = 113 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C +CT = 2CDE2831071909BA039192001D8548D86CA9BF + +Count = 114 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28B0AE521AC5BD66E03FAEBC88201A0BF0 + +Count = 115 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28AA2A10A873007242AED062E2BAFC5947 + +Count = 116 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28031AA0CD1395CF262B9AA431CA8C9AC6 + +Count = 117 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE282B094D11F131FB61B24C702864F2EBCF + +Count = 118 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28E6D5E86BE90B1EB64DC0DC83F5C095DC + +Count = 119 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28841032F2D8983140E04175FF1AC5F514 + +Count = 120 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28FB6F942D96395E6A3395A9E46D65D738 + +Count = 121 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE288320FD2EF8AAEDDD9D62BFD0221A42B0 + +Count = 122 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE2857E6842AD572ECC12869CD8F2EA4533C + +Count = 123 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE288E08FFD326094A71626E6EAF55BC7785 + +Count = 124 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE283899D225AA2DA3F25C6679FDA12B3DD0 + +Count = 125 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28C9D751C98C2039C74947636780D6C7AD + +Count = 126 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28A8AB876D4AD7825DCB974F662038959B + +Count = 127 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE284B334900CA8BB1BB870312B0BD6F67FB + +Count = 128 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DCEF02E0B3B817708966605BCC4CDBBD + +Count = 129 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE2826D5705699B29E9B2AEBE7BD6A05C6A4 + +Count = 130 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28FEBD2D8AB8DD83EE53F6B1FFFD4BEDAD + +Count = 131 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28FFA1F7226721C26CB9436CEE4B2A45E6 + +Count = 132 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE2825549FB71AAF43BD351BCA3D88E4EF0E + +Count = 133 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = +CT = 2CDE28DB0F0F144EE19A84BF8C639AD5802854D2 + +Count = 134 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00 +CT = 2CDE28DBFD2DACEA4B18FF83CB627D0DFC91A0AD + +Count = 135 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001 +CT = 2CDE28DB0F2B993296BD82BB7E1EBCE9D4B9D238 + +Count = 136 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102 +CT = 2CDE28DBDD1F42D621A8C6A110F67545E6087E0F + +Count = 137 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203 +CT = 2CDE28DB59846FB3B0E3A66EFD5FC50B7F397A22 + +Count = 138 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304 +CT = 2CDE28DBDA22A87918E2F39D0D03E2F0842ABD97 + +Count = 139 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405 +CT = 2CDE28DBEB53205C555E6FC4C6E98E03CAB07461 + +Count = 140 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506 +CT = 2CDE28DBE0F14ECB79AFA15094D416FA29767BA6 + +Count = 141 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304050607 +CT = 2CDE28DB96EC263A8940713057C71E4AAFA65400 + +Count = 142 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708 +CT = 2CDE28DBAC668AA234EB02FCF134FBE310C57EB9 + +Count = 143 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506070809 +CT = 2CDE28DBC0956133CB70D62EE50B296FF629ABC1 + +Count = 144 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A +CT = 2CDE28DB552797D5EF5724B4B61AC7AB50F8603B + +Count = 145 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B +CT = 2CDE28DBD0454AAB232BB57B7AAE3061D698DB90 + +Count = 146 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C +CT = 2CDE28DB8094D05DF16FEF6591B65F5BDA26ECCE + +Count = 147 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBAAD01994FDE7AC8CC52EF48B00D31132 + +Count = 148 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBA319E1D36B4FDA32E0B021E671001646 + +Count = 149 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DB95A4DBFCC361C983E2981159D1E4F6B5 + +Count = 150 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBFE6B85C4392544EB728122DD7DF931DB + +Count = 151 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBA3AEE625D588F28DDEE26194F74B3149 + +Count = 152 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DB05ABF0D0749F9EB8B8FF080E6277EBD3 + +Count = 153 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DB8346E57C11AC5B6C9E141ED925EC6AA4 + +Count = 154 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DB1D2E7E82C3D2BDF31EABB5B747831317 + +Count = 155 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DB4ED3F49524BB1DA406C52A8511C52DB8 + +Count = 156 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBF095B3033038854E73B98DCE0E162C51 + +Count = 157 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DB4D87BC3AAA6CFE9B1BF4069E4383976A + +Count = 158 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBF77E1354C82FC48CB3D3E9F130BC0855 + +Count = 159 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBABADF4D1142380E45A6AC455EB51B3B4 + +Count = 160 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBDD2E07F43D008038459A0F77988D3E5D + +Count = 161 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DB911FD9F02EBD3C3C69068828B14C220C + +Count = 162 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DB249DA6462B10D52092EA8C3F22AF9DD7 + +Count = 163 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBEF52EAFC6AE1ABBD0BAEDA543AD270EE + +Count = 164 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DB94AA8DD7EB1E1B6B6C0BF9E350398790 + +Count = 165 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBA3D378D1D00D29F86E26244CED4D4635 + +Count = 166 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = +CT = 2CDE28DBBBC27DB0228D78F35D34033FB16C9DD181 + +Count = 167 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00 +CT = 2CDE28DBBB3989A3A5FBC0D6290441AE232CCCD9E8 + +Count = 168 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001 +CT = 2CDE28DBBB47FEAEB476ED2E7988A50D979FEC699A + +Count = 169 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102 +CT = 2CDE28DBBB4F09A5ECC4FD2D6235F13154385C58F6 + +Count = 170 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203 +CT = 2CDE28DBBBD1D0571F7F5789C01254F98E10A5E15C + +Count = 171 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304 +CT = 2CDE28DBBB9697941C89D12B619DEB928401AF9BAA + +Count = 172 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405 +CT = 2CDE28DBBBF0A871E22936E001DA7CB08990DE80B7 + +Count = 173 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506 +CT = 2CDE28DBBB7CFE82E6BE16815BF2F239C54F044EF8 + +Count = 174 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304050607 +CT = 2CDE28DBBB787779C81667518E06AC34E807E31EF3 + +Count = 175 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708 +CT = 2CDE28DBBBEEB301D577F03F757DF181CD9619D21E + +Count = 176 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506070809 +CT = 2CDE28DBBBE5D602A73782B22BCAD7C8E44134F482 + +Count = 177 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A +CT = 2CDE28DBBB6C8092F3222B701E9A6FD515A0094F0F + +Count = 178 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B +CT = 2CDE28DBBB2BB6C5085AD899E42CEA3A2ADAAD6DEC + +Count = 179 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBE1B0729821B22BFA03113721349AAB39 + +Count = 180 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBB54D6DAED54E385C7A90A1FAB68D17E5A + +Count = 181 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBEBBF5BE0253B6E6A542112560001CB33 + +Count = 182 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBA8088B083D305B6C74B5DA2F66884E9F + +Count = 183 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBB5970988A707886C3029603960AC903A2 + +Count = 184 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBF66E6D994D7D1519B7678FD8D623EA54 + +Count = 185 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBB0832FAD08C2F021021A137EE1BD0E544 + +Count = 186 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBAA7FD60008B2555BA9B6BCD4C8A11F95 + +Count = 187 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBB1BEED41E5496CA6799730764109583E7 + +Count = 188 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBDE47C75793A95B1107B151529C8421F4 + +Count = 189 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBE0E066F01138FE110D393DC5CE51B97E + +Count = 190 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBCE729883B22025BD67D80960951DCFAD + +Count = 191 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBBF1652BDC9FA60D9A00F3074065203DD + +Count = 192 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBE95F4FD9F89AF5933E9FA59E6B488CED + +Count = 193 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBDD1CA137D73F38FB83390A7ADCF778DC + +Count = 194 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBDB8CD1AB40B85F1A985BC07920438D3A + +Count = 195 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBB5BBB47743AC9A60D372E257DA4782E92 + +Count = 196 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBB5439AD10EC251A5ABEF78EAB630BC312 + +Count = 197 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBB5061349F789F1B4CD0723AF868432C50 + +Count = 198 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBB0F63B11AC33DD4E826E9F318C4436355 + +Count = 199 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = +CT = 2CDE28DBBBD94623D3F60051B0967663ADCBFDD543B2 + +Count = 200 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00 +CT = 2CDE28DBBBD9EFAAFEA100BD9BFD081896841F669FCC + +Count = 201 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001 +CT = 2CDE28DBBBD9DE3AE2F2B4DEEDA3A43BF01F8075CBB6 + +Count = 202 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102 +CT = 2CDE28DBBBD947F9B9B28C1E550E6505AFB814B7B1FF + +Count = 203 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203 +CT = 2CDE28DBBBD94A9402FF3DE417BB0325640FD0A4974F + +Count = 204 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304 +CT = 2CDE28DBBBD96BB482AF6FE34FDE7577816B0CF44D6A + +Count = 205 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405 +CT = 2CDE28DBBBD931D8B75C49152D8FD0927DD1618A5308 + +Count = 206 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506 +CT = 2CDE28DBBBD97A0CB56DDCF23541695AA86189290552 + +Count = 207 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304050607 +CT = 2CDE28DBBBD99D937A70327BCC85C4DE14A5DB1B64CF + +Count = 208 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708 +CT = 2CDE28DBBBD9F54EF8013B08647890C35BC991F144ED + +Count = 209 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506070809 +CT = 2CDE28DBBBD968FB5BAD811EAD224221836602B8E7A3 + +Count = 210 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9AFDBBE401FC7FB3DF2E0B3675A23BA42 + +Count = 211 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9EFDAF75B643D78E6996C2BABDAD97817 + +Count = 212 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9E467E855BAF25B9F5A25A67D1D68F731 + +Count = 213 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD901C2D9E28F71D502A2B2020CFABA539D + +Count = 214 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD90AF3A4F079A5BF8489F841F1F883B693 + +Count = 215 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD981C7B6F3ED0A541F676E0C0DF1E5C4B1 + +Count = 216 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9D48FD2176623B2D8BA5821C14E6B2029 + +Count = 217 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD97F6D6B045380210CF005F68B75FBA702 + +Count = 218 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD923A278EE278F3E9FF27FB8E498C313D0 + +Count = 219 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9E2A117A5847480E0008B3FBEC72FEB92 + +Count = 220 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD94CD6E8CA9D65EA70D1311E900868C8C4 + +Count = 221 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9D215A18C93FA401A6B0D3124D3E2EA65 + +Count = 222 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9950C352160481DFD56AC09BEA5AE78E2 + +Count = 223 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9AE5222850112DD4A93B69F5B5B06E177 + +Count = 224 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD93A60A1FA82E8FB4EEBDFAAEA7F49302A + +Count = 225 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9371D001078496201E893AB4AB008D8FD + +Count = 226 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9B0CA5E9AB0CC430C0ACCAA5DD9B78052 + +Count = 227 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9E334C93DAAEEB0E939E53421EA4F5BAC + +Count = 228 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9AE55FA6B9319A27E63AACFFC13011957 + +Count = 229 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9E424BCFADE99556CD89471FD16368C94 + +Count = 230 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9F9D7E4EBEA16828DD1660F1FF31E52C3 + +Count = 231 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD97562E5B4FB5298023683A663EA924759 + +Count = 232 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = +CT = 2CDE28DBBBD91303BB03B4D02D5A90820C0FE6881A7E23 + +Count = 233 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00 +CT = 2CDE28DBBBD9133EF9BE7D7C85D3058E3A6EA4DAA34AEB + +Count = 234 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001 +CT = 2CDE28DBBBD913E1529EBB468B24632D8736C2E038FF9F + +Count = 235 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102 +CT = 2CDE28DBBBD9131DFD78895E2971E1ABC36B93EF91E7F6 + +Count = 236 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203 +CT = 2CDE28DBBBD9130C956536193457760EFECB095821962E + +Count = 237 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304 +CT = 2CDE28DBBBD913BF055B43E8B00326549567D85B1B3480 + +Count = 238 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405 +CT = 2CDE28DBBBD913E3F5ED645C068E904FB993FFF67F170F + +Count = 239 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506 +CT = 2CDE28DBBBD913E93D73908F7142FC6D203D030CEB1771 + +Count = 240 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304050607 +CT = 2CDE28DBBBD9130B095F7BE5376BA7F661AF4EF29990DB + +Count = 241 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708 +CT = 2CDE28DBBBD913EAD9CF758E33C8508F9E7FF2B5903068 + +Count = 242 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506070809 +CT = 2CDE28DBBBD913ABEE4384850E6285DA38D8E822F19834 + +Count = 243 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131CEE65C8A2B8F9AA5DADF57FC65C485A + +Count = 244 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD913E2371DB8E489B678C14A9318EAF70C59 + +Count = 245 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD913272DF55DF693077BDA71C5BC4BF6A8D6 + +Count = 246 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD91394DC6A703F6B421627972A4FB97D4E78 + +Count = 247 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD913835F5CCB302FAB76E197DFC724938212 + +Count = 248 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9138BD555E519065BA825D5ED9F1E1968BD + +Count = 249 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9133781D980127DADD00515549A1E854358 + +Count = 250 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9139E3B0F224B965C6A6807801A902B06B3 + +Count = 251 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9136B2D56F700F71BEA006025F94CF70C81 + +Count = 252 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9136E02D119678A21FF5B0EFFABA1096FE0 + +Count = 253 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD91331ED38CD274333A27EE09D39B54B811B + +Count = 254 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD913039465F85B2745D1DAF0ECC0CBB6DAA5 + +Count = 255 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD913A9135E70B9426011EC00DAB094903F3E + +Count = 256 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD91323DC1F8FAAF543C95951FDC1788589D5 + +Count = 257 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9130B79D110254A2B8597617F8837AEFC40 + +Count = 258 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD913E14E2D3CD83AB73FFF447B6B919C081D + +Count = 259 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD91387B38E2F0AE339F6D0870612FC6C99ED + +Count = 260 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131AE042F2C988AF04E7AABCDE338398F8 + +Count = 261 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9137306F4431711EFCBC90E1EEF67E85558 + +Count = 262 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD913A74E60265DB26F772C4B6313CBA3EDD6 + +Count = 263 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD913AF29CDB68F25B9FE08DB27D146A9EA2D + +Count = 264 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9139F5F689AD2846C77EACB9B53C9500E6A + +Count = 265 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = +CT = 2CDE28DBBBD9131ED3F44B4FB43055D5AC109F83F530D165 + +Count = 266 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00 +CT = 2CDE28DBBBD9131E3EB91FA1A81CE5C87077D1651424DAF4 + +Count = 267 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001 +CT = 2CDE28DBBBD9131EA55C69346E5012B5F356E1AB19171A3A + +Count = 268 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102 +CT = 2CDE28DBBBD9131E9E507757D5319B46248FA071D00650F9 + +Count = 269 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203 +CT = 2CDE28DBBBD9131E4486F358CF115F9B2AF55994F7CEF4EA + +Count = 270 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304 +CT = 2CDE28DBBBD9131E854C9F46787968D0E022382F3F1AEE03 + +Count = 271 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405 +CT = 2CDE28DBBBD9131E425F4F40950B5CB331E181E1B5FFC6E8 + +Count = 272 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506 +CT = 2CDE28DBBBD9131E0A4EE1102568B2A8DB64B00E292DA2CA + +Count = 273 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131E4270DFFF9B0C36C0824E86D98DAED276 + +Count = 274 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131E652BCB622444F17B498F1A0A8EE1DDE1 + +Count = 275 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131E075E621EC4002F860FDC451FC4EB650F + +Count = 276 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131E060A1857233A610970EA7AE5CABBF3D5 + +Count = 277 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131E20E8CE3A40EEBCC0135357F85183A3B1 + +Count = 278 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EC4C9384007645BE4AE641AE4DA997AAF + +Count = 279 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EC66A9CD52373E1ABE61C9823FF40615B + +Count = 280 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131E756B57E6E0EAD52B3F4150345FE2955C + +Count = 281 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131ED572EB41F0975D6A7BA2AC89F61384C9 + +Count = 282 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131E3CB666625F697B13AE839E80B46756B4 + +Count = 283 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131E08A625FCDCD37C17EC5E0AA3345268EA + +Count = 284 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131E54FA45B6731BA06DD34D464118B591C6 + +Count = 285 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EC4A6908ACE1B689D7C486425480C6B99 + +Count = 286 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131E1C21BA246F4369E1F66AD643A3D005F1 + +Count = 287 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131E740731BA2D23CF2A44F81C19E590EE4A + +Count = 288 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131E94559948212489AE710B610AD986693F + +Count = 289 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EA56E09B4444573D3A7C20F15B6C142FC + +Count = 290 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EB575448F8EAA56BF03FED88A240D2E1D + +Count = 291 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131E395023A2A69D889B93B026F1F30A8561 + +Count = 292 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131E5085DCB97DA73CE7CCA3497FE98EB063 + +Count = 293 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131E32C3B8CC91B0D8B5813F75C63ACE5DB6 + +Count = 294 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131E5A2441E7BA48C24366AF17F2AD7CD6E5 + +Count = 295 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131E53FBB9D4CF5F21DE02A1CF1B72BFB1CD + +Count = 296 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131ED88FE13D8066E0B23372DBD29FC6A44F + +Count = 297 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EFA04DAA40A19D16E69F05097989A77A7 + +Count = 298 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = +CT = 2CDE28DBBBD9131EBC5EBBDBB307B3328AB0FA8E8CF236AC74 + +Count = 299 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00 +CT = 2CDE28DBBBD9131EBCA6AC9AD6B52C28EC0465FCBF52304B2A + +Count = 300 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001 +CT = 2CDE28DBBBD9131EBCACECD0089EE217B0AA7FCAA20BB32616 + +Count = 301 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102 +CT = 2CDE28DBBBD9131EBCD5B479A783C98A6D3684ED00C30D52C3 + +Count = 302 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC6C67F216F4F12749AB5D6FB1706FF8C6 + +Count = 303 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC6C07B442077119CF98B2EB8E0F98D7D1 + +Count = 304 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC71A9D39A0850C16A0398260EC7653110 + +Count = 305 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBCF6ED12D1BA407BAB976C78BF733F33E5 + +Count = 306 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC9DFE3091540111198B2C5B8ED060DA90 + +Count = 307 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC2B0AADC2869B041DE48C979FBED97B8A + +Count = 308 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC48C3B38E26A36C0CDBB6E448DEB02BC9 + +Count = 309 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC42073CB3BC759F632E30043CE902F7A3 + +Count = 310 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC277F93B97DCD5DF43AB4D648FFC9208C + +Count = 311 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC55C2ACAF3B68B15A7985EEEE9C30AE7F + +Count = 312 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBCB5AFACE99AF2611241499868E41481F6 + +Count = 313 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC7CA2BBC3A8B6EF2F008930E506CDB19F + +Count = 314 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC177B4D86A9B3E8FA4753A2C74EF8F60D + +Count = 315 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC59438A3E8DE1ECD73C1A73CD40B8FD81 + +Count = 316 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBCDD10C544A25A8316A90478ADB6D9D264 + +Count = 317 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC261C0E47FBA527BB5FD445B528D41903 + +Count = 318 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC2885363C07C256D49D7BFC333EA85D66 + +Count = 319 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC36D804FD41B382F9D69AB5C174BF33BB + +Count = 320 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBCDAF608E6C237078BB8F194493A82A898 + +Count = 321 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBCC163F7ABCC8EBD9A9D7281B484DDFC9A + +Count = 322 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBCE64C1785840D71132687FA8B6FC39EE6 + +Count = 323 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC27F95FFE8A2D3D1716984E286D1C59EB + +Count = 324 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC449EC7CF3DBC9716DCBFF0B579B1615C + +Count = 325 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC2271BA4D2E21E84D25C6E79CCB9F609D + +Count = 326 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC29605542B51E06131B450566E5D13C2D + +Count = 327 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC50A3DD615E6E1FC35EB07E8D3C3161D5 + +Count = 328 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBCA124748E316AF69E7C6BE6394CF40D4D + +Count = 329 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBCEDD33696DFD3A0AA6534673A1DC3B835 + +Count = 330 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC122190F437AD722DF106B758829D45F7 + +Count = 331 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = +CT = 2CDE28DBBBD9131EBC5615D6C26ED446BDFE36175E746D0F15FB + +Count = 332 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00 +CT = 2CDE28DBBBD9131EBC56FC4FAC946EF41818D3E61168BA6DCBE7 + +Count = 333 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001 +CT = 2CDE28DBBBD9131EBC561D99900B7D840037FB0AB3695BA70E15 + +Count = 334 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102 +CT = 2CDE28DBBBD9131EBC561785B47AAA8306AAA4E861271B69D559 + +Count = 335 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC56FDC8DD24B7F9431272B532269BCB1C96 + +Count = 336 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC56B20C15D0B9389DEA960BC18EF8748762 + +Count = 337 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC56602421AFEDFA9B2C8334F579DB339007 + +Count = 338 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC56D5D3F702D4F6AE28E6DCFD5F78FEA596 + +Count = 339 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC56C15EC0CD5681CF047B5851C65373FE64 + +Count = 340 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC567ACD83F222AB68E291AC3D6537D44979 + +Count = 341 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC56D0158557ABB72A76746D167C88DF6D05 + +Count = 342 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC560D2065DED51F7DCE6EED886957B4BE52 + +Count = 343 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC56FB2F5AF59150E6437888CF49CD383E92 + +Count = 344 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC56BD31B9F2525B1C82B3F3ED47F5F43B4A + +Count = 345 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC561555384A7268EC8A7601B5AE625C7C07 + +Count = 346 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC56A393C9E69FE6EB2CACB4BD71A6F16187 + +Count = 347 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC5615B2F5A4686C479C861C5C3336C571EB + +Count = 348 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC56EDC96A587DFC56F8600861D07127D545 + +Count = 349 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC562BE4995C820074E99B6D8D92D7A954CD + +Count = 350 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC562B32978C2D0B00F841C2EDC0300A2855 + +Count = 351 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC560EEFF0ADDD21192A1C39DCA93C44111D + +Count = 352 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC5604AB73B2F0D617F42B5F369A595E0646 + +Count = 353 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC566F7259F407C496BAEF5C550FCF2AADD0 + +Count = 354 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC56E2EE14AF74394D47B6787D20ABF7BA50 + +Count = 355 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC56AC264D9F1A7AE8B2250030888F376123 + +Count = 356 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC569A3576945BF9688812A0ECD106568098 + +Count = 357 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC56322B0EB0283AA1F1979B97882F52B443 + +Count = 358 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC56AB78B73F2D3C164A78FB41360AAB5A23 + +Count = 359 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC567D99F86522FBBACE5E52E3F52C175368 + +Count = 360 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC560ABED09A27C90E2CA817071B9C02C654 + +Count = 361 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC56AF9F24DDEB1DA0D53456C19AFD30B111 + +Count = 362 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC56380F7C205D188BAC90ECFA0C937865A1 + +Count = 363 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC560A9800C51A323B3B52FEEAA061AE9086 + +Count = 364 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = +CT = 2CDE28DBBBD9131EBC568DAC7A21E1DE8C78C637DC46CC49ADCDDE + +Count = 365 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00 +CT = 2CDE28DBBBD9131EBC568D8266D147001C7BCC1F97C0DBBAD2D4BE + +Count = 366 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D56CCB54101770D36BE59911878353712 + +Count = 367 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102 +CT = 2CDE28DBBBD9131EBC568DD63DEDD482D72199A4B04631C1BBD0EE + +Count = 368 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D79B6EFF401CC800E0B77D06349353109 + +Count = 369 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568DCF96F63A581A051B52E5693F55735398 + +Count = 370 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D093F7E6EA7BD5C6DDBA619C5B151D8F3 + +Count = 371 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D39512A2846AAB70A3255165220E92F2F + +Count = 372 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568DBEB813654ABADFB013A510458B9EB48F + +Count = 373 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568DDC04AE97A9EA9E2CDA2F44822134022B + +Count = 374 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D09334C97708FB4964358A604321DE55E + +Count = 375 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568DFF5B4B50A91E5357E5ADF37AB080F849 + +Count = 376 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D8038662AE697573337E4B3438AEB28BA + +Count = 377 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D22C8EAEEAA71C1D21581149D90806D5C + +Count = 378 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568DA99B2FB9B5584CEC5D8F423F11946B76 + +Count = 379 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568DEEFF3C414928B68429DAC42AB690A691 + +Count = 380 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D68ECC087C1016D685A4C66A2AC1FF427 + +Count = 381 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D844D042CAB502C46F5C69A242A38741F + +Count = 382 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D6E82F3095D0E3CD725D196BECD3DCBDC + +Count = 383 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D63995CB2DCA0A164599A54345265063A + +Count = 384 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D1993A60D8C66B1AD47094EE951E0CF33 + +Count = 385 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568DE56B7E7977A0C230A140E82799682DB9 + +Count = 386 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D90C7A0971D2D49700035A1BE791743D5 + +Count = 387 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568DB4D43EECE197D9CB522D49B2B42359D5 + +Count = 388 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568DF8A7B4C70D520978B46D1CA1A4D1B69A + +Count = 389 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568DF4CF07C20F49BF60D0FA893428199CF2 + +Count = 390 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568DEF401240D1F602A1F2FF790F142343EF + +Count = 391 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568DAB821B6C0286ACCC3957FD45C160BF95 + +Count = 392 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568DBC61103DD90A65C7F69F7761F7A4084F + +Count = 393 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568DD264D9161956690EBE6166E293AC375E + +Count = 394 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D02BC30D6ECA9B85F0C65378B3FD16E48 + +Count = 395 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D53A4A14C6482313E617DD4DB59C08CC8 + +Count = 396 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568DA74204444F01D39C5DE2A00E45A24ECD + +Count = 397 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = +CT = 2CDE28DBBBD9131EBC568D77B5531CE34F28DA3C1E90C69DD7956637 + +Count = 398 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00 +CT = 2CDE28DBBBD9131EBC568D778248D37044C64FEE7D10384C95779E30 + +Count = 399 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77B6BF937F3EAE148C3EAD4199726ABDD3 + +Count = 400 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77EA424A17D8E137AD0892FD46C1DA33B2 + +Count = 401 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D777FA9D7276392BF25F782DB6A5DD8BBC7 + +Count = 402 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D779BD56380F26A67E7149F6546D7C73BD3 + +Count = 403 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D7791C7E4C38E4C78F51B9CFDA409831EA6 + +Count = 404 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D7735E3FAF20007CA65551D006A92022D85 + +Count = 405 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77B36A860AFF1DBC29C2A5E733A697660E + +Count = 406 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77BB4E8D44FC3F7C274024B7E184AB7EE5 + +Count = 407 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D7798E1EE233FADD85C21B9B1331BFC07B2 + +Count = 408 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77D7C6F733321C49B520CDD319ACF06D15 + +Count = 409 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77A3F18AFFD2F037520DE15B3B831927C6 + +Count = 410 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77A459377B80D0C1EC4C7276569F52D485 + +Count = 411 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77F3BB87F86EFEB5EFA2B91ADA1F550A5B + +Count = 412 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77D039A0F0A388D7EA8BB760817AFB4516 + +Count = 413 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D7786504F93E925B3DCE0CDF8AF30C2821C + +Count = 414 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D777265DB46ADCFF6B6D455913F65640723 + +Count = 415 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D777D4197D96CA91E0573298C5E28220C41 + +Count = 416 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D777AEF9BE455449AA1B1F6A0A9E41AD8F5 + +Count = 417 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D7796EF6AA9663CDCD87A5D7B847522B2BF + +Count = 418 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77E030BE7A842F20E97CD474B534B05A26 + +Count = 419 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D770B8EB112ACD29FB74A9FC9CF10945FCB + +Count = 420 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D772BEF4813F5BBB9245B2767272DA3BCB5 + +Count = 421 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D7727026D9BA5504424BBE690CF3BBC1FF3 + +Count = 422 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D774B7A5A591A62D8B968F0B378BA97D454 + +Count = 423 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77B341FF3220C823F3CF2A83C698BE7094 + +Count = 424 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77F2C2ED3319D28150F8CD5B8F41303473 + +Count = 425 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77C72DAC0B3C11DE1729B93835E791B740 + +Count = 426 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77B1F3591882D32963CB8FE10B60C5F6C4 + +Count = 427 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D777DF410A77007C28A1EB3A2AE776191CB + +Count = 428 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77D72A0A7F9B755628FF9C6554E1A46BA7 + +Count = 429 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D777C25FBB0FF98496C7DD111409DD6D3E1 + +Count = 430 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = +CT = 2CDE28DBBBD9131EBC568D777241BC32568E4C3E434583C6BCA5808F2B + +Count = 431 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00 +CT = 2CDE28DBBBD9131EBC568D7772D1CF54C5064CC89CC839A5DFA346775E + +Count = 432 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77729E0DB2E8343BAA92CF3C00B7DEF11379 + +Count = 433 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D7772105E3AD36CD3A1CB5C864C18F3814CEE + +Count = 434 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D7772D02B6A1F26E2EDA0B989DE55AE355050 + +Count = 435 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D7772CEA33BE5E56120E1C8558E365F9E479A + +Count = 436 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D7772A9ABD56A359BCA1F805AE0E1E44B9713 + +Count = 437 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77729F2FC88BB9C34A6BFD53F14D5235B735 + +Count = 438 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D7772F7EE30C3A2F7785EEE22F04711E461D3 + +Count = 439 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77729E17CDB43A92393DADEE5FA941C9095E + +Count = 440 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D7772AB8F0CDBC3720760EA74282026B87641 + +Count = 441 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77722946796985C79EDE343E0663B69A7748 + +Count = 442 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D777286F4D8342A6E6CA34423C7C50ECA1CFE + +Count = 443 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D777296217E26CA564B5E7D31F24DDC77E77B + +Count = 444 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D7772F68785C3D63A4348C05FEFA85D86B882 + +Count = 445 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D7772CDF4541A778466F1E403789CF632804C + +Count = 446 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77720F718251BA5C17956D64B44D6BDB5D78 + +Count = 447 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D7772807996EE3496B6A8A21B626251490F31 + +Count = 448 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D7772EB1F6CD44792DEC4DB87FE72B4183103 + +Count = 449 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77726F5C3A14201F73FD2A0368E230958251 + +Count = 450 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D777224BE23FDE5DE57225BDB3D67B9D340D9 + +Count = 451 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77720F25E2A48F104820AAD1482B648CC10F + +Count = 452 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77729FD509AC5491E7B342BFB47B135BDCE6 + +Count = 453 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77721CA8238821D347039E758CE7273347D0 + +Count = 454 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D7772A7B8CCEA0E2A97DEC5783998364264C4 + +Count = 455 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77724173C01D796150341771A3BDB170E7A4 + +Count = 456 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D7772F2FEA07A58FA8B7ED189AB3A85D64497 + +Count = 457 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D7772A0C1F1B96FED496214682C7B149B91F1 + +Count = 458 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77720CF1FC364C1940E513ADFCB1AD2AE92E + +Count = 459 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D7772D4FA643CE953A6825B476541A338A010 + +Count = 460 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77726B384214334D3D75A8ECCC999827F6EB + +Count = 461 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77727805B99B47509593EB008C72C9F0E4EA + +Count = 462 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D7772C6E570B60965D23682B0A82F8A836530 + +Count = 463 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = +CT = 2CDE28DBBBD9131EBC568D77725B8E9976DC30819B092310AEEC038274A2 + +Count = 464 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B1B38614A2B11C3086F4D73C59D08EA42 + +Count = 465 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B2873354C5310B05E3F2A9FD52A46DFD1 + +Count = 466 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B7418F82EA92D098764C5B137552BC1BE + +Count = 467 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B6CA5163A99D405E8AA66CB4711BFFC2D + +Count = 468 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B735183688F9C6850FAC363B101D83616 + +Count = 469 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725BD2EA134218D9815EB7BDD5C3B89272FD + +Count = 470 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B68D3EA7927639DE1D8013AB98F24CCE2 + +Count = 471 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B0D1A3DBF807FEDD868D74C882A732F15 + +Count = 472 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B29CF2DDB8E3F0CEF289D4F8487472E38 + +Count = 473 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B3ED5EBD03F0582C1DFEBC034D36537FD + +Count = 474 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B739A0E2C9A43378B6C5D8E461C11BE81 + +Count = 475 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725BF34DAE622A9B19799E7F6DC7647DBACC + +Count = 476 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B85397CB92F01BF4AF22A0B7AD6F5CC6C + +Count = 477 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B3115C0166187F0B0ABD9BD3EF411F3A6 + +Count = 478 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B511F4F908B85E4D420867A0343A10FEA + +Count = 479 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B20CE00FC32F3C5B981B4FFB827EC5105 + +Count = 480 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725BC27F285672A3AB7927FEDEBE3A957600 + +Count = 481 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725BAAA4CCF5EED8AADD67B409567D695EC2 + +Count = 482 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B0B194EB80826BB4AC1B2DD5C9F07F8C5 + +Count = 483 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B1FA3F02F09F942B12642AEDDD7BF2486 + +Count = 484 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725BD59EC2087A1EC66D3CA90100661F92E9 + +Count = 485 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725BC31843BF2373176F07964C9B78EFEB9A + +Count = 486 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B69365D43FCA66B79926B44C3AC818FDE + +Count = 487 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B9D66A09E404C6F4807348AEFFC053403 + +Count = 488 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B2F5A15673C3DD5A553CC9E79F0326ECA + +Count = 489 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B879DA97FB30AA0A59D27373A4FD8ECC5 + +Count = 490 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725BE13809CEDF5A86628DBE7EB07418C302 + +Count = 491 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B194959E15F6E8A0C8A8AC2135B447E1A + +Count = 492 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B1D60B53A79667E47F14ADDF8680A5317 + +Count = 493 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B6537E5768715C487C0751245E299DB38 + +Count = 494 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B5332F03DE20FA788224961F5258970D5 + +Count = 495 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B806568DA19B4F70897D72625F5371DBD + +Count = 496 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = +CT = 2CDE28DBBBD9131EBC568D77725B252955A7B9B5B4958915A7A305E3BA36E3 + +Count = 497 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25B047A768BD4E73FD6DAE54A8F2BFAB50 + +Count = 498 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25CCA25234333DEF7A285700FD3CB965F7 + +Count = 499 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B253F75EDE834142E3649089D6444C2A9EE + +Count = 500 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B2547B9B90D874BAA16629D7784010DF474 + +Count = 501 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25E1EFCD7CCA979282F6693DDA5BE06F41 + +Count = 502 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25203E3C7ED5B3555984DDA2B1AACBE161 + +Count = 503 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25D5CE7EE96348DBE2001A9A1F577E7B2B + +Count = 504 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25071FFBDA37F02AACF93DE21B61B784C1 + +Count = 505 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B250C8055466E1EE01873576E01778354A1 + +Count = 506 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25FA3E49FFDA8AD56A602865CB96C22CEC + +Count = 507 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25615716A52AFBDEA04E7BCD0FF339B16F + +Count = 508 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25EFA11E0E6843EA93021EC05182989372 + +Count = 509 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25A21D9BC5B7F53E61AD1FCEE905B1B484 + +Count = 510 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B2585B2E58B37C43E83443E3C3AFC01A4C2 + +Count = 511 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B259C0E2C35CC854580409A4571FF284596 + +Count = 512 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B2554D420B9A0028593C9012575AB036120 + +Count = 513 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B2543E7ADFFC93FBA08BCFA1076322BEFC5 + +Count = 514 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B257E9E9AA1BAB964BC9ED27C0EF184F8EC + +Count = 515 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25528C70D63FFF92040F536EEAA90BE5BC + +Count = 516 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25D8FDF50C3FF5EBC3E1C736CAD5CE845B + +Count = 517 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25FA91C78ECE7A8243C2CF5F202B488233 + +Count = 518 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25E9884085FEC621F4CDE34627CA4FDC64 + +Count = 519 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B2596C5D386BAA149B7C0B2C716E5ABE448 + +Count = 520 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B255D5743DBA73D93937D91BB746C93F187 + +Count = 521 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B254A36F3DD2FB245F62D67FB57B1A93FEF + +Count = 522 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B2588FB08387DB65DCA21EDB1FD80125F9D + +Count = 523 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B258232180BE541BAFA77A02C409C902A22 + +Count = 524 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B257C9000683128EF74BCE491FC9CF2C434 + +Count = 525 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B2588FFD3D3BDB69B1BCC179FBDD1C18573 + +Count = 526 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25E4A1F2780A0AD120A062521D799C66D2 + +Count = 527 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25D3C0AB1ED56F56C865593654CA733281 + +Count = 528 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25801626FABFACF5796DE1838D60C35FAB + +Count = 529 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = +CT = 2CDE28DBBBD9131EBC568D77725B2593EA1386DC348963366E27B2A69A88EB38 + +Count = 530 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B259385A1E58A6F9F47083EA81960996A802A + +Count = 531 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25939F795F017B933800E6F58703921490CF + +Count = 532 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B2593B3EC7788C66C613239B126CE8412B7DD + +Count = 533 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B259370BD553DF3C446C40BA2C1906364BB20 + +Count = 534 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B259325E892CC4ABB0166DDAEA098D82BAC5F + +Count = 535 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B2593E70020C403BA1651D1669F611CCA69BC + +Count = 536 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25939F391EACE1BD3EC0B040E88D5E2D8ECC + +Count = 537 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B259382F79747EE86B4EB6ED69AE360BA6C93 + +Count = 538 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B259394D333F9DE03F7E0FFEB00B6367D80CD + +Count = 539 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B2593F662C4A47762A032E3519FEFD360CBF1 + +Count = 540 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25932A08A8A09E48952939F7E464A9C7C0D6 + +Count = 541 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B259396FF818FE68618F653F87A03C1E1C530 + +Count = 542 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25930D5AB75CE4E3877F0FCC253649833D9A + +Count = 543 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B259316BA09B5C210712D0827A9B1197AFD3F + +Count = 544 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B2593A19DC16ADF4B361D5AF7CD874973A282 + +Count = 545 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B2593EBD8512D55ACD2BEE8926DC13AC9A062 + +Count = 546 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B2593E49FB25C6ED467AE8B20B43C97AFCB7D + +Count = 547 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937C495F836AE72AE0634CFDBDEA472B3B + +Count = 548 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937FC98C27EF12F340169F5F688FFD4350 + +Count = 549 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B2593E4AD6ABA1FFB6C3567E555A6BF42655D + +Count = 550 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B259378583F190C5F6AD71FC171DEE6E9B6AD + +Count = 551 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25932E530CAD70A64F6D54B31785C4D7C1B3 + +Count = 552 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25930F336945519DBDEBBFD42219211A84A6 + +Count = 553 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B2593971B7CA6713510DCC91836DDE97D28BA + +Count = 554 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25933A4E51B1541DB9B4232186CC5FD3BECE + +Count = 555 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25934F0893F9CA824139220C6B6A0B716530 + +Count = 556 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B2593A9BB002DC4F299FC92219B91EFDE2E61 + +Count = 557 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B2593537524DA50E557ABF6F325BF1653E7B5 + +Count = 558 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B2593226AE39C88D64BC07464D61BC3BA791E + +Count = 559 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B2593DE7CAE34836308D6BBA91825EE721E9F + +Count = 560 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B259316FCBEB4A3EC11C8C5157D5D1F9853E2 + +Count = 561 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25933ED3143BC16E89FCE414745316B6803A + +Count = 562 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937C0CD0927F4931FF6C9DF9EA7FFAB49F28 + +Count = 563 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937C4A486DE30D2F979A6EA6CB89B5758FA9 + +Count = 564 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937C2DB98B0FB8CEF46E70C962A19F943790 + +Count = 565 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937C35BB5FF0DD46FB2A6EE6E9CDAD43C511 + +Count = 566 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CD371FC731CAC125A12634B7792CCE812 + +Count = 567 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937C0465A4924E35CEE4335E4C644884B91B + +Count = 568 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937C452D6C90F66F95400ABDCE4487885430 + +Count = 569 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CD054DC3DE42C84B1C1E04D9DEFDC85CB + +Count = 570 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937C8B4E7656456AE8E93D063D65FD2E8368 + +Count = 571 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937C787881E676CA908010D93F0A52DE5F1E + +Count = 572 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937C36BA299F7BB0358B830AA664217B0137 + +Count = 573 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937C1C2FCE6368B6AC64D553417A1AB7AE63 + +Count = 574 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF54BB3BFA3E63E8E0073CACEBA4AB3E1 + +Count = 575 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937C4E949B03E83137848575E1292ACF0CA2 + +Count = 576 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CFEA51416838FDB4086BA1C56D4A7D8B6 + +Count = 577 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937C2971C67C8D4D44B316690A7F6E300765 + +Count = 578 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937C4D3DF203201081ED32FB3DBE3976A246 + +Count = 579 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CD2ACF61C880C842A9CDAB1BCBF360B2D + +Count = 580 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CB5A80E9ABB07FB452AD1AC4DE92C1922 + +Count = 581 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937C5277460C5BBA4ACBC766230306A2835C + +Count = 582 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937C26B9DE11A6DA3049C0F42A78ADEBD571 + +Count = 583 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CC198CE6FB150268C67154B2C29EBB895 + +Count = 584 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937C2B32B6DDD6D6ABF51E74690816F002E5 + +Count = 585 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CAE2FF733A71A277F9E392ED0EFE9B6C6 + +Count = 586 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF2963BF93E0DF106C655EA582CA55631 + +Count = 587 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937C4C5083CC1C8EFC5056370C0B2E0437AD + +Count = 588 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937C17B9A87A5D8F420618C3B006C2AD839C + +Count = 589 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CEC3FAB8DD7DDBDE833B80FB69817BCEB + +Count = 590 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CD11661E1DEC94E4A796619CB4261080A + +Count = 591 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937C40EF7B98C7341D42A21A183542BFEC90 + +Count = 592 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CD3D07C4306B52D5564E123E55C20FEF9 + +Count = 593 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CD6307EA8D53099C9574EDAF3953C1D05 + +Count = 594 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CA335AE70F4DAD4ACD851175D053063EE + +Count = 595 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8F7517367215FA4256684043E63654A2E + +Count = 596 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8C2FA35A4C9043F7597740FC711477029 + +Count = 597 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF882160E6BFDE81340269B5F83F1EB8161 + +Count = 598 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8C6206D67E3A6B4394C5603AD75993446 + +Count = 599 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF89AA8F8DDD3B75D63E3986D8BFB85E316 + +Count = 600 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF86756DF460D22DFC1736373D7F2293A4E + +Count = 601 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8A8F35CE1080380754FAF5BF05B7ECDC7 + +Count = 602 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8242A5B052F671A899D93DDEA0E29A4B1 + +Count = 603 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF896B0AF71F18E11297E59094AE0E3C426 + +Count = 604 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF84D01BFEF58B2877DE44C5BCFB394DA86 + +Count = 605 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED96EAD117795BABAE48A35EB797E47B + +Count = 606 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8C37D81DF4CEF803366B8E5AE0080C747 + +Count = 607 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF83EC5C59299FA7769BC86A7A3736D8072 + +Count = 608 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8D51C7EA960F8573CC508416B87F27884 + +Count = 609 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF80810A19CD6E1CC8F5D2C476FE01D4A87 + +Count = 610 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF84B9F4D791FC832A25A42B8AD36377DCF + +Count = 611 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF89C8586AD3C385A4DABA111D7DAB2132D + +Count = 612 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF88D92FE2019CB88D296FC8F9779EE4E83 + +Count = 613 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8A52F6632C0C50704F2A9B4228B6EBE16 + +Count = 614 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8B5365CD74913C48965290FD6C4294824 + +Count = 615 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8AE2E44C99E3D722554E3F4C471E35173 + +Count = 616 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF833FA4810BEE925808A7C81A2555EDA5B + +Count = 617 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8FED38E1899869A93AA766B757B6914D2 + +Count = 618 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF84F7CDAD170DE0071A0A9FAF8E32D4998 + +Count = 619 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8A43D41C03FC2F7DB25EC96B653296970 + +Count = 620 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF85093E2218A1F667CCEBB5E3C2E3237D1 + +Count = 621 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8CDBD2DCD394F7F3380157988DCE97CA8 + +Count = 622 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF820233B7566FC7B14D9D1B95F17195387 + +Count = 623 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8E057339ACBAA7CD797F39C00B921E221 + +Count = 624 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8FF13E1A60AC2FB0AC7268FC56330E548 + +Count = 625 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF88EA6AB4070EB80B4F0B8BF964970C2E4 + +Count = 626 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF80365C5B301A398AB1A9028E0D9D1D783 + +Count = 627 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8FD29AD4A6A90E5F97674C209691ADBDF + +Count = 628 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED9EB07AF2AD2C8778061479063E5077AF + +Count = 629 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED4973C72DB06C14922A984DA8BE67F4E9 + +Count = 630 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED7BB9FB8FC470D1B5F10F2BEADC38251A + +Count = 631 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB588A9FD8E16DA696ACCC95DE3DC2A0E + +Count = 632 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED52ED81CED752A7FF407A73DC5BC6BDB5 + +Count = 633 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDE5EEE9E5D3A2107B91B82837104ECF8E + +Count = 634 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDE01E8F92274E101956630619C5D00254 + +Count = 635 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED5A62B64D410DE47A7C2C74DB4363D303 + +Count = 636 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED89550EBEBA56A9511C7E949DCB72AA5F + +Count = 637 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDE9166D1751E047CC37503606AF4E5C8E + +Count = 638 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB5D86D5961590D3EBABEA19182182188 + +Count = 639 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED0CFF02872D2B1272EA723E7E39F12134 + +Count = 640 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED318B303BD12C8126F668EAC4B37950B6 + +Count = 641 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED522096328112300872508D4E64A7D39F + +Count = 642 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB7980B6BE77BB02BB8EABF985249C3D0 + +Count = 643 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED3CBC7E172A4A36589012C66CD7E37243 + +Count = 644 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED412B3A9BAF1E5EFE25B9306A6BD7BC61 + +Count = 645 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED868FE5475196D8873A37F7AA38B6FF73 + +Count = 646 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDF3DC0F1F3FFF6D80CEEA577AB88C38A9 + +Count = 647 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDA505D23D5627EDA5B36B772CB3879310 + +Count = 648 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDAE55611836A66602A4423A9328B93453 + +Count = 649 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED6506232898141D99B9DFC9AA4D867D36 + +Count = 650 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDC7A227B99B0D65A9B446D7D8D46EEB7B + +Count = 651 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB196CDDCF9C1E9BBB6A8BFADB93A90DC + +Count = 652 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDAC2547C4227749DDBC51ABBE6B083301 + +Count = 653 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED5E53F85EA37221AEA2108A21870E5D57 + +Count = 654 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDD22CE9CA8AF696C0F33E72B44D9FF1EE + +Count = 655 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED3B1E69A15F7E0A7DA762D830B1FD08E3 + +Count = 656 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDC375BE9D999C0D6A8CC1F519AFF74655 + +Count = 657 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED69A97950B716BA8E07F3045FF0D7EF08 + +Count = 658 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED43C44CDD271A916D0EB2A8F5D5072304 + +Count = 659 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED244C5387B68D01C78ED13C9E44212B1A + +Count = 660 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED29A1749E4435B1E3FAB6D748D4D8C655 + +Count = 661 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8D29B96A6BE37E55D8AC446F48680070E + +Count = 662 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB85D626E243D49E6DD8396A70872113564 + +Count = 663 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8BAF7AE2292EF83230733EB2317678A92 + +Count = 664 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8F4B7EC5B2BB00AE96E63799DA389C411 + +Count = 665 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB85D9B673F8103A92F5890BBED4E85F43A + +Count = 666 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8E0EBA18CB4DBDF5E4BD0748643FFBFDD + +Count = 667 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB85742A0A89CCE5EB10F3BFD944F7C161E + +Count = 668 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8B9555DBA57E06D969178913C1E521424 + +Count = 669 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB84572234059F857735F85C1AD31EDBDD3 + +Count = 670 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB81B8A632FFA3DE0DA87FD7C837CDC85B5 + +Count = 671 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB81744B85AFFBBC1BCD461778BE6B938E8 + +Count = 672 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB88EB1120D07CABACA249153B43E3C6DA1 + +Count = 673 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8661D421BB10AE984A8F939CD99AA372F + +Count = 674 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB87AB502C3B0BF191FD88BA45D0CF237A7 + +Count = 675 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8889EB450A0B22FFB5F7A51BE100F4AA0 + +Count = 676 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB89A4AC3B73C0640F2CA8CB7447B845DD6 + +Count = 677 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8EB2A76977D78F061D3713C5237ECDEF4 + +Count = 678 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8D910EFD18A7B4E22681C4A1827F14E6B + +Count = 679 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB833D71581F9348DC3BFCECD5F9886F4DD + +Count = 680 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB80FDFFF135CF861490A7ED73713549BD0 + +Count = 681 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB89485D0855E0423BC6B67A425F707FDEB + +Count = 682 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB88B64421708FD01F917C726FD9D6672CF + +Count = 683 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8168537DB9FB43E63632132CFE00004EF + +Count = 684 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB876BBF6D5542C7D071721EEB3BAAC70EB + +Count = 685 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB878960D46A3C5A8B94AFF6702604DD0A7 + +Count = 686 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB87F4542FE6996B63F9662CFC44BB376C4 + +Count = 687 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB89DD077C389A8E14A24589269B20AAD60 + +Count = 688 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB802E99B54E142620D94DD44833DFF1E32 + +Count = 689 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB84510E4C6FC0E99C1716D63C14FE361FF + +Count = 690 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8AB60B4E48E1AEB86BB15C178A7CCDBF8 + +Count = 691 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8EBD0157C032A3D8D9C3CCC52C733CF20 + +Count = 692 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB83441A3E14AFD811D46FB9407BB3B7C82 + +Count = 693 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8880FAA57D350FB6F3CCDB9C98393890B + +Count = 694 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A84E78AF74477D50CC1F6BDC47B81C1C9E + +Count = 695 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8EB715944B946A2E92686095290462A3C + +Count = 696 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8CA1BB4EB2606F295A465135EF0AAF45D + +Count = 697 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A862C56FA1391B757C7CCA8360BF7A0CC4 + +Count = 698 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8E5EC4CE789594C293F318329E8D7E694 + +Count = 699 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8A273A2ED594CD1B140000A5C733A6E0D + +Count = 700 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8743063C1C9B038E8573C5E70CCA0F389 + +Count = 701 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8548F561E529EB04DC67A3DE8B1E75AD2 + +Count = 702 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A87A4EA054BA7B27292957377D5EC6284C + +Count = 703 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8BAD7CD3C8058E5D00389BF9B3F85DD64 + +Count = 704 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A87DD108E2049CF53D18E5771FCEDFA32D + +Count = 705 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A83069BF0696B457F31E7E2041589D2B09 + +Count = 706 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8DC8C334EA5A5BD1D40E096F39C3C27DA + +Count = 707 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8D3066A8B843FFBA545415798DE612B7A + +Count = 708 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F952A583270021D4B9FC6D96E440FBFB + +Count = 709 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A86D0B2ADBF4A73B854793C248B9FA2377 + +Count = 710 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A84C9526AF5734300F860C5F7BDA114BF0 + +Count = 711 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A81F9E3571988C75BA37CC5A5E7728F2F7 + +Count = 712 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A89ABC02399EF1905CB670ECE8B6A96EB8 + +Count = 713 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F7519544E3BD11E35455CB78604B99C7 + +Count = 714 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8DE5B510065D390BECAE8FE4CAD5FB7E4 + +Count = 715 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8EDD6E780C684B74CCE935512096FC9D8 + +Count = 716 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8D213C5CA4BD1AB4D9D2BC34260EF4C1F + +Count = 717 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8538269C2A265E92942AA3A5E9A75F8DF + +Count = 718 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8A1BFB465EB72E3357D8631C4108159AD + +Count = 719 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8EE5F228ED4214AED42F518D5462B266A + +Count = 720 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A80FFDFAE9AC56E8A6CBBF8CC3066A5535 + +Count = 721 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8E2F5476BA0D8A1E30C1157DAB8880A7E + +Count = 722 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8B929BAB8EEBD329D4899E65104A8317F + +Count = 723 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A880EE4BCD92E56A957859754380D8F4B9 + +Count = 724 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8BA9BDF99330BCDFC9F96A1BEEAE77D17 + +Count = 725 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A84686B32FB2D132E41314F146E014C65A + +Count = 726 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8FBFA0A1B600AA3D62D1C341F43A592DA + +Count = 727 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5F5A9105B995D308D4D550AEECE3E364F + +Count = 728 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F554718FAAB5A908920DE458CF9571FC98 + +Count = 729 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5FF9B8A08A6E3F8DF64F18DD73C0D3580 + +Count = 730 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5FDB1BACCBA3BD43BEB1E82F79DCD422F + +Count = 731 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5CD13C852882BEECBB3EF596AF623675E + +Count = 732 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F502AC0BCC7C02BED1D1F29C4C1BBFA87A + +Count = 733 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F517550BF44569A500B8058B412D1436E2 + +Count = 734 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5455FC45C131DF09EF8873F43E4DDCCD4 + +Count = 735 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F558D817E40BF320E597819CD3CF43A32F + +Count = 736 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5FA4CA458819524875881B36857F70C76 + +Count = 737 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F51E1CFF9ADBE06BBD07CABE57784293C0 + +Count = 738 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F59F08F6517CDCDE5948339BFD4709058C + +Count = 739 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F56774BFCB8F052B3173E58286AEDD7450 + +Count = 740 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5A61F8B265148CAE4E8F22A0168DD3D0C + +Count = 741 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F53FB415EAABCB5DAA2B8FAD1953BCEA13 + +Count = 742 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5C142F0DBD465D153AB22FA5167867C7F + +Count = 743 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5C8345D2D4333AC0A3B402194CFF691ED + +Count = 744 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5334D8FFB34D2A348B181B18D258CEC65 + +Count = 745 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F52F2A0DBF157B089C1DF685BAFAEDD764 + +Count = 746 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F536A9F1688DD8F25A2E08BA46ECAF0994 + +Count = 747 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5711C7C5FA284208CB97B9C64BE441192 + +Count = 748 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F56F6533F45AF21A5C0ED259B2FF1DCBEA + +Count = 749 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5A78ABEA0B30392DF1879253B5DF985D7 + +Count = 750 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5F04495565DA372FD001CC838A1DA24CC + +Count = 751 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5683E4C5B58EA09A3EB4B3F34E9D0108F + +Count = 752 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5453490A8926526D35DEE1A98EFFCC7CF + +Count = 753 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F59E5289B6FB35385F73263BFDC774F8F6 + +Count = 754 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5DD2E8D43776A5BAF3799FF8D16AEA53B + +Count = 755 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F58ADC7D6C6D7A5C4AF688C20087629075 + +Count = 756 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F561B492B46F0DE96852C3AE6FD14F7561 + +Count = 757 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5EE27993AD9CE72E1A1584D3B565C12AE + +Count = 758 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F57BA7FA28BA23AE158372C2FD70570379 + +Count = 759 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F55CC4B1D61EC51F04ECD6727A96566984 + +Count = 760 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A047E43B68CBF359B7C97F7A905C80A81 + +Count = 761 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A48EEF9F0664D9E0B98E0A725908911F6 + +Count = 762 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AF77B05CA7A9B995036972E731E34C543 + +Count = 763 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AF5803D23DC32D0F63F283324BB652A0F + +Count = 764 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A0A038A61B4A9AB66F7E5676E4D3157C5 + +Count = 765 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A8832BA8D700E200B05CC0A654FC76E10 + +Count = 766 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A9F341A11D67107662D7F3640EB773714 + +Count = 767 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50ACD257B1C10FF11B3457387D32FFA68F0 + +Count = 768 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A07DD072CB384807F00C9CC33BA5983A5 + +Count = 769 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50ABB94CC7FD3EB6269704E8A2D9471DEBD + +Count = 770 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AA5AF6BE96055F455CE45473116CE64A2 + +Count = 771 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A51312527CC6AEA52AED910035253C093 + +Count = 772 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AE1D7A37B9C3C72A7A405A8C8B1FCA27E + +Count = 773 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A02062053517B30EBADB7F85F435F37A8 + +Count = 774 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A53E065E5A83EF8E0D3AD713758C9563B + +Count = 775 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A1117BDB6E56030726C5555C5E8F1F6A8 + +Count = 776 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A61834E4A79BDBC42B6DDB3B7241F4941 + +Count = 777 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AD93C3014FF7C3955923F7BD385378B50 + +Count = 778 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A94F5A22C1982EE9D7A0D11521C7DA680 + +Count = 779 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A70F48EA7A82E063CEA33CB22076FDB51 + +Count = 780 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AB3829CDEA56FA56D7D45D223B015E55D + +Count = 781 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AF6EA22EBFFB11137EA45E545BC413CCB + +Count = 782 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AD040665EDB0E266716055D2B8B67F83B + +Count = 783 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A83B6C965CE4D260A438C548C38647DB0 + +Count = 784 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AA078D225ECDF96C2F4E0AA525B41661A + +Count = 785 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AD39924039B7626D883787CF5ADC4CC48 + +Count = 786 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AEED518385A99854F2F9DF24E44B629D6 + +Count = 787 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50ADBB14CE581483DC48A8DF0C2D9CDC392 + +Count = 788 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AEEF1CB9B2DF17B7DA5D9A8C86A7DAD5C + +Count = 789 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A592169740440B2998349A6465EC71930 + +Count = 790 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A619205AFCD306EAF1CEF503B6CFE625E + +Count = 791 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AA5B2EE8522FE5A401483EC5C9B44DD0E + +Count = 792 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A7D7AA7B88D535445FAF4B7BB7F06E77A + +Count = 793 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A97969E8978A61C2F23E9FDB4046A5D45 + +Count = 794 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A0FF2C164B141A2476B9F017A25404CF5 + +Count = 795 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AC5624B1550BFFDBBAFF7ACCE1C342BE5 + +Count = 796 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A62887B01033E6BD5A627C2C585B1656C + +Count = 797 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A200FDC87970E654C79524CB5B45C7433 + +Count = 798 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A024CCB0D610A59C04E0A89DA5DB2FAAA + +Count = 799 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A79533D5364070453519D3D6EFD91D89F + +Count = 800 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A4A905D0F91E5D4F8B647AF1D24B1E1C2 + +Count = 801 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AF787840F7A9844FD8AB5C11F3F9D549D + +Count = 802 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AA16E60202A73E6AE4AB3BD4F31F77EF3 + +Count = 803 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AB8332E52CF416FB50879D76DC18B76D8 + +Count = 804 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A95456648E57C609057288685DCE11684 + +Count = 805 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ABD844D002BEF1E075178625A2B76FC97 + +Count = 806 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A21C3953AD772141958C7D2C4FB22C697 + +Count = 807 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A2D97535672FFFB1B94C39B0D08ABF21A + +Count = 808 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A09ED937DA63F6E4E28681E7D4C03D6B8 + +Count = 809 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ADFE002DCD63F0AF98ADE025834F64E22 + +Count = 810 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A624563DDA4FF278164DF5EB257EB7274 + +Count = 811 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AD30963E7A4B5D3A6ED580DC9DBDB7156 + +Count = 812 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AC795C3D769E799C789979D3F4C50C706 + +Count = 813 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AB476AF2F2D0D8E5AA0721A86C65EEAE8 + +Count = 814 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A123E301BC33261FEFFE5A714109A734C + +Count = 815 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACA9FBE6AFE256C4E768A777A6264A795 + +Count = 816 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A67559A16D4F098499458E7ECFE24D0D2 + +Count = 817 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AAC253E94C5D4701E813AE3A1D457CE18 + +Count = 818 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A040826DFD305B38FB0627885AA3629A0 + +Count = 819 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AF2774B5A0704C07510B9F8BAAF7A3139 + +Count = 820 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A95DBC61E35E94EF687091BCE55844652 + +Count = 821 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A34FE6E74A59B3FDADD5D0D3D5FEEAD29 + +Count = 822 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACF2FCEF94647200B2E2E50F863E8A1D2 + +Count = 823 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A80606E21D163E21279E5357A7213DC9A + +Count = 824 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AC16ED198A18C8B08CD72A78B0977258C + +Count = 825 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A3EB6BC12FBB887AE2A4F8C6E70CAC073 + +Count = 826 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEE03FA8D4463188F53FE646328EFADB06 + +Count = 827 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEADF29BF0FF715A931444DF7D4A127977 + +Count = 828 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAC427B4D9885AD47CD11DCE2470B192 + +Count = 829 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE112A096C15CB8CBB6C740D23A8A4B527 + +Count = 830 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEEEC24B2A708F1544CE82826529399509 + +Count = 831 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEADC3587A9C43A71CA1F58B35550066B0 + +Count = 832 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEC50116E9D1F1692CBC2CA3DC2E6D5D2D + +Count = 833 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEC2CD63C9E7AEFE5A3E7CF719B9FACB8F + +Count = 834 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE4A40BDAFC7BEBCDBE8C62D86E8DB067C + +Count = 835 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE84857A4EF3DCF70D2DCA35ACA85828B5 + +Count = 836 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACECA3EB5D9006074C16E53ACE02941E393 + +Count = 837 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDD6154D9BC92949B20A76F093DA1C046 + +Count = 838 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACED25EFE4425A4033C22EDFB1BFFFBC687 + +Count = 839 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE84A985148B7E14B4A2CB1056A644CC1D + +Count = 840 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEB7AF379C4AAD733AC5C73FE97C2FB75D + +Count = 841 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE0ECEED5A360D3FAE02621555D2D4423A + +Count = 842 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE8C502BE808088CF18A31810EE28414AE + +Count = 843 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE0F5F8D7CBF20CA9A7D5A9574488B9A9B + +Count = 844 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEC00A95BB76161B6903623390CE8C55F4 + +Count = 845 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE8362B9073BC5FEC7C6DB434A7FDEA469 + +Count = 846 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEE2270C3C7B0D96855F236EEAE06AF932 + +Count = 847 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE160C7FBF5A91176849FD2CB25868EB0E + +Count = 848 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEB189E4E9E9C18E9C0686B63A8CBEEF6B + +Count = 849 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE683C90EF3B036BCD6A6C1DCE48310D99 + +Count = 850 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE1D779CE89475789445DBBC44DE6291E6 + +Count = 851 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE3C09FC919EFB0491825334FF9316B148 + +Count = 852 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE1C169C7BA2698A24AAE869EB593636AE + +Count = 853 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE6A5BC55BAAFFEF151C62BDD3CD0F67C7 + +Count = 854 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE47EEBDB1B1EF38713FF0B46F116631CC + +Count = 855 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEB8B156210A1D84FEF3940F34F530B0A2 + +Count = 856 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACECE46D11ABE2EB760EA207640A83A603E + +Count = 857 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE18782E46708348C254A64C479F431DEF + +Count = 858 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE0B01864B70B5FCC79A12F50F2E934247 + +Count = 859 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA07B3682FB4BA5366D3EC504DBB0DBC2B + +Count = 860 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA69E0EFC4929A227E1A045A3E40324C24 + +Count = 861 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA5AF8035E40AF9D96AEBA57A600E7EC11 + +Count = 862 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA03A30DF285B08235DCB0F445304C27A5 + +Count = 863 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAA7BBA5CC6A3E70AC6756FCA4C2F0A6FF + +Count = 864 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAC0AF8C6562DCBB46B6F00ECD5CD09411 + +Count = 865 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA72FE7CC80EB910B5032658B4A1488F11 + +Count = 866 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAB4E136F5B6757543BE697C8874C9D7B7 + +Count = 867 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAACADFBC31774DC085B3C4E25DE1F3DAE + +Count = 868 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAD4A89ACEB84D6CD121C1E9E416C77F66 + +Count = 869 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAA15A38246D900A3BAD47D0C0F9F39455 + +Count = 870 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAA7BF17B7C3ACD31A3F19222604718E5C + +Count = 871 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAABF0376F512BAB50BC7CCACE9E878C4D + +Count = 872 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA903B895429451B1832EC60B57FC6E47B + +Count = 873 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAF577F98D8752080420D9A45AFE1A9500 + +Count = 874 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAE93A1F92E0152824EAA1B2A8176F8CC5 + +Count = 875 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA1FE71E4C4EB0F45CB9567876227C677C + +Count = 876 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDACAA5D1D79C6DCBCF0D2130371D066EAB + +Count = 877 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA01C2F935E041324F55162B2820A57355 + +Count = 878 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAAD255CE95A64E623A414D09B17133F97 + +Count = 879 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA4E4CDA10A19A33477B3EEFCAEB8B4CDC + +Count = 880 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA5B306786BC6FAADAC5128B475DDDB505 + +Count = 881 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA14F222FA0A15003BBD3CCA35A362CCAC + +Count = 882 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA85F9829420B77501E29C4BD16A49FF01 + +Count = 883 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA81F0725706B50EE84B399FAFDF59560B + +Count = 884 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA8D82E1B209D7950A67636B886856B6FE + +Count = 885 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAC2BF8980DEA30A84BE7D371417E19221 + +Count = 886 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAC232A74F5D2A00D49FC01A00D0EB7D7C + +Count = 887 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA67886DF04E40A834E2FE0ACCE5F3FE29 + +Count = 888 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAD08DA354B902BDC80C71301FFC96F9E3 + +Count = 889 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAEB257EB10CA7013B2CA85C66C5793DCD + +Count = 890 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA567C31552FB14E74B578DCDC680AEFD0 + +Count = 891 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAA3A404BDC93ED6BBA9F99B6BA63D731B + +Count = 892 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3587D4453EFC0E205626538BC7363ACC30 + +Count = 893 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35298D8F93EDDE779E491B005465BB5DA0 + +Count = 894 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35F4065CF0DF03B5DB143ADCF561960CDD + +Count = 895 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35D0484BC0AA44F0A725F1095A9D5C3B17 + +Count = 896 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3585111D1EC9409FA830018859BA1BF433 + +Count = 897 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3592752E68A3A7DB8EC638E2DBFAE9EC01 + +Count = 898 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3582B197A0403048221310FFB2EAA5A47D + +Count = 899 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35BC47F3A73770A6572BDB785434311C16 + +Count = 900 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3523A6E1020F61FD834452EA9C9EC00871 + +Count = 901 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35A92E905E800025A1948A952A26909983 + +Count = 902 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3577824ECCDE9C13F57822DEE4CE2F970E + +Count = 903 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35A83304AF5FC43D665944D283FEBA6753 + +Count = 904 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA353044644A6C163D80B7675E66D52DCEBA + +Count = 905 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3503D62F8BDF6BBEE4198C721FDBE58651 + +Count = 906 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35942CE395F4A6B4DEA11233984AE2EE21 + +Count = 907 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3523299F74E08D32E95C434875B671C4D9 + +Count = 908 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35D0D241CE52F0CE726F374B6DD275A6B7 + +Count = 909 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA359307B6E146EB69F2693762CC222A962E + +Count = 910 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35804A09365A238BEA1CCD88DBAB0FF14E + +Count = 911 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA354F9B071A9F747B59ECE99B52A4860A71 + +Count = 912 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA351AA0C34C51E5348151161D9835F6604E + +Count = 913 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA355B60C5B5A9019AD23A2C9B8320DEC062 + +Count = 914 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356368146F3689D66365F1866AAB509049 + +Count = 915 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA355C45B7D44EA0EDF6B441A03545A25498 + +Count = 916 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35422D43EB4D2E20F563E40E8F5539D216 + +Count = 917 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CA1D405EC91FFBFD49D470F27AB5647 + +Count = 918 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3596CBB63879EAA85E90C99E7A33A473C3 + +Count = 919 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3502B71ECA94E93AF57175635F97E12D11 + +Count = 920 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356EF1FE1E4FB8FD08F89114FB5E2EE195 + +Count = 921 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3530204C3F15B505BCBD294A163E7A3953 + +Count = 922 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA358547152DF2735EDD767785050A495DFC + +Count = 923 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3556E3AB9A8444C6FCE2DAE2D67EEEDBC1 + +Count = 924 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA351EFD0E17AA53E2B76FF6C34087F80F02 + +Count = 925 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C1528FCD331771674CDB3628A9B2251BD + +Count = 926 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C467D17477F1D4758F9707DD749A5F641 + +Count = 927 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C789E2C5F15CF4F438152D0827A8DEEA8 + +Count = 928 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CE39ED9B331E1BC820C3C0340C999762F + +Count = 929 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C52208C1E6FA97790CFDF3366654850D8 + +Count = 930 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C56C396EE40B500B19651968F24C2AB13 + +Count = 931 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CF21B78E12069B9028CAF494A4E866985 + +Count = 932 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CFCBAC1155D46DF7EDE52723266B7DBAA + +Count = 933 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C43BEFD90671F74FF5DE2536A5BB84AE7 + +Count = 934 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CD2359F32A0970B8B1B20B1D70FBACEE5 + +Count = 935 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C4CB2C2A3B1136EE982D0B73D3826F8B9 + +Count = 936 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C92D36227C4497638E45EAA3CE261039A + +Count = 937 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CF453A4D1C460F84A37E257A17A9F216B + +Count = 938 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C034FC4C85BD5EF6656C3F7E0465DF99B + +Count = 939 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CFF36CB8F08E85AA4A35095DA1C496BDF + +Count = 940 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C11619522611F569E4E8226D8EF295738 + +Count = 941 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CB5270276FE506D40C85FB8097049F3FC + +Count = 942 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C8DA6E054CFA8F1323B2FA3ECDA1F5DC1 + +Count = 943 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CDAF7CAFB2203A31670E8A6C12065B278 + +Count = 944 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CC4E3FC703A9D446FA54ACEBC9767267A + +Count = 945 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C2098474493C2604D4ECB20DE7A7E70EE + +Count = 946 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CBB23CCF044E7E1870276B1576153100F + +Count = 947 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C911E11CAE22D9FFFE02BC3933A641044 + +Count = 948 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CB270ED1F3454DD63CC5B1307D7AE16D0 + +Count = 949 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C633198DC2E1201C9D5120E9BE919E653 + +Count = 950 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C74F4FF9B72D0EFFAEC0FD7976C3D7A79 + +Count = 951 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CE5DA1C88CEAEAD3614707EC18B3AC6AF + +Count = 952 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CE9B2CCAD910D81ABEAD34D6CF30783ED + +Count = 953 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CE619B3BCEBC14BF60B82789AA99D1C72 + +Count = 954 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CD5D89842569ABCA44336A148F6C658D1 + +Count = 955 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CF15F6262D883C78AE2AD101E6E31D474 + +Count = 956 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C441FC5577069E95A6B4B5823E2C73978 + +Count = 957 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C0E6CB1AA13DC83E0B604C797F49CAB3B + +Count = 958 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C96AA8A20A8CA4A697D9254B28B4D3C08 + +Count = 959 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CEE4080F66D618A2D50AB6F136A39602F + +Count = 960 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CC75F8BA1E1F5100D3AA41EFA4AB6631F + +Count = 961 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CCF1A13EA16176CDF42C468F4B090A605 + +Count = 962 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CCB5C550FFB48B3D6571C346CF8EBD8E7 + +Count = 963 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C1649C9521627EA0C0DE132D09470FBF7 + +Count = 964 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C5C4859475E39D2A3A22762A39B960763 + +Count = 965 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C0A7B4FCF7359F93794A59974B2DF974D + +Count = 966 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C82128A12C9DB4F2A68C47BBA90D0F979 + +Count = 967 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C9B6DD1FD1FCC8A0E6E35F60C0E542D81 + +Count = 968 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CB10399B36BE999CB031BBFFEEF51C262 + +Count = 969 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C307AC0DEE7A79C1DBC2EBDE9127E5E3B + +Count = 970 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C3BDBFEBDF28CAB5868F3ED37A8205822 + +Count = 971 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C9313F314999F6090AF979EA5AC5E7620 + +Count = 972 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C655B3FA02CE377D348BC8F63FCD4D737 + +Count = 973 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CF0982DB89B1EE1C5AE810D75400BD47B + +Count = 974 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CEFCE09513F3C3874CCCF9D7CBBB5E68C + +Count = 975 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C7B4C3599426AFF95B07C4A62A768C9CB + +Count = 976 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CE5B9F166D079669A683F8CD1AC40288F + +Count = 977 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CD9DCFC217FA1F8FB11222DDB9F03A242 + +Count = 978 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C3E66889E00872F439C27A8C44D0A0955 + +Count = 979 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C4F0405F20EA3EE8F904FF5AD247F3D79 + +Count = 980 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CAD93CBEA961592496EDEA31221191756 + +Count = 981 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C10AC9BC8A3BBCF16A407F54A28748D92 + +Count = 982 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CD21B11F0946526D3D30B466B7282EC74 + +Count = 983 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CE8B59A7EDC781EB555F25ADE0EC38560 + +Count = 984 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C0043DFFAAEEAC505D458EE670676E8EC + +Count = 985 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CFAA354641ADF282B121795847A6D39E8 + +Count = 986 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C58659D22BD96FFF79F3F7B177B3ECC09 + +Count = 987 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C20488FD065666B594D705E6CF19440FA + +Count = 988 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CC36FB3CF4A967EE54726581FE5CA3B66 + +Count = 989 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CC1232E04F3F67871733713451AF8938A + +Count = 990 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C209EBAFD96558A3EEC10AF56BAAA4AA1 + +Count = 991 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3CC03BE3B7BC2EF28F3ADC5EF231E2659 + +Count = 992 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3DE22C5446AE9844A60806B86D7445680 + +Count = 993 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3695EBD3F5EA71DF45A9003285E0C1E36 + +Count = 994 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3828C8BAF0753C140A4E9B1B252DBA93B + +Count = 995 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3BB3E28A6B646C1C84487BF38186FD7FB + +Count = 996 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3F825479EDA8F691CAAAFAF28791CC78A + +Count = 997 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA39ED10CDA5BEFDA728C25C724AE328FFA + +Count = 998 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3859464BA6DEAB06F7553056C6B53B80E + +Count = 999 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA390024BDEF107E4F1DA6604333566E563 + +Count = 1000 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA34055304891C6C34558043267E63D9E73 + +Count = 1001 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D6E996B29CE3828835B819C71668C865 + +Count = 1002 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA373CB9C219F04D66445954E39C32DEC49 + +Count = 1003 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA36D43487BA4819AD4B5B87B05517F3CBB + +Count = 1004 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA352CDB1F825651738FBFC1320774313C2 + +Count = 1005 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3BE3753D0E204CF93ADE541A808D155FB + +Count = 1006 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3AF45994856767D4EAB1C1A276BE321F9 + +Count = 1007 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA316AD7079FED6A86EB6262603772D1BD4 + +Count = 1008 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA393359EBEA682999C1AE93DEC45AE1139 + +Count = 1009 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA36BE227452E606CE36F9A5043C1AD1E69 + +Count = 1010 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA35A6C61296F4F0E1F54CCA0603EBD8A33 + +Count = 1011 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA31B80610C6014944DF72722A097AEE699 + +Count = 1012 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3811737E468DF247415A71FAAC4AFB029 + +Count = 1013 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA360D7AE00E5B2420D1C868A77E83762CD + +Count = 1014 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA341BE0A13A28B3BA157F54A2503751678 + +Count = 1015 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA303055774E9BDD524EFA7495D2340E3E6 + +Count = 1016 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA31FCFAF64707DEBDB379E7891ECFD7507 + +Count = 1017 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA303327F572343ECEFE02B86FB57BD3151 + +Count = 1018 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA37D49CD76FB33866FAF881E0F43838551 + +Count = 1019 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3E908DAC98FAC2C33C9AD95D3E449ADF8 + +Count = 1020 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA32DD2F76808E7F3EF4F395CB9BC4CA402 + +Count = 1021 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3FB4C98D6B13895AE53E706744AAC69CD + +Count = 1022 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA394C4374EE6A52AFFC25F65A6CA27A600 + +Count = 1023 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA37E6BAC673A3B47BB63441CF9F9EFC45E + +Count = 1024 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4249478DF6F7535F622296A5DC58EC99A + +Count = 1025 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D42ABEDB5926BEFDB64038A7A411972DB2 + +Count = 1026 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4A1E0E214C7CF75C27B47B5724D8F2F98 + +Count = 1027 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4B47EDB5A7E3610209F7DF810A73DCDBD + +Count = 1028 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D466C9EE2B035949ED83B3E7120B31E860 + +Count = 1029 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D496ADD2521AE005796B166997F26DAC0B + +Count = 1030 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D49E422658B3ACC8B3CB0AF1EE2599207A + +Count = 1031 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D484E2667E0006399887441AF2474405CB + +Count = 1032 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4BA6C44E41035845EF31D6658E39CC81C + +Count = 1033 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D438E5933B35936D036825F7A795BF3E2E + +Count = 1034 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4D1D3FDCED557228F683743B2D8799D0A + +Count = 1035 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D41202B3565C3C65D0572D1B3EB0792F7C + +Count = 1036 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4FC854FB6E1002A94A5499BBA6C6C30AE + +Count = 1037 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D460D1C0C492512BBE91205115FFC1AC7B + +Count = 1038 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4EF5AA1DBAF959E4D6052B7BE9EE42FFB + +Count = 1039 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4D9A4AA179938C3E9B3E3E9A935C55DCA + +Count = 1040 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D40879E9FFEB18D106C1CD3AA8692FD727 + +Count = 1041 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4C117AA931B7390709198BF13773A6764 + +Count = 1042 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4081BE303B77443EE119108E3EDFBDF58 + +Count = 1043 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D47356815D937818BC7317F54ADE5042F2 + +Count = 1044 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4ABD51B5EEE071A597184EA565F022A5A + +Count = 1045 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D412A71366FF53E2B4DA38C4498B1216CB + +Count = 1046 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4CD7DAC6279D7188C40562F46B54F588D + +Count = 1047 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D420C368B0BED30CE6456F4CE341CE13E5 + +Count = 1048 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D429E0A693F4F772B3E427E4D76B68B10A + +Count = 1049 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4510B6B8695CC75E988D087F015E4B2E5 + +Count = 1050 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4915EB158B57FF8C8E310A3C0CB775FCC + +Count = 1051 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4E05394E09915C291844D091BD7B9F223 + +Count = 1052 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4A6F4C48739AC1147C8B3BD92513C99B9 + +Count = 1053 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D440DCCAAEA9BB9AAFF1A86F4782BCDB35 + +Count = 1054 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D45E1278B9E1635673649D81EA874118F0 + +Count = 1055 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4EE5DBF8EAB7B07EBC61B439DC9E1AE1C + +Count = 1056 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D43AC5AAD7A9487183448DE2D62D752116 + +Count = 1057 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BF1FFF1857830BF9A555B3409441F45E0 + +Count = 1058 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BD7298C8C101F4048C8948CABC5119CCA + +Count = 1059 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B5CB3BE03DEDD6F6B7FB37860D4EAEF2A + +Count = 1060 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B456A436E59AAB966D1488C6F33566325 + +Count = 1061 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B20F471FD90DAB63B96994540E66DBC4D + +Count = 1062 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BC4D8F06FB891B76A3272A9A6D7DFE469 + +Count = 1063 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B97DA4A3329A97B9094586F8F58709B3B + +Count = 1064 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BA870B060557802EA48CBD5B212C4D725 + +Count = 1065 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304050607 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B3EDFC9210306009288ADD5FB7A3388EE + +Count = 1066 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BD9B6EF4828ACDDA4AA783AE56CAC3E97 + +Count = 1067 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506070809 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B3D38E5AD8DC193AA17D3AC4B17C5245C + +Count = 1068 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B85EBBC110059022F94057274513495E9 + +Count = 1069 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BE52C86820DCCABD49A3E4913CE99772A + +Count = 1070 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B09CE8E6BC0B12EFFBEB808E731ACB428 + +Count = 1071 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B5255E43EEE68EE20E7CFD964021423E0 + +Count = 1072 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BC6B5A81F5B01D3D40E9DB36CDD56423C + +Count = 1073 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B8745B7A198ED0072049BE9F5280BE8AF + +Count = 1074 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B1BE8664368D6FEF4545F27288B05F25B + +Count = 1075 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B29E1BF87365C7822A3E7E638CBB0ADA1 + +Count = 1076 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B95373DE96DC09453FB89138293447AFE + +Count = 1077 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BCE17340AE1AEA1739EA48AD2602C1F42 + +Count = 1078 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BAF8AD9FF6A0AE5A9488C1F8CD77997F0 + +Count = 1079 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B754A253C41AD0F8939A4C5F065AB079D + +Count = 1080 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B76AD56E80943117272F5C70339779C54 + +Count = 1081 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B82AF1AA2707B28EEF970578D59C5005B + +Count = 1082 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BE9CE1FF29E4BED98C4AFC83A7A6ED111 + +Count = 1083 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B6A224ECE0A56F52B422FE9843141B26E + +Count = 1084 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BE5EDCEC1D9D5492BCD12BDADE90811DE + +Count = 1085 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B0D95BEDB118303D9269B3B5F73DFBACA + +Count = 1086 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B7A8986FFAF938C3E145DB93FCB6764C5 + +Count = 1087 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B804ACD07F8D5490F75250B0FE4322463 + +Count = 1088 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B8BC7FE9E9ABEB93AB626E4FE11A667DB + +Count = 1089 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BAF83B960928F1E4CC975EA24F488202C + diff --git a/isap/Implementations/crypto_aead/isapa128av20/ref/LWC_AEAD_KAT_128_128.txt b/isap/Implementations/crypto_aead/isapa128av20/ref/LWC_AEAD_KAT_128_128.txt deleted file mode 100644 index 14d9e21..0000000 --- a/isap/Implementations/crypto_aead/isapa128av20/ref/LWC_AEAD_KAT_128_128.txt +++ /dev/null @@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = -CT = 7B94EF35AE55AB272C9C44D6C1CF0102 - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00 -CT = 40FEAD6FDF1C2D6D6EAE40DEDDFF9F55 - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001 -CT = CFCFA290EF310E3AC17F94E5FB6A6CB5 - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102 -CT = 6DCFE6F0AA3C033088ECC0B510A04621 - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203 -CT = 7EB2B5F0E99C87481B0D2B9EED843A6E - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304 -CT = DF2A631E42081B3484F88111E885102A - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405 -CT = 426624B11EFA922063FFA2819D07B833 - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506 -CT = E1634C37D738296C4D451010628F5A68 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304050607 -CT = 7AE5F96BD1AE7F5B08FA85177750B6B3 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708 -CT = A510A73839FD7778A28C57597D553835 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506070809 -CT = 2A6734132A1A441D73595388ED99645A - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A -CT = 195F687994F5D96E447218820AF2E564 - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B -CT = 5A2CBEA8CD9BCCD9DC7AE883A0DDF1A5 - -Count = 14 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C -CT = 03805BB0A39DB5257D38758C57C5E1AF - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D -CT = 647E6DE047568F7653DF4475EE7EE197 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 33746E6FE412644C136A086978C098A0 - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F6C019E38CE48BD96C92E04DEDCE839 - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 7D9AFEA7387AA4E2FEE43B656DF1F7CE - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 323771011AF75827561378B54C346766 - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = BDFEA6AA74EF2DCE9A40565F51774879 - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 70E8D7AFAA6A932E1A735F9E92A78616 - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 5965D02D9E8AEF127C989A411DC6CAF8 - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C19B1B8CC1B30A54FBF44CC38ED74C71 - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 9A00715C9B0F13EE41260F0694F8082D - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A44BF6EAD69B12BE91E5FC36BB213D78 - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 8D80A93216387DB161710881D05DC84F - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 72134A43A2F5882DBAFC7CB35F0C8A48 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 031B61608B40F2622D03361A3B66C08B - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 79F8D5D5B0F26435975719C080F89586 - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 8CC301CA674CAA17775671B8722E3DBB - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = D851AF19E33AE33AA661A8ED64A38434 - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 492E0B743D4B1A209414431158083DA2 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 0FD7B1D873F0F0F8D5B6DD32D0CE3009 - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = -CT = 2CFACF138C6FDBBCC8763A7205FD66316D - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00 -CT = 2C4522C1765C743B9D0FD335AC4BBAEB45 - -Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001 -CT = 2CABFC2912506FF9136DC27DF1DD48D9D8 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102 -CT = 2C9B7F0A598A5B0EE0F7D0BABCC9FA303E - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203 -CT = 2C1B6828AFAD4E01993ABD6480239E1DEE - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304 -CT = 2C874BF2DA05394C04E93C83777716661A - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405 -CT = 2C9B5D1FCCF2B25056E3FCEC341FE5F6D7 - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506 -CT = 2C9D161B0730C571130FB00B17A7149099 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304050607 -CT = 2CAD812235FAE6C6F35436CC98E6E38868 - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708 -CT = 2CFE0D595478B7481A543F85CB01890B71 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506070809 -CT = 2C6C49233315DA8B9A499AA55425C51AF3 - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A -CT = 2C5B5C3865DFE4E94E37D795C4194E62D8 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B -CT = 2C04327C849CACE95ED64F8AB23751DD6A - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C -CT = 2CF9AA260A6353BB97992E45A0258BEE05 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 2CAB26252FE18672E335A7EA51F636D275 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = 2C6E252A9C557D629295F31B86CC563A87 - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2C97705FEA7D1E16F9299204483F65AA11 - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2C2C3252AB93747ABCDDE83ADDD9B9BA2A - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2C4D13818D2E536A32DC151BA6D41583E8 - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2C8B12B7FC6448B2D37EC90CBBC1C15FC6 - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2C5E2AC4325E4961F7CED515DB28340D62 - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2C73AF654AB63E8ABE6E7E325B0134FBF5 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2C8FD5BF337E5C76D91B7287BC6546F5B2 - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2C66C660556B16CB62E92B8B88F641E153 - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CA97649FBECCF792708796DA5223F8C83 - -Count = 59 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CFE733D270EBC8DD121280465DE6BDB22 - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2C689E4F4026CFC87FFA3548C0501B50EE - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2C1F8A62677F763F39D9C4FB602BCA5BAB - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2C11FB4EF7E999AE09EB704635C2945865 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CC18B65539D61DF2BC506657C6A6FB6B2 - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2C10E714D8B23B3EDFED28A4FDF361F626 - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CA245C3E398A9B83E65075AE28A9AEBEA - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CE05615570495AD908FE230D00D9CC0D6 - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = -CT = 2CDEC77B90FE11E2CCA0BD535AEAF2344709 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00 -CT = 2CDE0E1D9882193D7E84EF85FCEE265B3BA0 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001 -CT = 2CDEEA6E3BE4353F7448FF940ABAC08D9D06 - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102 -CT = 2CDEDE537D72CF39B1907F0AEC8C96E1E024 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203 -CT = 2CDE8C7899695BEFF19186DBDC78C76682B4 - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304 -CT = 2CDE4FBE55EC204CDAE48F1E6EED320DC1E2 - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405 -CT = 2CDE3B54B8813F9A029C64762751EE895A03 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506 -CT = 2CDEBD8BA52F5C4E28F0244879EA02D7273B - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304050607 -CT = 2CDEDA452D80CD5299C4BAF6749615A4C584 - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708 -CT = 2CDEB00F38EC0867F450F98C8DB5FA34D313 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506070809 -CT = 2CDE59F166F1C62F3FDF96E8A1945477D59C - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A -CT = 2CDE101FC592F563C7CC9D714EB7DA9C25D9 - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B -CT = 2CDEA967C9AA70DF3A7D960A1420A446A08E - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C -CT = 2CDE6509893AA367A6E6A4862C1BD9DBA216 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D -CT = 2CDE8547A9FF896851EAB63D07848D6DE8E4 - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDED70433B7204D2094582E4785A5FF659E - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDEF22596228D6E6E31F92CBCACF3232510 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE90F4A1707F5850BCB2C6EF3F3CB08936 - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE46ADCA338E00D9A7DA0915F6DE63D85A - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDEB13AB235A5D46E2F9050BE3B0EDF9F31 - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE8DD93270E11F7196259B05482B1205EA - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE054A926FE503EB3824E9C450982935D4 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDEFF031D2C0D7B88AE59AD9A26DDF7B850 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE0390BBD12E4FCCC92A80741E45831170 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDEECBB2258E3A6AF2E37C8A69913DFBB0E - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE47D658DF2ED4D0F8BE9061793D46D196 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE7E15FEB68672390FF3C92F26C65A903E - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDEC4CE1DB346E2CDAE816F0FECDDAF5AA7 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDEF6766636F014EF10A6D966077905EBC6 - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE3C1EE523F38DAFB44F5AA080AA44267F - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDEAAFF9699B736E55C7613B3BF38CB4EA3 - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE42C7711EFDF8293A106D62D925FBA3BA - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE62C20AD95880F81ADBB861B1629B9558 - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = -CT = 2CDE2857024E1B8FE9E3780581B68F505A423E - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00 -CT = 2CDE28C9B00030368E541382494F3150883231 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001 -CT = 2CDE284254554F5D30B528D3DC6DFDB1D136EF - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102 -CT = 2CDE286AED9172F716383CD7B0824BA8507390 - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203 -CT = 2CDE282010B7656C208038CCEEE1B423BEA303 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304 -CT = 2CDE28E4F87869CAE592171BB7692392983844 - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405 -CT = 2CDE286B2B247E724EFD31276E4D284CC31006 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506 -CT = 2CDE28C7535777FE9A4387A3874FF1084FE83D - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304050607 -CT = 2CDE288577C09256A94E80F85565B36F94B419 - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708 -CT = 2CDE2856A12D0146EF93DF643064A3490D13BF - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506070809 -CT = 2CDE2832E19248493797B5B25B8207D5055C09 - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A -CT = 2CDE28497B6CC277366647B258E7BDA436D715 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B -CT = 2CDE28E6D1844B9AE58D4970E7546D403BE408 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C -CT = 2CDE2831071909BA039192001D8548D86CA9BF - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28B0AE521AC5BD66E03FAEBC88201A0BF0 - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28AA2A10A873007242AED062E2BAFC5947 - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28031AA0CD1395CF262B9AA431CA8C9AC6 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE282B094D11F131FB61B24C702864F2EBCF - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28E6D5E86BE90B1EB64DC0DC83F5C095DC - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28841032F2D8983140E04175FF1AC5F514 - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28FB6F942D96395E6A3395A9E46D65D738 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE288320FD2EF8AAEDDD9D62BFD0221A42B0 - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE2857E6842AD572ECC12869CD8F2EA4533C - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE288E08FFD326094A71626E6EAF55BC7785 - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE283899D225AA2DA3F25C6679FDA12B3DD0 - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28C9D751C98C2039C74947636780D6C7AD - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28A8AB876D4AD7825DCB974F662038959B - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE284B334900CA8BB1BB870312B0BD6F67FB - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DCEF02E0B3B817708966605BCC4CDBBD - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE2826D5705699B29E9B2AEBE7BD6A05C6A4 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28FEBD2D8AB8DD83EE53F6B1FFFD4BEDAD - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28FFA1F7226721C26CB9436CEE4B2A45E6 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE2825549FB71AAF43BD351BCA3D88E4EF0E - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = -CT = 2CDE28DB0F0F144EE19A84BF8C639AD5802854D2 - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00 -CT = 2CDE28DBFD2DACEA4B18FF83CB627D0DFC91A0AD - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001 -CT = 2CDE28DB0F2B993296BD82BB7E1EBCE9D4B9D238 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102 -CT = 2CDE28DBDD1F42D621A8C6A110F67545E6087E0F - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203 -CT = 2CDE28DB59846FB3B0E3A66EFD5FC50B7F397A22 - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304 -CT = 2CDE28DBDA22A87918E2F39D0D03E2F0842ABD97 - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405 -CT = 2CDE28DBEB53205C555E6FC4C6E98E03CAB07461 - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506 -CT = 2CDE28DBE0F14ECB79AFA15094D416FA29767BA6 - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304050607 -CT = 2CDE28DB96EC263A8940713057C71E4AAFA65400 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708 -CT = 2CDE28DBAC668AA234EB02FCF134FBE310C57EB9 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506070809 -CT = 2CDE28DBC0956133CB70D62EE50B296FF629ABC1 - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A -CT = 2CDE28DB552797D5EF5724B4B61AC7AB50F8603B - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B -CT = 2CDE28DBD0454AAB232BB57B7AAE3061D698DB90 - -Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = 2CDE28DB8094D05DF16FEF6591B65F5BDA26ECCE - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBAAD01994FDE7AC8CC52EF48B00D31132 - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBA319E1D36B4FDA32E0B021E671001646 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DB95A4DBFCC361C983E2981159D1E4F6B5 - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBFE6B85C4392544EB728122DD7DF931DB - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBA3AEE625D588F28DDEE26194F74B3149 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DB05ABF0D0749F9EB8B8FF080E6277EBD3 - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DB8346E57C11AC5B6C9E141ED925EC6AA4 - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DB1D2E7E82C3D2BDF31EABB5B747831317 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DB4ED3F49524BB1DA406C52A8511C52DB8 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBF095B3033038854E73B98DCE0E162C51 - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DB4D87BC3AAA6CFE9B1BF4069E4383976A - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBF77E1354C82FC48CB3D3E9F130BC0855 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBABADF4D1142380E45A6AC455EB51B3B4 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBDD2E07F43D008038459A0F77988D3E5D - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DB911FD9F02EBD3C3C69068828B14C220C - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DB249DA6462B10D52092EA8C3F22AF9DD7 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBEF52EAFC6AE1ABBD0BAEDA543AD270EE - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DB94AA8DD7EB1E1B6B6C0BF9E350398790 - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBA3D378D1D00D29F86E26244CED4D4635 - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = -CT = 2CDE28DBBBC27DB0228D78F35D34033FB16C9DD181 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00 -CT = 2CDE28DBBB3989A3A5FBC0D6290441AE232CCCD9E8 - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001 -CT = 2CDE28DBBB47FEAEB476ED2E7988A50D979FEC699A - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102 -CT = 2CDE28DBBB4F09A5ECC4FD2D6235F13154385C58F6 - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203 -CT = 2CDE28DBBBD1D0571F7F5789C01254F98E10A5E15C - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304 -CT = 2CDE28DBBB9697941C89D12B619DEB928401AF9BAA - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405 -CT = 2CDE28DBBBF0A871E22936E001DA7CB08990DE80B7 - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506 -CT = 2CDE28DBBB7CFE82E6BE16815BF2F239C54F044EF8 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304050607 -CT = 2CDE28DBBB787779C81667518E06AC34E807E31EF3 - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708 -CT = 2CDE28DBBBEEB301D577F03F757DF181CD9619D21E - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506070809 -CT = 2CDE28DBBBE5D602A73782B22BCAD7C8E44134F482 - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A -CT = 2CDE28DBBB6C8092F3222B701E9A6FD515A0094F0F - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B -CT = 2CDE28DBBB2BB6C5085AD899E42CEA3A2ADAAD6DEC - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBE1B0729821B22BFA03113721349AAB39 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBB54D6DAED54E385C7A90A1FAB68D17E5A - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBEBBF5BE0253B6E6A542112560001CB33 - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBA8088B083D305B6C74B5DA2F66884E9F - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBB5970988A707886C3029603960AC903A2 - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBF66E6D994D7D1519B7678FD8D623EA54 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBB0832FAD08C2F021021A137EE1BD0E544 - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBAA7FD60008B2555BA9B6BCD4C8A11F95 - -Count = 187 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBB1BEED41E5496CA6799730764109583E7 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBDE47C75793A95B1107B151529C8421F4 - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBE0E066F01138FE110D393DC5CE51B97E - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBCE729883B22025BD67D80960951DCFAD - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBBF1652BDC9FA60D9A00F3074065203DD - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBE95F4FD9F89AF5933E9FA59E6B488CED - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBDD1CA137D73F38FB83390A7ADCF778DC - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBDB8CD1AB40B85F1A985BC07920438D3A - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBB5BBB47743AC9A60D372E257DA4782E92 - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBB5439AD10EC251A5ABEF78EAB630BC312 - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBB5061349F789F1B4CD0723AF868432C50 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBB0F63B11AC33DD4E826E9F318C4436355 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = -CT = 2CDE28DBBBD94623D3F60051B0967663ADCBFDD543B2 - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00 -CT = 2CDE28DBBBD9EFAAFEA100BD9BFD081896841F669FCC - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001 -CT = 2CDE28DBBBD9DE3AE2F2B4DEEDA3A43BF01F8075CBB6 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102 -CT = 2CDE28DBBBD947F9B9B28C1E550E6505AFB814B7B1FF - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203 -CT = 2CDE28DBBBD94A9402FF3DE417BB0325640FD0A4974F - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304 -CT = 2CDE28DBBBD96BB482AF6FE34FDE7577816B0CF44D6A - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405 -CT = 2CDE28DBBBD931D8B75C49152D8FD0927DD1618A5308 - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506 -CT = 2CDE28DBBBD97A0CB56DDCF23541695AA86189290552 - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304050607 -CT = 2CDE28DBBBD99D937A70327BCC85C4DE14A5DB1B64CF - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708 -CT = 2CDE28DBBBD9F54EF8013B08647890C35BC991F144ED - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506070809 -CT = 2CDE28DBBBD968FB5BAD811EAD224221836602B8E7A3 - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9AFDBBE401FC7FB3DF2E0B3675A23BA42 - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9EFDAF75B643D78E6996C2BABDAD97817 - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9E467E855BAF25B9F5A25A67D1D68F731 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD901C2D9E28F71D502A2B2020CFABA539D - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD90AF3A4F079A5BF8489F841F1F883B693 - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD981C7B6F3ED0A541F676E0C0DF1E5C4B1 - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9D48FD2176623B2D8BA5821C14E6B2029 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD97F6D6B045380210CF005F68B75FBA702 - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD923A278EE278F3E9FF27FB8E498C313D0 - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9E2A117A5847480E0008B3FBEC72FEB92 - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD94CD6E8CA9D65EA70D1311E900868C8C4 - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9D215A18C93FA401A6B0D3124D3E2EA65 - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9950C352160481DFD56AC09BEA5AE78E2 - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9AE5222850112DD4A93B69F5B5B06E177 - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD93A60A1FA82E8FB4EEBDFAAEA7F49302A - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9371D001078496201E893AB4AB008D8FD - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9B0CA5E9AB0CC430C0ACCAA5DD9B78052 - -Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9E334C93DAAEEB0E939E53421EA4F5BAC - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9AE55FA6B9319A27E63AACFFC13011957 - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9E424BCFADE99556CD89471FD16368C94 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9F9D7E4EBEA16828DD1660F1FF31E52C3 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD97562E5B4FB5298023683A663EA924759 - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = -CT = 2CDE28DBBBD91303BB03B4D02D5A90820C0FE6881A7E23 - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00 -CT = 2CDE28DBBBD9133EF9BE7D7C85D3058E3A6EA4DAA34AEB - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001 -CT = 2CDE28DBBBD913E1529EBB468B24632D8736C2E038FF9F - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102 -CT = 2CDE28DBBBD9131DFD78895E2971E1ABC36B93EF91E7F6 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203 -CT = 2CDE28DBBBD9130C956536193457760EFECB095821962E - -Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304 -CT = 2CDE28DBBBD913BF055B43E8B00326549567D85B1B3480 - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405 -CT = 2CDE28DBBBD913E3F5ED645C068E904FB993FFF67F170F - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506 -CT = 2CDE28DBBBD913E93D73908F7142FC6D203D030CEB1771 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304050607 -CT = 2CDE28DBBBD9130B095F7BE5376BA7F661AF4EF29990DB - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708 -CT = 2CDE28DBBBD913EAD9CF758E33C8508F9E7FF2B5903068 - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506070809 -CT = 2CDE28DBBBD913ABEE4384850E6285DA38D8E822F19834 - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131CEE65C8A2B8F9AA5DADF57FC65C485A - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD913E2371DB8E489B678C14A9318EAF70C59 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD913272DF55DF693077BDA71C5BC4BF6A8D6 - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD91394DC6A703F6B421627972A4FB97D4E78 - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD913835F5CCB302FAB76E197DFC724938212 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9138BD555E519065BA825D5ED9F1E1968BD - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9133781D980127DADD00515549A1E854358 - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9139E3B0F224B965C6A6807801A902B06B3 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9136B2D56F700F71BEA006025F94CF70C81 - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9136E02D119678A21FF5B0EFFABA1096FE0 - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD91331ED38CD274333A27EE09D39B54B811B - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD913039465F85B2745D1DAF0ECC0CBB6DAA5 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD913A9135E70B9426011EC00DAB094903F3E - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD91323DC1F8FAAF543C95951FDC1788589D5 - -Count = 257 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9130B79D110254A2B8597617F8837AEFC40 - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD913E14E2D3CD83AB73FFF447B6B919C081D - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD91387B38E2F0AE339F6D0870612FC6C99ED - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131AE042F2C988AF04E7AABCDE338398F8 - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9137306F4431711EFCBC90E1EEF67E85558 - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD913A74E60265DB26F772C4B6313CBA3EDD6 - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD913AF29CDB68F25B9FE08DB27D146A9EA2D - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9139F5F689AD2846C77EACB9B53C9500E6A - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = -CT = 2CDE28DBBBD9131ED3F44B4FB43055D5AC109F83F530D165 - -Count = 266 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00 -CT = 2CDE28DBBBD9131E3EB91FA1A81CE5C87077D1651424DAF4 - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001 -CT = 2CDE28DBBBD9131EA55C69346E5012B5F356E1AB19171A3A - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102 -CT = 2CDE28DBBBD9131E9E507757D5319B46248FA071D00650F9 - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203 -CT = 2CDE28DBBBD9131E4486F358CF115F9B2AF55994F7CEF4EA - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304 -CT = 2CDE28DBBBD9131E854C9F46787968D0E022382F3F1AEE03 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405 -CT = 2CDE28DBBBD9131E425F4F40950B5CB331E181E1B5FFC6E8 - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506 -CT = 2CDE28DBBBD9131E0A4EE1102568B2A8DB64B00E292DA2CA - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131E4270DFFF9B0C36C0824E86D98DAED276 - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131E652BCB622444F17B498F1A0A8EE1DDE1 - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131E075E621EC4002F860FDC451FC4EB650F - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131E060A1857233A610970EA7AE5CABBF3D5 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131E20E8CE3A40EEBCC0135357F85183A3B1 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EC4C9384007645BE4AE641AE4DA997AAF - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EC66A9CD52373E1ABE61C9823FF40615B - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131E756B57E6E0EAD52B3F4150345FE2955C - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131ED572EB41F0975D6A7BA2AC89F61384C9 - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131E3CB666625F697B13AE839E80B46756B4 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131E08A625FCDCD37C17EC5E0AA3345268EA - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131E54FA45B6731BA06DD34D464118B591C6 - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EC4A6908ACE1B689D7C486425480C6B99 - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131E1C21BA246F4369E1F66AD643A3D005F1 - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131E740731BA2D23CF2A44F81C19E590EE4A - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131E94559948212489AE710B610AD986693F - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EA56E09B4444573D3A7C20F15B6C142FC - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EB575448F8EAA56BF03FED88A240D2E1D - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131E395023A2A69D889B93B026F1F30A8561 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131E5085DCB97DA73CE7CCA3497FE98EB063 - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131E32C3B8CC91B0D8B5813F75C63ACE5DB6 - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131E5A2441E7BA48C24366AF17F2AD7CD6E5 - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131E53FBB9D4CF5F21DE02A1CF1B72BFB1CD - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131ED88FE13D8066E0B23372DBD29FC6A44F - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EFA04DAA40A19D16E69F05097989A77A7 - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = -CT = 2CDE28DBBBD9131EBC5EBBDBB307B3328AB0FA8E8CF236AC74 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00 -CT = 2CDE28DBBBD9131EBCA6AC9AD6B52C28EC0465FCBF52304B2A - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001 -CT = 2CDE28DBBBD9131EBCACECD0089EE217B0AA7FCAA20BB32616 - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102 -CT = 2CDE28DBBBD9131EBCD5B479A783C98A6D3684ED00C30D52C3 - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC6C67F216F4F12749AB5D6FB1706FF8C6 - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC6C07B442077119CF98B2EB8E0F98D7D1 - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC71A9D39A0850C16A0398260EC7653110 - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBCF6ED12D1BA407BAB976C78BF733F33E5 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC9DFE3091540111198B2C5B8ED060DA90 - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC2B0AADC2869B041DE48C979FBED97B8A - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC48C3B38E26A36C0CDBB6E448DEB02BC9 - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC42073CB3BC759F632E30043CE902F7A3 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC277F93B97DCD5DF43AB4D648FFC9208C - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC55C2ACAF3B68B15A7985EEEE9C30AE7F - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBCB5AFACE99AF2611241499868E41481F6 - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC7CA2BBC3A8B6EF2F008930E506CDB19F - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC177B4D86A9B3E8FA4753A2C74EF8F60D - -Count = 315 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC59438A3E8DE1ECD73C1A73CD40B8FD81 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBCDD10C544A25A8316A90478ADB6D9D264 - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC261C0E47FBA527BB5FD445B528D41903 - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC2885363C07C256D49D7BFC333EA85D66 - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC36D804FD41B382F9D69AB5C174BF33BB - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBCDAF608E6C237078BB8F194493A82A898 - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBCC163F7ABCC8EBD9A9D7281B484DDFC9A - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBCE64C1785840D71132687FA8B6FC39EE6 - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC27F95FFE8A2D3D1716984E286D1C59EB - -Count = 324 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC449EC7CF3DBC9716DCBFF0B579B1615C - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC2271BA4D2E21E84D25C6E79CCB9F609D - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC29605542B51E06131B450566E5D13C2D - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC50A3DD615E6E1FC35EB07E8D3C3161D5 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBCA124748E316AF69E7C6BE6394CF40D4D - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBCEDD33696DFD3A0AA6534673A1DC3B835 - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC122190F437AD722DF106B758829D45F7 - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = -CT = 2CDE28DBBBD9131EBC5615D6C26ED446BDFE36175E746D0F15FB - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00 -CT = 2CDE28DBBBD9131EBC56FC4FAC946EF41818D3E61168BA6DCBE7 - -Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001 -CT = 2CDE28DBBBD9131EBC561D99900B7D840037FB0AB3695BA70E15 - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102 -CT = 2CDE28DBBBD9131EBC561785B47AAA8306AAA4E861271B69D559 - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC56FDC8DD24B7F9431272B532269BCB1C96 - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC56B20C15D0B9389DEA960BC18EF8748762 - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC56602421AFEDFA9B2C8334F579DB339007 - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC56D5D3F702D4F6AE28E6DCFD5F78FEA596 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC56C15EC0CD5681CF047B5851C65373FE64 - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC567ACD83F222AB68E291AC3D6537D44979 - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC56D0158557ABB72A76746D167C88DF6D05 - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC560D2065DED51F7DCE6EED886957B4BE52 - -Count = 343 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC56FB2F5AF59150E6437888CF49CD383E92 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC56BD31B9F2525B1C82B3F3ED47F5F43B4A - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC561555384A7268EC8A7601B5AE625C7C07 - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC56A393C9E69FE6EB2CACB4BD71A6F16187 - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC5615B2F5A4686C479C861C5C3336C571EB - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC56EDC96A587DFC56F8600861D07127D545 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC562BE4995C820074E99B6D8D92D7A954CD - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC562B32978C2D0B00F841C2EDC0300A2855 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC560EEFF0ADDD21192A1C39DCA93C44111D - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC5604AB73B2F0D617F42B5F369A595E0646 - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC566F7259F407C496BAEF5C550FCF2AADD0 - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC56E2EE14AF74394D47B6787D20ABF7BA50 - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC56AC264D9F1A7AE8B2250030888F376123 - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC569A3576945BF9688812A0ECD106568098 - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC56322B0EB0283AA1F1979B97882F52B443 - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC56AB78B73F2D3C164A78FB41360AAB5A23 - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC567D99F86522FBBACE5E52E3F52C175368 - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC560ABED09A27C90E2CA817071B9C02C654 - -Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC56AF9F24DDEB1DA0D53456C19AFD30B111 - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC56380F7C205D188BAC90ECFA0C937865A1 - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC560A9800C51A323B3B52FEEAA061AE9086 - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = -CT = 2CDE28DBBBD9131EBC568DAC7A21E1DE8C78C637DC46CC49ADCDDE - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00 -CT = 2CDE28DBBBD9131EBC568D8266D147001C7BCC1F97C0DBBAD2D4BE - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D56CCB54101770D36BE59911878353712 - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102 -CT = 2CDE28DBBBD9131EBC568DD63DEDD482D72199A4B04631C1BBD0EE - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D79B6EFF401CC800E0B77D06349353109 - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568DCF96F63A581A051B52E5693F55735398 - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D093F7E6EA7BD5C6DDBA619C5B151D8F3 - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D39512A2846AAB70A3255165220E92F2F - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568DBEB813654ABADFB013A510458B9EB48F - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568DDC04AE97A9EA9E2CDA2F44822134022B - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D09334C97708FB4964358A604321DE55E - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568DFF5B4B50A91E5357E5ADF37AB080F849 - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D8038662AE697573337E4B3438AEB28BA - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D22C8EAEEAA71C1D21581149D90806D5C - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568DA99B2FB9B5584CEC5D8F423F11946B76 - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568DEEFF3C414928B68429DAC42AB690A691 - -Count = 380 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D68ECC087C1016D685A4C66A2AC1FF427 - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D844D042CAB502C46F5C69A242A38741F - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D6E82F3095D0E3CD725D196BECD3DCBDC - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D63995CB2DCA0A164599A54345265063A - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D1993A60D8C66B1AD47094EE951E0CF33 - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568DE56B7E7977A0C230A140E82799682DB9 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D90C7A0971D2D49700035A1BE791743D5 - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568DB4D43EECE197D9CB522D49B2B42359D5 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568DF8A7B4C70D520978B46D1CA1A4D1B69A - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568DF4CF07C20F49BF60D0FA893428199CF2 - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568DEF401240D1F602A1F2FF790F142343EF - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568DAB821B6C0286ACCC3957FD45C160BF95 - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568DBC61103DD90A65C7F69F7761F7A4084F - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568DD264D9161956690EBE6166E293AC375E - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D02BC30D6ECA9B85F0C65378B3FD16E48 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D53A4A14C6482313E617DD4DB59C08CC8 - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568DA74204444F01D39C5DE2A00E45A24ECD - -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = -CT = 2CDE28DBBBD9131EBC568D77B5531CE34F28DA3C1E90C69DD7956637 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00 -CT = 2CDE28DBBBD9131EBC568D778248D37044C64FEE7D10384C95779E30 - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77B6BF937F3EAE148C3EAD4199726ABDD3 - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77EA424A17D8E137AD0892FD46C1DA33B2 - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D777FA9D7276392BF25F782DB6A5DD8BBC7 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D779BD56380F26A67E7149F6546D7C73BD3 - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D7791C7E4C38E4C78F51B9CFDA409831EA6 - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D7735E3FAF20007CA65551D006A92022D85 - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77B36A860AFF1DBC29C2A5E733A697660E - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77BB4E8D44FC3F7C274024B7E184AB7EE5 - -Count = 407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D7798E1EE233FADD85C21B9B1331BFC07B2 - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77D7C6F733321C49B520CDD319ACF06D15 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77A3F18AFFD2F037520DE15B3B831927C6 - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77A459377B80D0C1EC4C7276569F52D485 - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77F3BB87F86EFEB5EFA2B91ADA1F550A5B - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77D039A0F0A388D7EA8BB760817AFB4516 - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D7786504F93E925B3DCE0CDF8AF30C2821C - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D777265DB46ADCFF6B6D455913F65640723 - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D777D4197D96CA91E0573298C5E28220C41 - -Count = 416 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D777AEF9BE455449AA1B1F6A0A9E41AD8F5 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D7796EF6AA9663CDCD87A5D7B847522B2BF - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77E030BE7A842F20E97CD474B534B05A26 - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D770B8EB112ACD29FB74A9FC9CF10945FCB - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D772BEF4813F5BBB9245B2767272DA3BCB5 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D7727026D9BA5504424BBE690CF3BBC1FF3 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D774B7A5A591A62D8B968F0B378BA97D454 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77B341FF3220C823F3CF2A83C698BE7094 - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77F2C2ED3319D28150F8CD5B8F41303473 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77C72DAC0B3C11DE1729B93835E791B740 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77B1F3591882D32963CB8FE10B60C5F6C4 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D777DF410A77007C28A1EB3A2AE776191CB - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77D72A0A7F9B755628FF9C6554E1A46BA7 - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D777C25FBB0FF98496C7DD111409DD6D3E1 - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = -CT = 2CDE28DBBBD9131EBC568D777241BC32568E4C3E434583C6BCA5808F2B - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00 -CT = 2CDE28DBBBD9131EBC568D7772D1CF54C5064CC89CC839A5DFA346775E - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77729E0DB2E8343BAA92CF3C00B7DEF11379 - -Count = 433 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D7772105E3AD36CD3A1CB5C864C18F3814CEE - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D7772D02B6A1F26E2EDA0B989DE55AE355050 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D7772CEA33BE5E56120E1C8558E365F9E479A - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D7772A9ABD56A359BCA1F805AE0E1E44B9713 - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77729F2FC88BB9C34A6BFD53F14D5235B735 - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D7772F7EE30C3A2F7785EEE22F04711E461D3 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77729E17CDB43A92393DADEE5FA941C9095E - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D7772AB8F0CDBC3720760EA74282026B87641 - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77722946796985C79EDE343E0663B69A7748 - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D777286F4D8342A6E6CA34423C7C50ECA1CFE - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D777296217E26CA564B5E7D31F24DDC77E77B - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D7772F68785C3D63A4348C05FEFA85D86B882 - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D7772CDF4541A778466F1E403789CF632804C - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77720F718251BA5C17956D64B44D6BDB5D78 - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D7772807996EE3496B6A8A21B626251490F31 - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D7772EB1F6CD44792DEC4DB87FE72B4183103 - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77726F5C3A14201F73FD2A0368E230958251 - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D777224BE23FDE5DE57225BDB3D67B9D340D9 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77720F25E2A48F104820AAD1482B648CC10F - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77729FD509AC5491E7B342BFB47B135BDCE6 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77721CA8238821D347039E758CE7273347D0 - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D7772A7B8CCEA0E2A97DEC5783998364264C4 - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77724173C01D796150341771A3BDB170E7A4 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D7772F2FEA07A58FA8B7ED189AB3A85D64497 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D7772A0C1F1B96FED496214682C7B149B91F1 - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77720CF1FC364C1940E513ADFCB1AD2AE92E - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D7772D4FA643CE953A6825B476541A338A010 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77726B384214334D3D75A8ECCC999827F6EB - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77727805B99B47509593EB008C72C9F0E4EA - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D7772C6E570B60965D23682B0A82F8A836530 - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = -CT = 2CDE28DBBBD9131EBC568D77725B8E9976DC30819B092310AEEC038274A2 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B1B38614A2B11C3086F4D73C59D08EA42 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B2873354C5310B05E3F2A9FD52A46DFD1 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B7418F82EA92D098764C5B137552BC1BE - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B6CA5163A99D405E8AA66CB4711BFFC2D - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B735183688F9C6850FAC363B101D83616 - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725BD2EA134218D9815EB7BDD5C3B89272FD - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B68D3EA7927639DE1D8013AB98F24CCE2 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B0D1A3DBF807FEDD868D74C882A732F15 - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B29CF2DDB8E3F0CEF289D4F8487472E38 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B3ED5EBD03F0582C1DFEBC034D36537FD - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B739A0E2C9A43378B6C5D8E461C11BE81 - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725BF34DAE622A9B19799E7F6DC7647DBACC - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B85397CB92F01BF4AF22A0B7AD6F5CC6C - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B3115C0166187F0B0ABD9BD3EF411F3A6 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B511F4F908B85E4D420867A0343A10FEA - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B20CE00FC32F3C5B981B4FFB827EC5105 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725BC27F285672A3AB7927FEDEBE3A957600 - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725BAAA4CCF5EED8AADD67B409567D695EC2 - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B0B194EB80826BB4AC1B2DD5C9F07F8C5 - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B1FA3F02F09F942B12642AEDDD7BF2486 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725BD59EC2087A1EC66D3CA90100661F92E9 - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725BC31843BF2373176F07964C9B78EFEB9A - -Count = 486 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B69365D43FCA66B79926B44C3AC818FDE - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B9D66A09E404C6F4807348AEFFC053403 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B2F5A15673C3DD5A553CC9E79F0326ECA - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B879DA97FB30AA0A59D27373A4FD8ECC5 - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725BE13809CEDF5A86628DBE7EB07418C302 - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B194959E15F6E8A0C8A8AC2135B447E1A - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B1D60B53A79667E47F14ADDF8680A5317 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B6537E5768715C487C0751245E299DB38 - -Count = 494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B5332F03DE20FA788224961F5258970D5 - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B806568DA19B4F70897D72625F5371DBD - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = -CT = 2CDE28DBBBD9131EBC568D77725B252955A7B9B5B4958915A7A305E3BA36E3 - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25B047A768BD4E73FD6DAE54A8F2BFAB50 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25CCA25234333DEF7A285700FD3CB965F7 - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B253F75EDE834142E3649089D6444C2A9EE - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B2547B9B90D874BAA16629D7784010DF474 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25E1EFCD7CCA979282F6693DDA5BE06F41 - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25203E3C7ED5B3555984DDA2B1AACBE161 - -Count = 503 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25D5CE7EE96348DBE2001A9A1F577E7B2B - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25071FFBDA37F02AACF93DE21B61B784C1 - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B250C8055466E1EE01873576E01778354A1 - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25FA3E49FFDA8AD56A602865CB96C22CEC - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25615716A52AFBDEA04E7BCD0FF339B16F - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25EFA11E0E6843EA93021EC05182989372 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25A21D9BC5B7F53E61AD1FCEE905B1B484 - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B2585B2E58B37C43E83443E3C3AFC01A4C2 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B259C0E2C35CC854580409A4571FF284596 - -Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B2554D420B9A0028593C9012575AB036120 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B2543E7ADFFC93FBA08BCFA1076322BEFC5 - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B257E9E9AA1BAB964BC9ED27C0EF184F8EC - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25528C70D63FFF92040F536EEAA90BE5BC - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25D8FDF50C3FF5EBC3E1C736CAD5CE845B - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25FA91C78ECE7A8243C2CF5F202B488233 - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25E9884085FEC621F4CDE34627CA4FDC64 - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B2596C5D386BAA149B7C0B2C716E5ABE448 - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B255D5743DBA73D93937D91BB746C93F187 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B254A36F3DD2FB245F62D67FB57B1A93FEF - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B2588FB08387DB65DCA21EDB1FD80125F9D - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B258232180BE541BAFA77A02C409C902A22 - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B257C9000683128EF74BCE491FC9CF2C434 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B2588FFD3D3BDB69B1BCC179FBDD1C18573 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25E4A1F2780A0AD120A062521D799C66D2 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25D3C0AB1ED56F56C865593654CA733281 - -Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25801626FABFACF5796DE1838D60C35FAB - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = 2CDE28DBBBD9131EBC568D77725B2593EA1386DC348963366E27B2A69A88EB38 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B259385A1E58A6F9F47083EA81960996A802A - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25939F795F017B933800E6F58703921490CF - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B2593B3EC7788C66C613239B126CE8412B7DD - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B259370BD553DF3C446C40BA2C1906364BB20 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B259325E892CC4ABB0166DDAEA098D82BAC5F - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B2593E70020C403BA1651D1669F611CCA69BC - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25939F391EACE1BD3EC0B040E88D5E2D8ECC - -Count = 537 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B259382F79747EE86B4EB6ED69AE360BA6C93 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B259394D333F9DE03F7E0FFEB00B6367D80CD - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B2593F662C4A47762A032E3519FEFD360CBF1 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25932A08A8A09E48952939F7E464A9C7C0D6 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B259396FF818FE68618F653F87A03C1E1C530 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25930D5AB75CE4E3877F0FCC253649833D9A - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B259316BA09B5C210712D0827A9B1197AFD3F - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B2593A19DC16ADF4B361D5AF7CD874973A282 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B2593EBD8512D55ACD2BEE8926DC13AC9A062 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B2593E49FB25C6ED467AE8B20B43C97AFCB7D - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937C495F836AE72AE0634CFDBDEA472B3B - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937FC98C27EF12F340169F5F688FFD4350 - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B2593E4AD6ABA1FFB6C3567E555A6BF42655D - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B259378583F190C5F6AD71FC171DEE6E9B6AD - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25932E530CAD70A64F6D54B31785C4D7C1B3 - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25930F336945519DBDEBBFD42219211A84A6 - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B2593971B7CA6713510DCC91836DDE97D28BA - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25933A4E51B1541DB9B4232186CC5FD3BECE - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25934F0893F9CA824139220C6B6A0B716530 - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B2593A9BB002DC4F299FC92219B91EFDE2E61 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B2593537524DA50E557ABF6F325BF1653E7B5 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B2593226AE39C88D64BC07464D61BC3BA791E - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B2593DE7CAE34836308D6BBA91825EE721E9F - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B259316FCBEB4A3EC11C8C5157D5D1F9853E2 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25933ED3143BC16E89FCE414745316B6803A - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937C0CD0927F4931FF6C9DF9EA7FFAB49F28 - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937C4A486DE30D2F979A6EA6CB89B5758FA9 - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937C2DB98B0FB8CEF46E70C962A19F943790 - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937C35BB5FF0DD46FB2A6EE6E9CDAD43C511 - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CD371FC731CAC125A12634B7792CCE812 - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937C0465A4924E35CEE4335E4C644884B91B - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937C452D6C90F66F95400ABDCE4487885430 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CD054DC3DE42C84B1C1E04D9DEFDC85CB - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937C8B4E7656456AE8E93D063D65FD2E8368 - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937C787881E676CA908010D93F0A52DE5F1E - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937C36BA299F7BB0358B830AA664217B0137 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937C1C2FCE6368B6AC64D553417A1AB7AE63 - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF54BB3BFA3E63E8E0073CACEBA4AB3E1 - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937C4E949B03E83137848575E1292ACF0CA2 - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CFEA51416838FDB4086BA1C56D4A7D8B6 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937C2971C67C8D4D44B316690A7F6E300765 - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937C4D3DF203201081ED32FB3DBE3976A246 - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CD2ACF61C880C842A9CDAB1BCBF360B2D - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CB5A80E9ABB07FB452AD1AC4DE92C1922 - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937C5277460C5BBA4ACBC766230306A2835C - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937C26B9DE11A6DA3049C0F42A78ADEBD571 - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CC198CE6FB150268C67154B2C29EBB895 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937C2B32B6DDD6D6ABF51E74690816F002E5 - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CAE2FF733A71A277F9E392ED0EFE9B6C6 - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF2963BF93E0DF106C655EA582CA55631 - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937C4C5083CC1C8EFC5056370C0B2E0437AD - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937C17B9A87A5D8F420618C3B006C2AD839C - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CEC3FAB8DD7DDBDE833B80FB69817BCEB - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CD11661E1DEC94E4A796619CB4261080A - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937C40EF7B98C7341D42A21A183542BFEC90 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CD3D07C4306B52D5564E123E55C20FEF9 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CD6307EA8D53099C9574EDAF3953C1D05 - -Count = 594 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CA335AE70F4DAD4ACD851175D053063EE - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8F7517367215FA4256684043E63654A2E - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8C2FA35A4C9043F7597740FC711477029 - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF882160E6BFDE81340269B5F83F1EB8161 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8C6206D67E3A6B4394C5603AD75993446 - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF89AA8F8DDD3B75D63E3986D8BFB85E316 - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF86756DF460D22DFC1736373D7F2293A4E - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8A8F35CE1080380754FAF5BF05B7ECDC7 - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8242A5B052F671A899D93DDEA0E29A4B1 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF896B0AF71F18E11297E59094AE0E3C426 - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF84D01BFEF58B2877DE44C5BCFB394DA86 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED96EAD117795BABAE48A35EB797E47B - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8C37D81DF4CEF803366B8E5AE0080C747 - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF83EC5C59299FA7769BC86A7A3736D8072 - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8D51C7EA960F8573CC508416B87F27884 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF80810A19CD6E1CC8F5D2C476FE01D4A87 - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF84B9F4D791FC832A25A42B8AD36377DCF - -Count = 611 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF89C8586AD3C385A4DABA111D7DAB2132D - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF88D92FE2019CB88D296FC8F9779EE4E83 - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8A52F6632C0C50704F2A9B4228B6EBE16 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8B5365CD74913C48965290FD6C4294824 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8AE2E44C99E3D722554E3F4C471E35173 - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF833FA4810BEE925808A7C81A2555EDA5B - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8FED38E1899869A93AA766B757B6914D2 - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF84F7CDAD170DE0071A0A9FAF8E32D4998 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8A43D41C03FC2F7DB25EC96B653296970 - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF85093E2218A1F667CCEBB5E3C2E3237D1 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8CDBD2DCD394F7F3380157988DCE97CA8 - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF820233B7566FC7B14D9D1B95F17195387 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8E057339ACBAA7CD797F39C00B921E221 - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8FF13E1A60AC2FB0AC7268FC56330E548 - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF88EA6AB4070EB80B4F0B8BF964970C2E4 - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF80365C5B301A398AB1A9028E0D9D1D783 - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8FD29AD4A6A90E5F97674C209691ADBDF - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED9EB07AF2AD2C8778061479063E5077AF - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED4973C72DB06C14922A984DA8BE67F4E9 - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED7BB9FB8FC470D1B5F10F2BEADC38251A - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB588A9FD8E16DA696ACCC95DE3DC2A0E - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED52ED81CED752A7FF407A73DC5BC6BDB5 - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDE5EEE9E5D3A2107B91B82837104ECF8E - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDE01E8F92274E101956630619C5D00254 - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED5A62B64D410DE47A7C2C74DB4363D303 - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED89550EBEBA56A9511C7E949DCB72AA5F - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDE9166D1751E047CC37503606AF4E5C8E - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB5D86D5961590D3EBABEA19182182188 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED0CFF02872D2B1272EA723E7E39F12134 - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED318B303BD12C8126F668EAC4B37950B6 - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED522096328112300872508D4E64A7D39F - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB7980B6BE77BB02BB8EABF985249C3D0 - -Count = 643 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED3CBC7E172A4A36589012C66CD7E37243 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED412B3A9BAF1E5EFE25B9306A6BD7BC61 - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED868FE5475196D8873A37F7AA38B6FF73 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDF3DC0F1F3FFF6D80CEEA577AB88C38A9 - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDA505D23D5627EDA5B36B772CB3879310 - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDAE55611836A66602A4423A9328B93453 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED6506232898141D99B9DFC9AA4D867D36 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDC7A227B99B0D65A9B446D7D8D46EEB7B - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB196CDDCF9C1E9BBB6A8BFADB93A90DC - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDAC2547C4227749DDBC51ABBE6B083301 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED5E53F85EA37221AEA2108A21870E5D57 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDD22CE9CA8AF696C0F33E72B44D9FF1EE - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED3B1E69A15F7E0A7DA762D830B1FD08E3 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDC375BE9D999C0D6A8CC1F519AFF74655 - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED69A97950B716BA8E07F3045FF0D7EF08 - -Count = 658 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED43C44CDD271A916D0EB2A8F5D5072304 - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED244C5387B68D01C78ED13C9E44212B1A - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8ED29A1749E4435B1E3FAB6D748D4D8C655 - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8D29B96A6BE37E55D8AC446F48680070E - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB85D626E243D49E6DD8396A70872113564 - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8BAF7AE2292EF83230733EB2317678A92 - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8F4B7EC5B2BB00AE96E63799DA389C411 - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB85D9B673F8103A92F5890BBED4E85F43A - -Count = 666 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8E0EBA18CB4DBDF5E4BD0748643FFBFDD - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB85742A0A89CCE5EB10F3BFD944F7C161E - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8B9555DBA57E06D969178913C1E521424 - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB84572234059F857735F85C1AD31EDBDD3 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB81B8A632FFA3DE0DA87FD7C837CDC85B5 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB81744B85AFFBBC1BCD461778BE6B938E8 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB88EB1120D07CABACA249153B43E3C6DA1 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8661D421BB10AE984A8F939CD99AA372F - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB87AB502C3B0BF191FD88BA45D0CF237A7 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8889EB450A0B22FFB5F7A51BE100F4AA0 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB89A4AC3B73C0640F2CA8CB7447B845DD6 - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8EB2A76977D78F061D3713C5237ECDEF4 - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8D910EFD18A7B4E22681C4A1827F14E6B - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB833D71581F9348DC3BFCECD5F9886F4DD - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB80FDFFF135CF861490A7ED73713549BD0 - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB89485D0855E0423BC6B67A425F707FDEB - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB88B64421708FD01F917C726FD9D6672CF - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8168537DB9FB43E63632132CFE00004EF - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB876BBF6D5542C7D071721EEB3BAAC70EB - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB878960D46A3C5A8B94AFF6702604DD0A7 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB87F4542FE6996B63F9662CFC44BB376C4 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB89DD077C389A8E14A24589269B20AAD60 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB802E99B54E142620D94DD44833DFF1E32 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB84510E4C6FC0E99C1716D63C14FE361FF - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8AB60B4E48E1AEB86BB15C178A7CCDBF8 - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8EBD0157C032A3D8D9C3CCC52C733CF20 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB83441A3E14AFD811D46FB9407BB3B7C82 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8880FAA57D350FB6F3CCDB9C98393890B - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A84E78AF74477D50CC1F6BDC47B81C1C9E - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8EB715944B946A2E92686095290462A3C - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8CA1BB4EB2606F295A465135EF0AAF45D - -Count = 697 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A862C56FA1391B757C7CCA8360BF7A0CC4 - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8E5EC4CE789594C293F318329E8D7E694 - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8A273A2ED594CD1B140000A5C733A6E0D - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8743063C1C9B038E8573C5E70CCA0F389 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8548F561E529EB04DC67A3DE8B1E75AD2 - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A87A4EA054BA7B27292957377D5EC6284C - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8BAD7CD3C8058E5D00389BF9B3F85DD64 - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A87DD108E2049CF53D18E5771FCEDFA32D - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A83069BF0696B457F31E7E2041589D2B09 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8DC8C334EA5A5BD1D40E096F39C3C27DA - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8D3066A8B843FFBA545415798DE612B7A - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F952A583270021D4B9FC6D96E440FBFB - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A86D0B2ADBF4A73B854793C248B9FA2377 - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A84C9526AF5734300F860C5F7BDA114BF0 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A81F9E3571988C75BA37CC5A5E7728F2F7 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A89ABC02399EF1905CB670ECE8B6A96EB8 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F7519544E3BD11E35455CB78604B99C7 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8DE5B510065D390BECAE8FE4CAD5FB7E4 - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8EDD6E780C684B74CCE935512096FC9D8 - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8D213C5CA4BD1AB4D9D2BC34260EF4C1F - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8538269C2A265E92942AA3A5E9A75F8DF - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8A1BFB465EB72E3357D8631C4108159AD - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8EE5F228ED4214AED42F518D5462B266A - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A80FFDFAE9AC56E8A6CBBF8CC3066A5535 - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8E2F5476BA0D8A1E30C1157DAB8880A7E - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8B929BAB8EEBD329D4899E65104A8317F - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A880EE4BCD92E56A957859754380D8F4B9 - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8BA9BDF99330BCDFC9F96A1BEEAE77D17 - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A84686B32FB2D132E41314F146E014C65A - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8FBFA0A1B600AA3D62D1C341F43A592DA - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5F5A9105B995D308D4D550AEECE3E364F - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F554718FAAB5A908920DE458CF9571FC98 - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5FF9B8A08A6E3F8DF64F18DD73C0D3580 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5FDB1BACCBA3BD43BEB1E82F79DCD422F - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5CD13C852882BEECBB3EF596AF623675E - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F502AC0BCC7C02BED1D1F29C4C1BBFA87A - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F517550BF44569A500B8058B412D1436E2 - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5455FC45C131DF09EF8873F43E4DDCCD4 - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F558D817E40BF320E597819CD3CF43A32F - -Count = 736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5FA4CA458819524875881B36857F70C76 - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F51E1CFF9ADBE06BBD07CABE57784293C0 - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F59F08F6517CDCDE5948339BFD4709058C - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F56774BFCB8F052B3173E58286AEDD7450 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5A61F8B265148CAE4E8F22A0168DD3D0C - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F53FB415EAABCB5DAA2B8FAD1953BCEA13 - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5C142F0DBD465D153AB22FA5167867C7F - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5C8345D2D4333AC0A3B402194CFF691ED - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5334D8FFB34D2A348B181B18D258CEC65 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F52F2A0DBF157B089C1DF685BAFAEDD764 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F536A9F1688DD8F25A2E08BA46ECAF0994 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5711C7C5FA284208CB97B9C64BE441192 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F56F6533F45AF21A5C0ED259B2FF1DCBEA - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5A78ABEA0B30392DF1879253B5DF985D7 - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5F04495565DA372FD001CC838A1DA24CC - -Count = 751 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5683E4C5B58EA09A3EB4B3F34E9D0108F - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5453490A8926526D35DEE1A98EFFCC7CF - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F59E5289B6FB35385F73263BFDC774F8F6 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5DD2E8D43776A5BAF3799FF8D16AEA53B - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F58ADC7D6C6D7A5C4AF688C20087629075 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F561B492B46F0DE96852C3AE6FD14F7561 - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F5EE27993AD9CE72E1A1584D3B565C12AE - -Count = 758 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F57BA7FA28BA23AE158372C2FD70570379 - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F55CC4B1D61EC51F04ECD6727A96566984 - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A047E43B68CBF359B7C97F7A905C80A81 - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A48EEF9F0664D9E0B98E0A725908911F6 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AF77B05CA7A9B995036972E731E34C543 - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AF5803D23DC32D0F63F283324BB652A0F - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A0A038A61B4A9AB66F7E5676E4D3157C5 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A8832BA8D700E200B05CC0A654FC76E10 - -Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A9F341A11D67107662D7F3640EB773714 - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50ACD257B1C10FF11B3457387D32FFA68F0 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A07DD072CB384807F00C9CC33BA5983A5 - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50ABB94CC7FD3EB6269704E8A2D9471DEBD - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AA5AF6BE96055F455CE45473116CE64A2 - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A51312527CC6AEA52AED910035253C093 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AE1D7A37B9C3C72A7A405A8C8B1FCA27E - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A02062053517B30EBADB7F85F435F37A8 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A53E065E5A83EF8E0D3AD713758C9563B - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A1117BDB6E56030726C5555C5E8F1F6A8 - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A61834E4A79BDBC42B6DDB3B7241F4941 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AD93C3014FF7C3955923F7BD385378B50 - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A94F5A22C1982EE9D7A0D11521C7DA680 - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A70F48EA7A82E063CEA33CB22076FDB51 - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AB3829CDEA56FA56D7D45D223B015E55D - -Count = 781 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AF6EA22EBFFB11137EA45E545BC413CCB - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AD040665EDB0E266716055D2B8B67F83B - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A83B6C965CE4D260A438C548C38647DB0 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AA078D225ECDF96C2F4E0AA525B41661A - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AD39924039B7626D883787CF5ADC4CC48 - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AEED518385A99854F2F9DF24E44B629D6 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50ADBB14CE581483DC48A8DF0C2D9CDC392 - -Count = 788 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AEEF1CB9B2DF17B7DA5D9A8C86A7DAD5C - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A592169740440B2998349A6465EC71930 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A619205AFCD306EAF1CEF503B6CFE625E - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50AA5B2EE8522FE5A401483EC5C9B44DD0E - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A7D7AA7B88D535445FAF4B7BB7F06E77A - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A97969E8978A61C2F23E9FDB4046A5D45 - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A0FF2C164B141A2476B9F017A25404CF5 - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AC5624B1550BFFDBBAFF7ACCE1C342BE5 - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A62887B01033E6BD5A627C2C585B1656C - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A200FDC87970E654C79524CB5B45C7433 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A024CCB0D610A59C04E0A89DA5DB2FAAA - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A79533D5364070453519D3D6EFD91D89F - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A4A905D0F91E5D4F8B647AF1D24B1E1C2 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AF787840F7A9844FD8AB5C11F3F9D549D - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AA16E60202A73E6AE4AB3BD4F31F77EF3 - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AB8332E52CF416FB50879D76DC18B76D8 - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A95456648E57C609057288685DCE11684 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ABD844D002BEF1E075178625A2B76FC97 - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A21C3953AD772141958C7D2C4FB22C697 - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A2D97535672FFFB1B94C39B0D08ABF21A - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A09ED937DA63F6E4E28681E7D4C03D6B8 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ADFE002DCD63F0AF98ADE025834F64E22 - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A624563DDA4FF278164DF5EB257EB7274 - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AD30963E7A4B5D3A6ED580DC9DBDB7156 - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AC795C3D769E799C789979D3F4C50C706 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AB476AF2F2D0D8E5AA0721A86C65EEAE8 - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A123E301BC33261FEFFE5A714109A734C - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACA9FBE6AFE256C4E768A777A6264A795 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A67559A16D4F098499458E7ECFE24D0D2 - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AAC253E94C5D4701E813AE3A1D457CE18 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A040826DFD305B38FB0627885AA3629A0 - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AF2774B5A0704C07510B9F8BAAF7A3139 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A95DBC61E35E94EF687091BCE55844652 - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A34FE6E74A59B3FDADD5D0D3D5FEEAD29 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACF2FCEF94647200B2E2E50F863E8A1D2 - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A80606E21D163E21279E5357A7213DC9A - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2AC16ED198A18C8B08CD72A78B0977258C - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2A3EB6BC12FBB887AE2A4F8C6E70CAC073 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEE03FA8D4463188F53FE646328EFADB06 - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEADF29BF0FF715A931444DF7D4A127977 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAC427B4D9885AD47CD11DCE2470B192 - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE112A096C15CB8CBB6C740D23A8A4B527 - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEEEC24B2A708F1544CE82826529399509 - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEADC3587A9C43A71CA1F58B35550066B0 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEC50116E9D1F1692CBC2CA3DC2E6D5D2D - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEC2CD63C9E7AEFE5A3E7CF719B9FACB8F - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE4A40BDAFC7BEBCDBE8C62D86E8DB067C - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE84857A4EF3DCF70D2DCA35ACA85828B5 - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACECA3EB5D9006074C16E53ACE02941E393 - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDD6154D9BC92949B20A76F093DA1C046 - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACED25EFE4425A4033C22EDFB1BFFFBC687 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE84A985148B7E14B4A2CB1056A644CC1D - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEB7AF379C4AAD733AC5C73FE97C2FB75D - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE0ECEED5A360D3FAE02621555D2D4423A - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE8C502BE808088CF18A31810EE28414AE - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE0F5F8D7CBF20CA9A7D5A9574488B9A9B - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEC00A95BB76161B6903623390CE8C55F4 - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE8362B9073BC5FEC7C6DB434A7FDEA469 - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEE2270C3C7B0D96855F236EEAE06AF932 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE160C7FBF5A91176849FD2CB25868EB0E - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEB189E4E9E9C18E9C0686B63A8CBEEF6B - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE683C90EF3B036BCD6A6C1DCE48310D99 - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE1D779CE89475789445DBBC44DE6291E6 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE3C09FC919EFB0491825334FF9316B148 - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE1C169C7BA2698A24AAE869EB593636AE - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE6A5BC55BAAFFEF151C62BDD3CD0F67C7 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE47EEBDB1B1EF38713FF0B46F116631CC - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEB8B156210A1D84FEF3940F34F530B0A2 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACECE46D11ABE2EB760EA207640A83A603E - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE18782E46708348C254A64C479F431DEF - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACE0B01864B70B5FCC79A12F50F2E934247 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA07B3682FB4BA5366D3EC504DBB0DBC2B - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA69E0EFC4929A227E1A045A3E40324C24 - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA5AF8035E40AF9D96AEBA57A600E7EC11 - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA03A30DF285B08235DCB0F445304C27A5 - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAA7BBA5CC6A3E70AC6756FCA4C2F0A6FF - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAC0AF8C6562DCBB46B6F00ECD5CD09411 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA72FE7CC80EB910B5032658B4A1488F11 - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAB4E136F5B6757543BE697C8874C9D7B7 - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAACADFBC31774DC085B3C4E25DE1F3DAE - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAD4A89ACEB84D6CD121C1E9E416C77F66 - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAA15A38246D900A3BAD47D0C0F9F39455 - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAA7BF17B7C3ACD31A3F19222604718E5C - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAABF0376F512BAB50BC7CCACE9E878C4D - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA903B895429451B1832EC60B57FC6E47B - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAF577F98D8752080420D9A45AFE1A9500 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAE93A1F92E0152824EAA1B2A8176F8CC5 - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA1FE71E4C4EB0F45CB9567876227C677C - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDACAA5D1D79C6DCBCF0D2130371D066EAB - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA01C2F935E041324F55162B2820A57355 - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAAD255CE95A64E623A414D09B17133F97 - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA4E4CDA10A19A33477B3EEFCAEB8B4CDC - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA5B306786BC6FAADAC5128B475DDDB505 - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA14F222FA0A15003BBD3CCA35A362CCAC - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA85F9829420B77501E29C4BD16A49FF01 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA81F0725706B50EE84B399FAFDF59560B - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA8D82E1B209D7950A67636B886856B6FE - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAC2BF8980DEA30A84BE7D371417E19221 - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAC232A74F5D2A00D49FC01A00D0EB7D7C - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA67886DF04E40A834E2FE0ACCE5F3FE29 - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAD08DA354B902BDC80C71301FFC96F9E3 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAEB257EB10CA7013B2CA85C66C5793DCD - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA567C31552FB14E74B578DCDC680AEFD0 - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDAA3A404BDC93ED6BBA9F99B6BA63D731B - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3587D4453EFC0E205626538BC7363ACC30 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35298D8F93EDDE779E491B005465BB5DA0 - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35F4065CF0DF03B5DB143ADCF561960CDD - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35D0484BC0AA44F0A725F1095A9D5C3B17 - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3585111D1EC9409FA830018859BA1BF433 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3592752E68A3A7DB8EC638E2DBFAE9EC01 - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3582B197A0403048221310FFB2EAA5A47D - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35BC47F3A73770A6572BDB785434311C16 - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3523A6E1020F61FD834452EA9C9EC00871 - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35A92E905E800025A1948A952A26909983 - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3577824ECCDE9C13F57822DEE4CE2F970E - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35A83304AF5FC43D665944D283FEBA6753 - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA353044644A6C163D80B7675E66D52DCEBA - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3503D62F8BDF6BBEE4198C721FDBE58651 - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35942CE395F4A6B4DEA11233984AE2EE21 - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3523299F74E08D32E95C434875B671C4D9 - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35D0D241CE52F0CE726F374B6DD275A6B7 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA359307B6E146EB69F2693762CC222A962E - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35804A09365A238BEA1CCD88DBAB0FF14E - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA354F9B071A9F747B59ECE99B52A4860A71 - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA351AA0C34C51E5348151161D9835F6604E - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA355B60C5B5A9019AD23A2C9B8320DEC062 - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356368146F3689D66365F1866AAB509049 - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA355C45B7D44EA0EDF6B441A03545A25498 - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA35422D43EB4D2E20F563E40E8F5539D216 - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CA1D405EC91FFBFD49D470F27AB5647 - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3596CBB63879EAA85E90C99E7A33A473C3 - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3502B71ECA94E93AF57175635F97E12D11 - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356EF1FE1E4FB8FD08F89114FB5E2EE195 - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3530204C3F15B505BCBD294A163E7A3953 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA358547152DF2735EDD767785050A495DFC - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA3556E3AB9A8444C6FCE2DAE2D67EEEDBC1 - -Count = 924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA351EFD0E17AA53E2B76FF6C34087F80F02 - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C1528FCD331771674CDB3628A9B2251BD - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C467D17477F1D4758F9707DD749A5F641 - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C789E2C5F15CF4F438152D0827A8DEEA8 - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CE39ED9B331E1BC820C3C0340C999762F - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C52208C1E6FA97790CFDF3366654850D8 - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C56C396EE40B500B19651968F24C2AB13 - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CF21B78E12069B9028CAF494A4E866985 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CFCBAC1155D46DF7EDE52723266B7DBAA - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C43BEFD90671F74FF5DE2536A5BB84AE7 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CD2359F32A0970B8B1B20B1D70FBACEE5 - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C4CB2C2A3B1136EE982D0B73D3826F8B9 - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C92D36227C4497638E45EAA3CE261039A - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CF453A4D1C460F84A37E257A17A9F216B - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C034FC4C85BD5EF6656C3F7E0465DF99B - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CFF36CB8F08E85AA4A35095DA1C496BDF - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C11619522611F569E4E8226D8EF295738 - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CB5270276FE506D40C85FB8097049F3FC - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C8DA6E054CFA8F1323B2FA3ECDA1F5DC1 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CDAF7CAFB2203A31670E8A6C12065B278 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CC4E3FC703A9D446FA54ACEBC9767267A - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C2098474493C2604D4ECB20DE7A7E70EE - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CBB23CCF044E7E1870276B1576153100F - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C911E11CAE22D9FFFE02BC3933A641044 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CB270ED1F3454DD63CC5B1307D7AE16D0 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C633198DC2E1201C9D5120E9BE919E653 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C74F4FF9B72D0EFFAEC0FD7976C3D7A79 - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CE5DA1C88CEAEAD3614707EC18B3AC6AF - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CE9B2CCAD910D81ABEAD34D6CF30783ED - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CE619B3BCEBC14BF60B82789AA99D1C72 - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CD5D89842569ABCA44336A148F6C658D1 - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356CF15F6262D883C78AE2AD101E6E31D474 - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C441FC5577069E95A6B4B5823E2C73978 - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C0E6CB1AA13DC83E0B604C797F49CAB3B - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C96AA8A20A8CA4A697D9254B28B4D3C08 - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CEE4080F66D618A2D50AB6F136A39602F - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CC75F8BA1E1F5100D3AA41EFA4AB6631F - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CCF1A13EA16176CDF42C468F4B090A605 - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CCB5C550FFB48B3D6571C346CF8EBD8E7 - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C1649C9521627EA0C0DE132D09470FBF7 - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C5C4859475E39D2A3A22762A39B960763 - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C0A7B4FCF7359F93794A59974B2DF974D - -Count = 966 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C82128A12C9DB4F2A68C47BBA90D0F979 - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C9B6DD1FD1FCC8A0E6E35F60C0E542D81 - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CB10399B36BE999CB031BBFFEEF51C262 - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C307AC0DEE7A79C1DBC2EBDE9127E5E3B - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C3BDBFEBDF28CAB5868F3ED37A8205822 - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C9313F314999F6090AF979EA5AC5E7620 - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C655B3FA02CE377D348BC8F63FCD4D737 - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CF0982DB89B1EE1C5AE810D75400BD47B - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CEFCE09513F3C3874CCCF9D7CBBB5E68C - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C7B4C3599426AFF95B07C4A62A768C9CB - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CE5B9F166D079669A683F8CD1AC40288F - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CD9DCFC217FA1F8FB11222DDB9F03A242 - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C3E66889E00872F439C27A8C44D0A0955 - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C4F0405F20EA3EE8F904FF5AD247F3D79 - -Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CAD93CBEA961592496EDEA31221191756 - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C10AC9BC8A3BBCF16A407F54A28748D92 - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CD21B11F0946526D3D30B466B7282EC74 - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CE8B59A7EDC781EB555F25ADE0EC38560 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C0043DFFAAEEAC505D458EE670676E8EC - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CFAA354641ADF282B121795847A6D39E8 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C58659D22BD96FFF79F3F7B177B3ECC09 - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C20488FD065666B594D705E6CF19440FA - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CC36FB3CF4A967EE54726581FE5CA3B66 - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CC1232E04F3F67871733713451AF8938A - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3C209EBAFD96558A3EEC10AF56BAAA4AA1 - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3CC03BE3B7BC2EF28F3ADC5EF231E2659 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3DE22C5446AE9844A60806B86D7445680 - -Count = 993 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3695EBD3F5EA71DF45A9003285E0C1E36 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3828C8BAF0753C140A4E9B1B252DBA93B - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3BB3E28A6B646C1C84487BF38186FD7FB - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3F825479EDA8F691CAAAFAF28791CC78A - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA39ED10CDA5BEFDA728C25C724AE328FFA - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3859464BA6DEAB06F7553056C6B53B80E - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA390024BDEF107E4F1DA6604333566E563 - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA34055304891C6C34558043267E63D9E73 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D6E996B29CE3828835B819C71668C865 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA373CB9C219F04D66445954E39C32DEC49 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA36D43487BA4819AD4B5B87B05517F3CBB - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA352CDB1F825651738FBFC1320774313C2 - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3BE3753D0E204CF93ADE541A808D155FB - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3AF45994856767D4EAB1C1A276BE321F9 - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA316AD7079FED6A86EB6262603772D1BD4 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA393359EBEA682999C1AE93DEC45AE1139 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA36BE227452E606CE36F9A5043C1AD1E69 - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA35A6C61296F4F0E1F54CCA0603EBD8A33 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA31B80610C6014944DF72722A097AEE699 - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3811737E468DF247415A71FAAC4AFB029 - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA360D7AE00E5B2420D1C868A77E83762CD - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA341BE0A13A28B3BA157F54A2503751678 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA303055774E9BDD524EFA7495D2340E3E6 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA31FCFAF64707DEBDB379E7891ECFD7507 - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA303327F572343ECEFE02B86FB57BD3151 - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA37D49CD76FB33866FAF881E0F43838551 - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3E908DAC98FAC2C33C9AD95D3E449ADF8 - -Count = 1020 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA32DD2F76808E7F3EF4F395CB9BC4CA402 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3FB4C98D6B13895AE53E706744AAC69CD - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA394C4374EE6A52AFFC25F65A6CA27A600 - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA37E6BAC673A3B47BB63441CF9F9EFC45E - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4249478DF6F7535F622296A5DC58EC99A - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D42ABEDB5926BEFDB64038A7A411972DB2 - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4A1E0E214C7CF75C27B47B5724D8F2F98 - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4B47EDB5A7E3610209F7DF810A73DCDBD - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D466C9EE2B035949ED83B3E7120B31E860 - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D496ADD2521AE005796B166997F26DAC0B - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D49E422658B3ACC8B3CB0AF1EE2599207A - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D484E2667E0006399887441AF2474405CB - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4BA6C44E41035845EF31D6658E39CC81C - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D438E5933B35936D036825F7A795BF3E2E - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4D1D3FDCED557228F683743B2D8799D0A - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D41202B3565C3C65D0572D1B3EB0792F7C - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4FC854FB6E1002A94A5499BBA6C6C30AE - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D460D1C0C492512BBE91205115FFC1AC7B - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4EF5AA1DBAF959E4D6052B7BE9EE42FFB - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4D9A4AA179938C3E9B3E3E9A935C55DCA - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D40879E9FFEB18D106C1CD3AA8692FD727 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4C117AA931B7390709198BF13773A6764 - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4081BE303B77443EE119108E3EDFBDF58 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D47356815D937818BC7317F54ADE5042F2 - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4ABD51B5EEE071A597184EA565F022A5A - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D412A71366FF53E2B4DA38C4498B1216CB - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4CD7DAC6279D7188C40562F46B54F588D - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D420C368B0BED30CE6456F4CE341CE13E5 - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D429E0A693F4F772B3E427E4D76B68B10A - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4510B6B8695CC75E988D087F015E4B2E5 - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4915EB158B57FF8C8E310A3C0CB775FCC - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4E05394E09915C291844D091BD7B9F223 - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4A6F4C48739AC1147C8B3BD92513C99B9 - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D440DCCAAEA9BB9AAFF1A86F4782BCDB35 - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D45E1278B9E1635673649D81EA874118F0 - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D4EE5DBF8EAB7B07EBC61B439DC9E1AE1C - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D43AC5AAD7A9487183448DE2D62D752116 - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BF1FFF1857830BF9A555B3409441F45E0 - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BD7298C8C101F4048C8948CABC5119CCA - -Count = 1059 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B5CB3BE03DEDD6F6B7FB37860D4EAEF2A - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B456A436E59AAB966D1488C6F33566325 - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B20F471FD90DAB63B96994540E66DBC4D - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BC4D8F06FB891B76A3272A9A6D7DFE469 - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B97DA4A3329A97B9094586F8F58709B3B - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BA870B060557802EA48CBD5B212C4D725 - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B3EDFC9210306009288ADD5FB7A3388EE - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BD9B6EF4828ACDDA4AA783AE56CAC3E97 - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B3D38E5AD8DC193AA17D3AC4B17C5245C - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B85EBBC110059022F94057274513495E9 - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BE52C86820DCCABD49A3E4913CE99772A - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B09CE8E6BC0B12EFFBEB808E731ACB428 - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B5255E43EEE68EE20E7CFD964021423E0 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BC6B5A81F5B01D3D40E9DB36CDD56423C - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B8745B7A198ED0072049BE9F5280BE8AF - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B1BE8664368D6FEF4545F27288B05F25B - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B29E1BF87365C7822A3E7E638CBB0ADA1 - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B95373DE96DC09453FB89138293447AFE - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BCE17340AE1AEA1739EA48AD2602C1F42 - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BAF8AD9FF6A0AE5A9488C1F8CD77997F0 - -Count = 1079 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B754A253C41AD0F8939A4C5F065AB079D - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B76AD56E80943117272F5C70339779C54 - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B82AF1AA2707B28EEF970578D59C5005B - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BE9CE1FF29E4BED98C4AFC83A7A6ED111 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B6A224ECE0A56F52B422FE9843141B26E - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BE5EDCEC1D9D5492BCD12BDADE90811DE - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B0D95BEDB118303D9269B3B5F73DFBACA - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B7A8986FFAF938C3E145DB93FCB6764C5 - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B804ACD07F8D5490F75250B0FE4322463 - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46B8BC7FE9E9ABEB93AB626E4FE11A667DB - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2CDE28DBBBD9131EBC568D77725B25937CF8EDB8A8F50A2ACEDA356C3CA3D46BAF83B960928F1E4CC975EA24F488202C - diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.c b/isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.h b/isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/api.h b/isap/Implementations/crypto_aead/isapa128av20/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/encrypt.c b/isap/Implementations/crypto_aead/isapa128av20/rhys/encrypt.c new file mode 100644 index 0000000..18697ad --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "isap.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return isap_ascon_128a_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return isap_ascon_128a_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.c b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.c new file mode 100644 index 0000000..12a8ec6 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.c @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-ascon.h" + +void ascon_permute(ascon_state_t *state, uint8_t first_round) +{ + uint64_t t0, t1, t2, t3, t4; +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = be_load_word64(state->B); + uint64_t x1 = be_load_word64(state->B + 8); + uint64_t x2 = be_load_word64(state->B + 16); + uint64_t x3 = be_load_word64(state->B + 24); + uint64_t x4 = be_load_word64(state->B + 32); +#else + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; +#endif + while (first_round < 12) { + /* Add the round constant to the state */ + x2 ^= ((0x0F - first_round) << 4) | first_round; + + /* Substitution layer - apply the s-box using bit-slicing + * according to the algorithm recommended in the specification */ + x0 ^= x4; x4 ^= x3; x2 ^= x1; + t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4; + t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0; + x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; + x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2; + + /* Linear diffusion layer */ + x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0); + x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1); + x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2); + x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3); + x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4); + + /* Move onto the next round */ + ++first_round; + } +#if defined(LW_UTIL_LITTLE_ENDIAN) + be_store_word64(state->B, x0); + be_store_word64(state->B + 8, x1); + be_store_word64(state->B + 16, x2); + be_store_word64(state->B + 24, x3); + be_store_word64(state->B + 32, x4); +#else + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; +#endif +} diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.h b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.h new file mode 100644 index 0000000..d3fa3ca --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_ASCON_H +#define LW_INTERNAL_ASCON_H + +#include "internal-util.h" + +/** + * \file internal-ascon.h + * \brief Internal implementation of the ASCON permutation. + * + * References: http://competitions.cr.yp.to/round3/asconv12.pdf, + * http://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Structure of the internal state of the ASCON permutation. + */ +typedef union +{ + uint64_t S[5]; /**< Words of the state */ + uint8_t B[40]; /**< Bytes of the state */ + +} ascon_state_t; + +/** + * \brief Permutes the ASCON state. + * + * \param state The ASCON state to be permuted. + * \param first_round The first round (of 12) to be performed; 0, 4, or 6. + * + * The input and output \a state will be in big-endian byte order. + */ +void ascon_permute(ascon_state_t *state, uint8_t first_round); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-isap.h b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-isap.h new file mode 100644 index 0000000..ba99f2a --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-isap.h @@ -0,0 +1,249 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ISAP variant. + * + * ISAP_ALG_NAME Name of the ISAP algorithm; e.g. isap_keccak_128 + * ISAP_RATE Number of bytes in the rate for hashing and encryption. + * ISAP_sH Number of rounds for hashing. + * ISAP_sE Number of rounds for encryption. + * ISAP_sB Number of rounds for key bit absorption. + * ISAP_sK Number of rounds for keying. + * ISAP_STATE Type for the permuation state; e.g. ascon_state_t + * ISAP_PERMUTE(s,r) Permutes the state "s" with number of rounds "r". + */ +#if defined(ISAP_ALG_NAME) + +#define ISAP_CONCAT_INNER(name,suffix) name##suffix +#define ISAP_CONCAT(name,suffix) ISAP_CONCAT_INNER(name,suffix) + +/* IV string for initialising the associated data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_A) + [sizeof(ISAP_STATE) - ISAP_NONCE_SIZE] = { + 0x01, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/* IV string for authenticating associated data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA) + [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = { + 0x02, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/* IV string for encrypting payload data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE) + [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = { + 0x03, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/** + * \brief Re-keys the ISAP permutation state. + * + * \param state The permutation state to be re-keyed. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param iv Points to the initialization vector for this re-keying operation. + * \param data Points to the data to be absorbed to perform the re-keying. + * \param data_len Length of the data to be absorbed. + * + * The output key will be left in the leading bytes of \a state. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *iv, + const unsigned char *data, unsigned data_len) +{ + unsigned bit, num_bits; + + /* Initialize the state with the key and IV */ + memcpy(state->B, k, ISAP_KEY_SIZE); + memcpy(state->B + ISAP_KEY_SIZE, iv, sizeof(state->B) - ISAP_KEY_SIZE); + ISAP_PERMUTE(state, ISAP_sK); + + /* Absorb all of the bits of the data buffer one by one */ + num_bits = data_len * 8 - 1; + for (bit = 0; bit < num_bits; ++bit) { + state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80; + ISAP_PERMUTE(state, ISAP_sB); + } + state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80; + ISAP_PERMUTE(state, ISAP_sK); +} + +/** + * \brief Encrypts (or decrypts) a message payload with ISAP. + * + * \param state ISAP permutation state. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param npub Points to the 128-bit nonce for the ISAP cipher. + * \param c Buffer to receive the output ciphertext. + * \param m Buffer to receive the input plaintext. + * \param mlen Length of the input plaintext. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_encrypt) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub, + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Set up the re-keyed encryption key and nonce in the state */ + ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE), npub, ISAP_NONCE_SIZE); + memcpy(state->B + sizeof(ISAP_STATE) - ISAP_NONCE_SIZE, + npub, ISAP_NONCE_SIZE); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen >= ISAP_RATE) { + ISAP_PERMUTE(state, ISAP_sE); + lw_xor_block_2_src(c, state->B, m, ISAP_RATE); + c += ISAP_RATE; + m += ISAP_RATE; + mlen -= ISAP_RATE; + } + if (mlen > 0) { + ISAP_PERMUTE(state, ISAP_sE); + lw_xor_block_2_src(c, state->B, m, (unsigned)mlen); + } +} + +/** + * \brief Authenticates the associated data and ciphertext using ISAP. + * + * \param state ISAP permutation state. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param npub Points to the 128-bit nonce for the ISAP cipher. + * \param ad Buffer containing the associated data. + * \param adlen Length of the associated data. + * \param c Buffer containing the ciphertext. + * \param clen Length of the ciphertext. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_mac) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *c, unsigned long long clen, + unsigned char *tag) +{ + unsigned char preserve[sizeof(ISAP_STATE) - ISAP_TAG_SIZE]; + unsigned temp; + + /* Absorb the associated data */ + memcpy(state->B, npub, ISAP_NONCE_SIZE); + memcpy(state->B + ISAP_NONCE_SIZE, ISAP_CONCAT(ISAP_ALG_NAME,_IV_A), + sizeof(state->B) - ISAP_NONCE_SIZE); + ISAP_PERMUTE(state, ISAP_sH); + while (adlen >= ISAP_RATE) { + lw_xor_block(state->B, ad, ISAP_RATE); + ISAP_PERMUTE(state, ISAP_sH); + ad += ISAP_RATE; + adlen -= ISAP_RATE; + } + temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x80; /* padding */ + ISAP_PERMUTE(state, ISAP_sH); + state->B[sizeof(state->B) - 1] ^= 0x01; /* domain separation */ + + /* Absorb the ciphertext */ + while (clen >= ISAP_RATE) { + lw_xor_block(state->B, c, ISAP_RATE); + ISAP_PERMUTE(state, ISAP_sH); + c += ISAP_RATE; + clen -= ISAP_RATE; + } + temp = (unsigned)clen; + lw_xor_block(state->B, c, temp); + state->B[temp] ^= 0x80; /* padding */ + ISAP_PERMUTE(state, ISAP_sH); + + /* Re-key the state and generate the authentication tag */ + memcpy(tag, state->B, ISAP_TAG_SIZE); + memcpy(preserve, state->B + ISAP_TAG_SIZE, sizeof(preserve)); + ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA), tag, ISAP_TAG_SIZE); + memcpy(state->B + ISAP_TAG_SIZE, preserve, sizeof(preserve)); + ISAP_PERMUTE(state, ISAP_sH); + memcpy(tag, state->B, ISAP_TAG_SIZE); +} + +int ISAP_CONCAT(ISAP_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ISAP_STATE state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ISAP_TAG_SIZE; + + /* Encrypt the plaintext to produce the ciphertext */ + ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, c, m, mlen); + + /* Authenticate the associated data and ciphertext to generate the tag */ + ISAP_CONCAT(ISAP_ALG_NAME,_mac) + (&state, k, npub, ad, adlen, c, mlen, c + mlen); + return 0; +} + +int ISAP_CONCAT(ISAP_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ISAP_STATE state; + unsigned char tag[ISAP_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ISAP_TAG_SIZE) + return -1; + *mlen = clen - ISAP_TAG_SIZE; + + /* Authenticate the associated data and ciphertext to generate the tag */ + ISAP_CONCAT(ISAP_ALG_NAME,_mac)(&state, k, npub, ad, adlen, c, *mlen, tag); + + /* Decrypt the ciphertext to produce the plaintext */ + ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, m, c, *mlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, tag, c + *mlen, ISAP_TAG_SIZE); +} + +#endif /* ISAP_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ISAP algorithm */ +#undef ISAP_ALG_NAME +#undef ISAP_RATE +#undef ISAP_sH +#undef ISAP_sE +#undef ISAP_sB +#undef ISAP_sK +#undef ISAP_STATE +#undef ISAP_PERMUTE +#undef ISAP_CONCAT_INNER +#undef ISAP_CONCAT diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.c b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.c new file mode 100644 index 0000000..c3c4011 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.c @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-keccak.h" + +/* Faster method to compute ((x + y) % 5) that avoids the division */ +static unsigned char const addMod5Table[9] = { + 0, 1, 2, 3, 4, 0, 1, 2, 3 +}; +#define addMod5(x, y) (addMod5Table[(x) + (y)]) + +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +{ + static uint8_t const RC[18] = { + 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, + 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, + 0x02, 0x80 + }; + uint8_t B[5][5]; + uint8_t D; + unsigned round; + unsigned index, index2; + for (round = 18 - rounds; round < 18; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_8(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate4_8(state->A[0][3]); + B[2][0] = leftRotate1_8(state->A[0][1]); + B[3][0] = leftRotate3_8(state->A[0][4]); + B[4][0] = leftRotate6_8(state->A[0][2]); + B[0][1] = leftRotate4_8(state->A[1][1]); + B[1][1] = leftRotate4_8(state->A[1][4]); + B[2][1] = leftRotate6_8(state->A[1][2]); + B[3][1] = leftRotate4_8(state->A[1][0]); + B[4][1] = leftRotate7_8(state->A[1][3]); + B[0][2] = leftRotate3_8(state->A[2][2]); + B[1][2] = leftRotate3_8(state->A[2][0]); + B[2][2] = leftRotate1_8(state->A[2][3]); + B[3][2] = leftRotate2_8(state->A[2][1]); + B[4][2] = leftRotate7_8(state->A[2][4]); + B[0][3] = leftRotate5_8(state->A[3][3]); + B[1][3] = leftRotate5_8(state->A[3][1]); + B[2][3] = state->A[3][4]; + B[3][3] = leftRotate7_8(state->A[3][2]); + B[4][3] = leftRotate1_8(state->A[3][0]); + B[0][4] = leftRotate6_8(state->A[4][4]); + B[1][4] = leftRotate5_8(state->A[4][2]); + B[2][4] = leftRotate2_8(state->A[4][0]); + B[3][4] = state->A[4][3]; + B[4][4] = leftRotate2_8(state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define keccakp_400_permute_host keccakp_400_permute +#endif + +/* Keccak-p[400] that assumes that the input is already in host byte order */ +void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) +{ + static uint16_t const RC[20] = { + 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, + 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, + 0x8002, 0x0080, 0x800A, 0x000A + }; + uint16_t B[5][5]; + uint16_t D; + unsigned round; + unsigned index, index2; + for (round = 20 - rounds; round < 20; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_16(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate12_16(state->A[0][3]); + B[2][0] = leftRotate1_16 (state->A[0][1]); + B[3][0] = leftRotate11_16(state->A[0][4]); + B[4][0] = leftRotate14_16(state->A[0][2]); + B[0][1] = leftRotate12_16(state->A[1][1]); + B[1][1] = leftRotate4_16 (state->A[1][4]); + B[2][1] = leftRotate6_16 (state->A[1][2]); + B[3][1] = leftRotate4_16 (state->A[1][0]); + B[4][1] = leftRotate7_16 (state->A[1][3]); + B[0][2] = leftRotate11_16(state->A[2][2]); + B[1][2] = leftRotate3_16 (state->A[2][0]); + B[2][2] = leftRotate9_16 (state->A[2][3]); + B[3][2] = leftRotate10_16(state->A[2][1]); + B[4][2] = leftRotate7_16 (state->A[2][4]); + B[0][3] = leftRotate5_16 (state->A[3][3]); + B[1][3] = leftRotate13_16(state->A[3][1]); + B[2][3] = leftRotate8_16 (state->A[3][4]); + B[3][3] = leftRotate15_16(state->A[3][2]); + B[4][3] = leftRotate9_16 (state->A[3][0]); + B[0][4] = leftRotate14_16(state->A[4][4]); + B[1][4] = leftRotate13_16(state->A[4][2]); + B[2][4] = leftRotate2_16 (state->A[4][0]); + B[3][4] = leftRotate8_16 (state->A[4][3]); + B[4][4] = leftRotate2_16 (state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if !defined(LW_UTIL_LITTLE_ENDIAN) + +/** + * \brief Reverses the bytes in a Keccak-p[400] state. + * + * \param state The Keccak-p[400] state to apply byte-reversal to. + */ +static void keccakp_400_reverse_bytes(keccakp_400_state_t *state) +{ + unsigned index; + unsigned char temp1; + unsigned char temp2; + for (index = 0; index < 50; index += 2) { + temp1 = state->B[index]; + temp2 = state->B[index + 1]; + state->B[index] = temp2; + state->B[index + 1] = temp1; + } +} + +/* Keccak-p[400] that requires byte reversal on input and output */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) +{ + keccakp_400_reverse_bytes(state); + keccakp_400_permute_host(state, rounds); + keccakp_400_reverse_bytes(state); +} + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.h b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.h new file mode 100644 index 0000000..026da50 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KECCAK_H +#define LW_INTERNAL_KECCAK_H + +#include "internal-util.h" + +/** + * \file internal-keccak.h + * \brief Internal implementation of the Keccak-p permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for the Keccak-p[200] permutation. + */ +#define KECCAKP_200_STATE_SIZE 25 + +/** + * \brief Size of the state for the Keccak-p[400] permutation. + */ +#define KECCAKP_400_STATE_SIZE 50 + +/** + * \brief Structure of the internal state of the Keccak-p[200] permutation. + */ +typedef union +{ + uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ + uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ + +} keccakp_200_state_t; + +/** + * \brief Structure of the internal state of the Keccak-p[400] permutation. + */ +typedef union +{ + uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ + uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ + +} keccakp_400_state_t; + +/** + * \brief Permutes the Keccak-p[200] state. + * + * \param state The Keccak-p[200] state to be permuted. + * \param rounds The number of rounds to perform (up to 18). + */ +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); + +/** + * \brief Permutes the Keccak-p[400] state, which is assumed to be in + * little-endian byte order. + * + * \param state The Keccak-p[400] state to be permuted. + * \param rounds The number of rounds to perform (up to 20). + */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-util.h b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/isap.c b/isap/Implementations/crypto_aead/isapa128av20/rhys/isap.c new file mode 100644 index 0000000..26d50a3 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/isap.c @@ -0,0 +1,110 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "isap.h" +#include "internal-keccak.h" +#include "internal-ascon.h" +#include + +aead_cipher_t const isap_keccak_128a_cipher = { + "ISAP-K-128A", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_keccak_128a_aead_encrypt, + isap_keccak_128a_aead_decrypt +}; + +aead_cipher_t const isap_ascon_128a_cipher = { + "ISAP-A-128A", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_ascon_128a_aead_encrypt, + isap_ascon_128a_aead_decrypt +}; + +aead_cipher_t const isap_keccak_128_cipher = { + "ISAP-K-128", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_keccak_128_aead_encrypt, + isap_keccak_128_aead_decrypt +}; + +aead_cipher_t const isap_ascon_128_cipher = { + "ISAP-A-128", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_ascon_128_aead_encrypt, + isap_ascon_128_aead_decrypt +}; + +/* ISAP-K-128A */ +#define ISAP_ALG_NAME isap_keccak_128a +#define ISAP_RATE (144 / 8) +#define ISAP_sH 16 +#define ISAP_sE 8 +#define ISAP_sB 1 +#define ISAP_sK 8 +#define ISAP_STATE keccakp_400_state_t +#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r)) +#include "internal-isap.h" + +/* ISAP-A-128A */ +#define ISAP_ALG_NAME isap_ascon_128a +#define ISAP_RATE (64 / 8) +#define ISAP_sH 12 +#define ISAP_sE 6 +#define ISAP_sB 1 +#define ISAP_sK 12 +#define ISAP_STATE ascon_state_t +#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r)) +#include "internal-isap.h" + +/* ISAP-K-128 */ +#define ISAP_ALG_NAME isap_keccak_128 +#define ISAP_RATE (144 / 8) +#define ISAP_sH 20 +#define ISAP_sE 12 +#define ISAP_sB 12 +#define ISAP_sK 12 +#define ISAP_STATE keccakp_400_state_t +#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r)) +#include "internal-isap.h" + +/* ISAP-A-128 */ +#define ISAP_ALG_NAME isap_ascon_128 +#define ISAP_RATE (64 / 8) +#define ISAP_sH 12 +#define ISAP_sE 12 +#define ISAP_sB 12 +#define ISAP_sK 12 +#define ISAP_STATE ascon_state_t +#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r)) +#include "internal-isap.h" diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/isap.h b/isap/Implementations/crypto_aead/isapa128av20/rhys/isap.h new file mode 100644 index 0000000..ddf8203 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/isap.h @@ -0,0 +1,330 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ISAP_H +#define LWCRYPTO_ISAP_H + +#include "aead-common.h" + +/** + * \file isap.h + * \brief ISAP authenticated encryption algorithm. + * + * ISAP is a family of authenticated encryption algorithms that are built + * around the Keccak-p[400] or ASCON permutations. There are four algorithms + * in the family, each of which have a 128-bit key, a 128-bit nonce, and a + * 128-bit tag: + * + * \li ISAP-K-128A based around the Keccak-p[400] permutation with a + * reduced number of rounds. This is the primary member in the family. + * \li ISAP-A-128A based around the ASCON permutation with a reduced + * number of rounds. + * \li ISAP-K-128 based around the Keccak-p[400] permutation. + * \li ISAP-A-128 based around the ASCON permutation. + * + * ISAP is designed to provide some protection against adversaries + * using differential power analysis to determine the key. The + * downside is that key setup is very slow. + * + * References: https://isap.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all ISAP family members. + */ +#define ISAP_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all ISAP family members. + */ +#define ISAP_TAG_SIZE 16 + +/** + * \brief Size of the nonce for all ISAP family members. + */ +#define ISAP_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the ISAP-K-128A cipher. + */ +extern aead_cipher_t const isap_keccak_128a_cipher; + +/** + * \brief Meta-information block for the ISAP-A-128A cipher. + */ +extern aead_cipher_t const isap_ascon_128a_cipher; + +/** + * \brief Meta-information block for the ISAP-K-128 cipher. + */ +extern aead_cipher_t const isap_keccak_128_cipher; + +/** + * \brief Meta-information block for the ISAP-A-128 cipher. + */ +extern aead_cipher_t const isap_ascon_128_cipher; + +/** + * \brief Encrypts and authenticates a packet with ISAP-K-128A. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_keccak_128a_aead_decrypt() + */ +int isap_keccak_128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-K-128A. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_keccak_128a_aead_encrypt() + */ +int isap_keccak_128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-A-128A. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_ascon_128a_aead_decrypt() + */ +int isap_ascon_128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-A-128A. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_ascon_128a_aead_encrypt() + */ +int isap_ascon_128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-K-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_keccak_128_aead_decrypt() + */ +int isap_keccak_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-K-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_keccak_128_aead_encrypt() + */ +int isap_keccak_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-A-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_ascon_128_aead_decrypt() + */ +int isap_ascon_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-A-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_ascon_128_aead_encrypt() + */ +int isap_ascon_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/LWC_AEAD_KAT_128_128.txt b/isap/Implementations/crypto_aead/isapa128v20/LWC_AEAD_KAT_128_128.txt new file mode 100644 index 0000000..0b11aea --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/LWC_AEAD_KAT_128_128.txt @@ -0,0 +1,7623 @@ +Count = 1 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = +CT = 79A08D4D8B9F23D3699CBB91174DD67B + +Count = 2 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00 +CT = 1C08E1C57809657AE74AB46A0C788990 + +Count = 3 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001 +CT = 0D10BF42FF4747E85E82B56E7BF6971F + +Count = 4 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102 +CT = 2CE0E5D2A62B7147AD115447EC82F973 + +Count = 5 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203 +CT = 0DCD47EB63C6D8747F1615CEB8DCBD41 + +Count = 6 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304 +CT = 69E5D506E54E4DC1A425CA3A8DDCFCEA + +Count = 7 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405 +CT = 912C71B754056032794554A2416DAFFC + +Count = 8 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506 +CT = 945EDDD648DE63D39E59CE082442EE32 + +Count = 9 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304050607 +CT = 6CA1782866E3A3C02A69808ACD90E116 + +Count = 10 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708 +CT = 0EA86DB28155B24BE09E1DD51512BCE8 + +Count = 11 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506070809 +CT = 619FD7C25C53F0650967790094FE60CB + +Count = 12 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A +CT = 395A0E0C1751A9E5828C2C1A01671FD8 + +Count = 13 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B +CT = FCC741F5758C9A23781BAB0816E6D70F + +Count = 14 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C +CT = 575333F4FE2F43383B5741C6DC678BAC + +Count = 15 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D +CT = 33403F908770AC8E7EC3F6A550FC8665 + +Count = 16 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E +CT = 32675670733ED9901E3A111E44A61265 + +Count = 17 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F +CT = 649D22260EC3AFBEFFD56CD41D55AE0D + +Count = 18 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 73A7D6F99838A3AFE6F43B0E420ABFC5 + +Count = 19 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 6F5161A7B19846B085661C4A0E5CBAE9 + +Count = 20 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 200CF404403A63EE5ACF37BB5973C361 + +Count = 21 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 898F3D7A9BC1A1A1FD74A32C7CF7CEB4 + +Count = 22 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 8F7D0211E6A58554E973D7176833C7DA + +Count = 23 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = E50705103326C58475E0F2B06A6E6A8A + +Count = 24 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 75B9DE37312119173D22207B8B905094 + +Count = 25 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = AC54A2482BB21C1D7DDB91B60357F691 + +Count = 26 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 995ED8B85E29554F68E684D176359E29 + +Count = 27 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 675740FE838B0870213EE2902C31A327 + +Count = 28 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = F433BD8DF5887CB3C5022D84A1BF31CC + +Count = 29 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = BEC1C573ED6A54301B653DAA9ABA039C + +Count = 30 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 44BE8F10DAA6804EE7E8F14DB2EF898C + +Count = 31 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = E91D9D193F7A54BDF5EFB46B5DE002F9 + +Count = 32 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = ECB3991BED7CB6BBB04D392357315959 + +Count = 33 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 1143900669E7333140265FB02B63EDEF + +Count = 34 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = +CT = B8681B221A6DAE4BFD96E8FCC8FB6FF81C + +Count = 35 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00 +CT = B8CDEA5650EB1A63E8FF96E7C641CDB731 + +Count = 36 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001 +CT = B8096428E3C142B7E0E9AC46193376AC1D + +Count = 37 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102 +CT = B82679F00439DFC49690C61C74E52C0B07 + +Count = 38 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203 +CT = B81018F1535A3EEFA33B5363B7CCF19267 + +Count = 39 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304 +CT = B8DB7F86AE6BE2EBB98BAC259F61A0BAB6 + +Count = 40 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405 +CT = B87377493B158FF695263CD237BDAE074B + +Count = 41 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506 +CT = B8E9159D7EBEB0438E1507486A98EFD944 + +Count = 42 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304050607 +CT = B8B60D5CFA4BA475562A012357E2B73CD7 + +Count = 43 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708 +CT = B87199BBFB81E2929FAD276AA94E6D9C65 + +Count = 44 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506070809 +CT = B89B4B92B070E7C8D414236154392E6262 + +Count = 45 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A +CT = B82767410B6A6F459841F8E2ED49005136 + +Count = 46 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B +CT = B877039F49FAF3072B6DBAE4C944365FCC + +Count = 47 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C +CT = B8051AACAA175E74B33EC4B2EB4D69138A + +Count = 48 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D +CT = B8DAEC24B12290C06E3B7426F11E901A9A + +Count = 49 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E +CT = B8E372D624567E33B0E0AA12D27AD43CCB + +Count = 50 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8898DB55ECC68FCB0E4D9AB0F1313D84F + +Count = 51 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B87BE8F0573E1DFB6892615B1445CADBEB + +Count = 52 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8F7EECF208A5AECC7D5D02F89BF04B609 + +Count = 53 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8B586094F925345890946EC859CE6CC09 + +Count = 54 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8AF8376A8C30EE517D990430E424DB760 + +Count = 55 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B86BBD40F7AC94F99CB3D53B69010E4E61 + +Count = 56 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8AC77834AA8CB332804FE78FA1CA00D46 + +Count = 57 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8CD611A73E66262A8AE93E5BA05E1EDFA + +Count = 58 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8187AD36AE90CBD60000FEEC1AFB7EA2A + +Count = 59 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B87A979B9C98145B534EDE723AEAC09AB9 + +Count = 60 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8A21A416E8627086A8C6B7CB18ADF08E4 + +Count = 61 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B80626F0935933C10A89B5A0A76A51D2DC + +Count = 62 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B80C69A13AB6AD619CD5624AF2A98973A6 + +Count = 63 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B824124B716A638658C5AA7ADE79D492CD + +Count = 64 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8410E59E06D4B2ABC709528DA9A2EB7AA + +Count = 65 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B83B3D6781E635E35C6C9054D761A0C8CE + +Count = 66 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8C1B1262E9155CCCBCD7620A4D3578EF3 + +Count = 67 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = +CT = B852318142C985AB74058BCB2C80C3B034D0 + +Count = 68 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00 +CT = B852AD7BA1B1E573B794A52BA482A128054E + +Count = 69 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001 +CT = B852878BC591E97BE148469CA563950D3C8F + +Count = 70 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102 +CT = B8525A263427AB77BDA2CD08FEC68D4F867D + +Count = 71 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203 +CT = B852B678A3B68C61498BF59553B121BF4CBD + +Count = 72 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304 +CT = B8520505635FC3CFC65E7B78D8494DD71E0A + +Count = 73 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405 +CT = B852AE9E7BEF230CDA1EB1118CBF4CFFECFE + +Count = 74 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506 +CT = B852D59A5308A4E3A29BE62E34BFB7660884 + +Count = 75 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304050607 +CT = B8528C9E53E7DD2D4308800CAD9BEB3CF409 + +Count = 76 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708 +CT = B852AC2F36729DF4BDF45F4EE297A37A17AA + +Count = 77 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506070809 +CT = B8524DD6358938F12FDCD80CD8417E0C44BB + +Count = 78 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A +CT = B852223DE26A176CA33CFB7E52E6BF3EA4A2 + +Count = 79 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B +CT = B8520A96D211483B19FD3FC3F8539ECC4723 + +Count = 80 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C +CT = B8527623F514F9C6EE6DF1528C1FF00AD6B6 + +Count = 81 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D +CT = B85220F540F47D0563D2D450FA2883200663 + +Count = 82 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E +CT = B852764AEF6DB525993D5781EDDC31638281 + +Count = 83 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F +CT = B852474C7BD71D243CCFADA77A15D36DECB9 + +Count = 84 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B852F3C2CDD920C52023FA86A991BE384654 + +Count = 85 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B852E490C66B89696B867C46375C5862BE76 + +Count = 86 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B852DE06C05A2C3471D86A79C838AF4FCC2A + +Count = 87 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B85268129C5DCA81B30826965C7BE3D6ED0E + +Count = 88 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B85205C308294E329A37E3112E69B644F90C + +Count = 89 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B852B9AAA719447308B34C01830E20D1F5D4 + +Count = 90 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8528B66D63B75F04A632E1B5E12C96654D5 + +Count = 91 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8520A66B6DF2343E181AF5AFA7AC560C764 + +Count = 92 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B852A4731937090EEB35A7012C6198F83DDA + +Count = 93 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B85260B91AF2ECC7B618B36B09C870D3F38A + +Count = 94 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B852E2DCCCA6CA5403E0AAC57714B16E2250 + +Count = 95 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B852628B9A79D9C97F52B6C0C7E780636ECF + +Count = 96 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B852A45EB9C0CDD06817A4F0C28827D38682 + +Count = 97 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B852EAB8FBEF49547AF7446851EC55807BFE + +Count = 98 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8526261116DCF1B386DA9EFDDCA7E17CFDB + +Count = 99 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B852A7AFD2E02707BF948893482D00C0920A + +Count = 100 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = +CT = B8529B87184E3591353EB3CED177DF850FA31F + +Count = 101 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00 +CT = B8529BC28C2991A6FED868869F700E711356A1 + +Count = 102 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001 +CT = B8529B69BE6ABEF571F4C1C12F1205C13764BA + +Count = 103 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102 +CT = B8529B816CACBA2546E6D005282D72C793964B + +Count = 104 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203 +CT = B8529B3819F5DA572D3720F24C76A4D64EAF09 + +Count = 105 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304 +CT = B8529BD3AC39641FBBADBD098F198EF076DC34 + +Count = 106 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405 +CT = B8529BFEAEBA66D206308AADB218E780747BDE + +Count = 107 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506 +CT = B8529BEDE79A25686309967E3D777A86C5221E + +Count = 108 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304050607 +CT = B8529BB51AC90CB3501D0A61CD03E1224A087A + +Count = 109 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708 +CT = B8529BECA8B96B32E8FEDE529020293E356110 + +Count = 110 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506070809 +CT = B8529B0050E28BE528EFA05E3D89D7DB157FFD + +Count = 111 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A +CT = B8529B82B7F6C7056D33881B31006D314C7556 + +Count = 112 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B +CT = B8529B0B9FA419F6B0C9C991F108B45494C99D + +Count = 113 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C +CT = B8529BDACF7A0FCBEC6B1E0192FC4D04EADEE8 + +Count = 114 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D +CT = B8529BDA44384B938B3E554254F51DCB680E53 + +Count = 115 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BEFD4DF6217A54467E24291CBE91C9999 + +Count = 116 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BFADD92DCDDDA9260D3CD1F3C38563078 + +Count = 117 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529B177A000EFE6076278C2639B02DA5B3DC + +Count = 118 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529B47DDAA7B572440CE612EEB358CC3E8DC + +Count = 119 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BB7765A6DC2B115AF80FBE16C19F2F900 + +Count = 120 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BC7A7558A5E1FA4CD4ECA57920D40ADB7 + +Count = 121 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529B38F2484235168C3EAF4FC5925C143EA9 + +Count = 122 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529B598F82F1F81ACE7F1C80964AF4DAD387 + +Count = 123 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529B7E76CF83F5470D3ADB2E8A264216A707 + +Count = 124 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BC500BDE3C02E014692886462C2F48AA4 + +Count = 125 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BD6AF42FE16542C99FC925AB171E447B9 + +Count = 126 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529B5114F0C9E79A988E518F1DD8AAE256E0 + +Count = 127 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BE35A812C7CAB780380DA6E2B287DEFC9 + +Count = 128 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529B771333F389BB9AFC3C2145C2D27CA7E0 + +Count = 129 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BD503296662D8FF09947721D7D5F6CEB2 + +Count = 130 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCAE1EE3AA5BDE04800F2EEDFD379BCEF + +Count = 131 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529B7C47EEB439001372B7FFAB95835745C4 + +Count = 132 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529B167689C1D0BA76010FC68131E9859EBB + +Count = 133 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = +CT = B8529BCE6EE52F1740275BD9AE7F2824A766A504 + +Count = 134 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00 +CT = B8529BCE0769964CFB73E2E7D8BA9E5F0BD13742 + +Count = 135 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001 +CT = B8529BCE0403B2C936C0467D1A04B97853D007A8 + +Count = 136 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102 +CT = B8529BCEFD8B6E21407015E108B1D54516231C7A + +Count = 137 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203 +CT = B8529BCE3724B769F12F7C5ED260E521896E8439 + +Count = 138 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304 +CT = B8529BCECEEA14D2EC32F6A8DCDAF81358CA496F + +Count = 139 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405 +CT = B8529BCEE24D614587E741308C79A53C74A9195B + +Count = 140 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506 +CT = B8529BCE1AEB30C042C14C47A8119A4F6085DE2D + +Count = 141 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304050607 +CT = B8529BCE33263FB060C69686B3F0C050FAD15CA9 + +Count = 142 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708 +CT = B8529BCE7FE1F7947F2591484065068978F95050 + +Count = 143 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506070809 +CT = B8529BCE661AFAD91919991F3763AB704DEE7768 + +Count = 144 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A +CT = B8529BCEF5D39846DF302AA609E2974B9D06EE90 + +Count = 145 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B +CT = B8529BCE2C1B7566034765363E8653D136C45E30 + +Count = 146 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C +CT = B8529BCE6817754E174F7D0E4B17B51DDA679682 + +Count = 147 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE71D73EC88951280B9D009928EFDACD0D + +Count = 148 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE86CF56CB4468E2BC5899EBCD26CD12DC + +Count = 149 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE4A9B1FA6183AD8C398804E7CD30AEF9C + +Count = 150 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE222EFE6DD52A550700FD9BAD79A14C36 + +Count = 151 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE3ED857D06B98849B2491CAAF823ACF25 + +Count = 152 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCEBCEC28DD1289459B90308D58D5E61AB5 + +Count = 153 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE46C33A21DD19D257A888A8AB14FAEAC6 + +Count = 154 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE8DEB2F3D20DF2D3A6DEE69CE0674C788 + +Count = 155 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE8ABF89EF4E3740FFD5CAA89072497E12 + +Count = 156 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE5C3127EB242E06AC12F12C351F159212 + +Count = 157 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCEBDBA60546092D35A0BEDB75D8B82A703 + +Count = 158 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCEA73BFC1C3149A6715620B81E1B975377 + +Count = 159 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE756DB8A2CDBCDA6D3F670E3B5B7DB336 + +Count = 160 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCEFF749AD0C9F33C8B237088895F0FF614 + +Count = 161 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE19EDA038C55252CD8A82322F532FE143 + +Count = 162 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCED9C26018101876F449409B5214E2C796 + +Count = 163 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCECD9082ADE141EF25212CC0A5BA3A5751 + +Count = 164 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE091364894986D6F550CE2787DE77E2A8 + +Count = 165 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE347979AAC0E18C6821BD5C5EDB33C34C + +Count = 166 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = +CT = B8529BCE1B14A150C8AABEB762993FB3CFD470E9D3 + +Count = 167 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00 +CT = B8529BCE1B061E0CB600F6478EC6F9EE2F378CAF2F + +Count = 168 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001 +CT = B8529BCE1B1BBFA2B6866761A9F9BDDE0245B3CC68 + +Count = 169 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102 +CT = B8529BCE1B9A77BF121DFFEE7FEFAED531AA0E5FED + +Count = 170 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203 +CT = B8529BCE1B4E67DFCE78F68F0AFBA2517E637650E8 + +Count = 171 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304 +CT = B8529BCE1B5B061BC0399F9E63347F422904912AAC + +Count = 172 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405 +CT = B8529BCE1BEB89140BEEF56CFBEF9ACBF1F2E88E6B + +Count = 173 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506 +CT = B8529BCE1B19BEB28DAB995A79C27A8F60D39E47B1 + +Count = 174 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304050607 +CT = B8529BCE1B809DFE9EF59C75B2A1725C50137601A5 + +Count = 175 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708 +CT = B8529BCE1B3688738717A14074C0F5726111796E9B + +Count = 176 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506070809 +CT = B8529BCE1BFEC45002B93C8BCD2C066A7E17E19993 + +Count = 177 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A +CT = B8529BCE1BDA96290B6876016B7F47D5C8773C3931 + +Count = 178 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B +CT = B8529BCE1BFF7E35F3FF5679237511F10954C696FA + +Count = 179 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B7953822C5D48345D83C8C554C9C77080 + +Count = 180 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B84CFE7C59DDB0874217C5C0CEB53355C + +Count = 181 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1BF1EB24CBA72C418D38E98EA024335ABF + +Count = 182 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B9F388F9FA26C143764831BCB90CC6479 + +Count = 183 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B2CAE16781B62F4DE3A9ECE7B8EAF4DBE + +Count = 184 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1BB84ABD60143FD6BD5F6528B7FB890227 + +Count = 185 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B2DCAED1F6755639287B90A60EB63FB95 + +Count = 186 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B5629F92C2C9D050C5AF627C664E13AE2 + +Count = 187 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B157D161371D053F53C6D68FB001109D3 + +Count = 188 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1BB6FA9727BC5208210E08BC28FF7FDAC2 + +Count = 189 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B6C156592EB6D13AA267CF7E5665E415D + +Count = 190 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1BBB5219113F8634C53FC06B6C691CB203 + +Count = 191 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1BDF5F7E359DFA0073D477C48FA3570193 + +Count = 192 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B82D47E472F48B5C7DDF37A733C22DE6A + +Count = 193 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B1A2482AF4E6213BE95AB7B6036759436 + +Count = 194 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B67C08C5796BD29E61AFD7156E72E3D6A + +Count = 195 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B2D1045C573050391BADA95C6DFB4B51A + +Count = 196 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B4872BA691A27C2BFEB6D8AD23A6D310C + +Count = 197 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B9125BB53A5504CB8480B330C3981D976 + +Count = 198 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1BEADCBA59F19DB38245A4BCC6476BF958 + +Count = 199 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = +CT = B8529BCE1B3F2FD9637B5A4B0A5B1DEF63AE4393ECF0 + +Count = 200 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00 +CT = B8529BCE1B3F861EE186192B223F0CEA0D52732A4356 + +Count = 201 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001 +CT = B8529BCE1B3F726B2F07F3403F017A1021448AD994C1 + +Count = 202 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102 +CT = B8529BCE1B3F74A7CF24428B1FF03BF8B4486D726039 + +Count = 203 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203 +CT = B8529BCE1B3FC43619EE3FDD95ED98ABDE200DC30F33 + +Count = 204 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304 +CT = B8529BCE1B3F7F16444EEAB278F56D230AC8D5731398 + +Count = 205 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405 +CT = B8529BCE1B3F0CC7211A73D2797F324B9121252A3DC7 + +Count = 206 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506 +CT = B8529BCE1B3F7199FE1730FAAF5CF97318CA9EF56710 + +Count = 207 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304050607 +CT = B8529BCE1B3F4268056CBE21B6A00BE27E68B2BA22B2 + +Count = 208 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708 +CT = B8529BCE1B3FD4935323A3113CCC2CB0759FE7E9FA44 + +Count = 209 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506070809 +CT = B8529BCE1B3FCDFF16387C16CC8525B15A3E72CBD3E7 + +Count = 210 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A +CT = B8529BCE1B3FE47A036FA085262DA5BE9D0859CF87A2 + +Count = 211 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F4C2E0B319AB3466D612F542D54E9A248 + +Count = 212 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F8E3F4C8371757DACF8C5AE7B9AB30DEF + +Count = 213 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F3FBE893FD5BC191A52E178AAB5C28EF5 + +Count = 214 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3FBA5FF63C5600680A0BAA4826B523F40C + +Count = 215 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9F14AC3BB4B5D394955BAD54EA4D940A + +Count = 216 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F73B38A9738F3DE88D612612C96A7B5C0 + +Count = 217 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3FF1D052E838940D66A71302383DAA13AA + +Count = 218 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F38076F437BD7D7F309DBB6F734CBA71F + +Count = 219 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F8676EA6251EE51A2AF9537F773C4A188 + +Count = 220 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3FAAC4AB5EEEB0A44D7721F5140C90B8BA + +Count = 221 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3FD00755950FABE8D890DC3227B4FA43AD + +Count = 222 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F5E365815469228DF04495054E54F432F + +Count = 223 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3FD8AAF80CBC1496FD7D513948B883FAD8 + +Count = 224 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F220C07AE5438E20B9C169CFAB5DBF28B + +Count = 225 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3FE69BB8DA05F6C2D64CAA036F0681994A + +Count = 226 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F482059E662915211FAE18933DF58D5CD + +Count = 227 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3FFBDFA33627ED8BEADB1B024ED2D3C452 + +Count = 228 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F02D1CFCECCC483E5C2CBADAEE2324E01 + +Count = 229 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F921F9378AC7686B7349EE2EC16D82508 + +Count = 230 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F6A7403E7B7C81DAAC1FF71CC9C08F593 + +Count = 231 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F4F0F18F095A0526DA14AE1D4A2B8620A + +Count = 232 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = +CT = B8529BCE1B3F9D809167647867D987D5E81331D614C8CB + +Count = 233 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00 +CT = B8529BCE1B3F9D097B116174F92A0F82D1BCBAD5BC4202 + +Count = 234 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001 +CT = B8529BCE1B3F9D7996DC8D60DF511AF9ED7D2EEF90FB7C + +Count = 235 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102 +CT = B8529BCE1B3F9DFCF7E81AB4B2B01BFD3FA4E1DCEE8F6E + +Count = 236 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203 +CT = B8529BCE1B3F9D2DF3F3A7475400671A148F2EE2CFD921 + +Count = 237 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304 +CT = B8529BCE1B3F9D62EDFCEE9721E75799F8EDED99BD7809 + +Count = 238 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405 +CT = B8529BCE1B3F9D4010C50E9160D97BBE9B25CA4CE07E5F + +Count = 239 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506 +CT = B8529BCE1B3F9DA140DFBFBF18F687939D46930C2F43C4 + +Count = 240 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304050607 +CT = B8529BCE1B3F9D9DDA8ABF780146BBC9C233CBCEAF8E1E + +Count = 241 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708 +CT = B8529BCE1B3F9DA6F92B5C2EB20B5337F87F775B6700C5 + +Count = 242 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D889689C0310B67B829C31BF3E9790743 + +Count = 243 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D55FD0ED71AA26E0A6934215CBBA615BF + +Count = 244 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D52D6DA3EA742DCE5C9DB4A7C28E8B7EB + +Count = 245 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D37FCCC33A6308AD707C60C89C2047DFA + +Count = 246 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9DCB15E357BAD6F11DFCD39B69E3B674FF + +Count = 247 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9DCBD74EC487AA738E955B404828DECDD0 + +Count = 248 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D62AC6ED1D7BFDE0BE63E392318714211 + +Count = 249 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D7C49ECBB65874D14507A86DB03EC2D5F + +Count = 250 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9DB2BFF11E4F3F2CDCA2C1D189681D7DB3 + +Count = 251 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9DC6DA1FF98DEC0DFFDACC690F9F94457A + +Count = 252 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D65B6C35FCCBE498026BCDFA73BB1F48E + +Count = 253 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D7E406D47A29A4A3521909405DA1AFC6D + +Count = 254 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D34DF239320D11B1B56546DB2B1D20089 + +Count = 255 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9DA137DD38B2EB43CA5CDE0867D9DA8EAB + +Count = 256 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9DE8269539DCAE9CE146708EE5E00473EE + +Count = 257 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9DEA0CC2F6BC6927DC47A8AA3D9336FB53 + +Count = 258 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D2C6E91521AB9197AEC2F9F6AA573A108 + +Count = 259 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D7F59DF7A3648FD2BE95CFFEA40E02C53 + +Count = 260 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9DCE2E3AFCAC3043109DD75AA2BDF36448 + +Count = 261 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9DD9E7C956D0478E99971080B7138EC35D + +Count = 262 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9DA98200BFA115F3DBA73C08D3779DA4CD + +Count = 263 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9DC01B8611BBA7DBA4D2EB0A3227BA5F92 + +Count = 264 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9DD4AA450FA8071E610DA9C83D5D579738 + +Count = 265 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = +CT = B8529BCE1B3F9D0D86EEF74C15732A03B996956EF8F6B4D1 + +Count = 266 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00 +CT = B8529BCE1B3F9D0D2814047F43AFB17CA2DDC8039B265318 + +Count = 267 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001 +CT = B8529BCE1B3F9D0DF4B03CC74A810D3E869FBEF0AF71424B + +Count = 268 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102 +CT = B8529BCE1B3F9D0D5455EBD9E712D49BBD8184823D05C2FF + +Count = 269 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203 +CT = B8529BCE1B3F9D0D413A38A2B4F631AD90499ED5D5CE8729 + +Count = 270 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304 +CT = B8529BCE1B3F9D0D00C6F71FB1D62A3F814D1F85FB406A02 + +Count = 271 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405 +CT = B8529BCE1B3F9D0D7A4868F7E6C237ABC6BCD44E7476AC61 + +Count = 272 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506 +CT = B8529BCE1B3F9D0D43F504638CA61B8A18498C0A1319E351 + +Count = 273 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DBCD13B18FFA99D381349E71B8473BA98 + +Count = 274 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0D773BDB5AF899D1AEB6515E46B60D7031 + +Count = 275 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0D5610B091005171287A325D65A27D7330 + +Count = 276 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0D8C1043648D6507D63B2271C47AF08201 + +Count = 277 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0D05E859BA7F9183563C4D08FB5358F779 + +Count = 278 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DD71A3C3D969BF381784DC19BE4C0823C + +Count = 279 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0D0E74D5A014237838FD29971DEF989E86 + +Count = 280 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0D5D43BE1D2BDDEBD67391DBDEE1E52C9D + +Count = 281 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0D2540F297410A67F78DA7573065FB5727 + +Count = 282 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DAA4F3D0B893E66D4591DD88CD495DBCE + +Count = 283 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0D22E800460AEC298FE9345221F7E649FA + +Count = 284 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0D00CD0F3ABD6E6233A374B9429F18A43D + +Count = 285 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0D0081D40824F8810FDD97725A68DE4DCD + +Count = 286 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0D0BCBB148BCA6D38C845EE8E9E75404D6 + +Count = 287 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0D85A2DCABFE23FA59D3EED5D11FBAC652 + +Count = 288 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DD6521FD996139020CDF4AC5AFD4FFBDC + +Count = 289 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0D2CAF18E9ACAEB0F3204CC0D1479B2E69 + +Count = 290 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DAF65132241AD1D4DD92D4B08F653EB83 + +Count = 291 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0D1E7D3922CDA81797A7D35EEBE6EAA822 + +Count = 292 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0D22BD59A54B655EFF813DA396372C3797 + +Count = 293 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DC3AE00638EE469506202F9A657B7E70F + +Count = 294 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0D2525F5A02A6560848208A646051544AD + +Count = 295 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0D3119A5491E01C290610E778AC47E4CF3 + +Count = 296 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0D82F3C64B75FF96BB4AC49A021E2135F4 + +Count = 297 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0D1B48E302CD5F75A91A43E208B053B269 + +Count = 298 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = +CT = B8529BCE1B3F9D0DB7803E6407B8A7AFDCB970FA0E00D3F94A + +Count = 299 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00 +CT = B8529BCE1B3F9D0DB71A0DC7172C258C7A81408A3F39D80C24 + +Count = 300 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001 +CT = B8529BCE1B3F9D0DB7D51F83ADAD45224771B2C0051B1D3F40 + +Count = 301 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A1044E612019EC1CCF9DCC063DC7F354 + +Count = 302 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7ECA5C1E6DACFDD97F7B7C85239DDDEBC + +Count = 303 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7378D07D8EDA2334D2B5B2D67E2CFCF5C + +Count = 304 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7F0DB484947671BC1EEAB33E09D724DE0 + +Count = 305 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7DBA6FA5AB3BB657032316E85B44075E6 + +Count = 306 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A3532233C0472E4EEF48D61B4496635D + +Count = 307 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB76ECA9E00AFEF3D6A83E7DCAF16275B73 + +Count = 308 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB71FED9E3C7617B7E9279C6A711D399834 + +Count = 309 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7520EA592ECC383F86975752A772FC4A9 + +Count = 310 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB74894B7B31697140C74106E5D273C0D0B + +Count = 311 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7784CB26A02B09419DBD435769E9F334E + +Count = 312 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7F080C503E3D24C722D3837AC2C000F46 + +Count = 313 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB794CF00C6960D99AC07547DEFBBDFEBA6 + +Count = 314 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7CDDB99252F57C72DD6F28AF19C7799B4 + +Count = 315 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB72BB9907E27549B3F9B77A718525ACDC3 + +Count = 316 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB73233B451D583F8E867A1F27390582DE8 + +Count = 317 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB77FD46538E6E75465A825CCBAA030BD87 + +Count = 318 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A779CE4C45B67748E382DDB0ECCC0799 + +Count = 319 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7E826322CA65F42105CAEFE40553A0EAA + +Count = 320 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A0ED49D164EB3095FB66C6843AEE2789 + +Count = 321 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7D597FB15880A29E9F71B0A524B5263AA + +Count = 322 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7780FDFEC2BACFDF11A4B61B8B461B16B + +Count = 323 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB70ECC10B02E9B4F55DBA2227CA939DA0E + +Count = 324 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB78F5584DC3D108A93A52120C9AFEAF135 + +Count = 325 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7CD4784EF593F6C4E94A68AE46E9B1DC6 + +Count = 326 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7B7489622D915C53B989971C1CBBE1F0C + +Count = 327 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB779E60116D7EDFB157C6D049C789CEBB5 + +Count = 328 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB79D26081622C324F2E68CCB557892D6FD + +Count = 329 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7E38456C5ADC471A7C58CF1FAA8D1DF0A + +Count = 330 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A991DF053CAAB572AA253BD629701ADC + +Count = 331 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = +CT = B8529BCE1B3F9D0DB7A9EF388A9886B3DB05FD0F40F565FF0F4F + +Count = 332 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9CFBD92D5ED45C3B6782710327E1E0854 + +Count = 333 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A98EDFA8BEEB5A714C41468758579E7648 + +Count = 334 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A969CEA61B25D81B1B0B24E0625CB7A7A4 + +Count = 335 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9EA99DC0B1D68BB7885916A722AAF11BA + +Count = 336 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9455311C5DEBF2C13302DABCA4738D5A5 + +Count = 337 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A97A912D52558EDFD98297025411041E84 + +Count = 338 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9B04C281C6C1C8E694ECE14616191BA65 + +Count = 339 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9CE2FFE6B970999B81A2C6A1334514465 + +Count = 340 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A93165F2C3E02DEB948F0CF819F22D4880 + +Count = 341 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A92EE5F3E708B4BDE58F75DE80CFC23FAE + +Count = 342 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A992447A48F3626B6D202E1021FD5B795F + +Count = 343 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9EE6FEB0469D09FD621587AC16054A360 + +Count = 344 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9347EE754389120FAD6E21F2C3B425F93 + +Count = 345 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A94BF540AF30E355FD3E81F9106C304477 + +Count = 346 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9EF46DCA699D5DC550C50335ECAE50ABF + +Count = 347 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9B90B41CD081883325DEBEB659A0EF32B + +Count = 348 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9F5C64A98AA333D1BB74D43065C0981A7 + +Count = 349 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A932FDBDE453E724E546A08AE545950E82 + +Count = 350 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A97E1630D140BC9BBFD1D60CB37044D53B + +Count = 351 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9A322845DC5533D5609D5F3F92D2F577B + +Count = 352 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A97C2CF8E6C8B329E29CE2B5A22A79826F + +Count = 353 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9D9667567A4F2B5DB148A0B785ED9D2E7 + +Count = 354 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9F307C6C18733577768F6822BAD3EF616 + +Count = 355 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9B222311922626206EC7680572F89497B + +Count = 356 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9F5C5DA8359C95C7195B99D4B61E22675 + +Count = 357 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9E912320852171EFF2A5315ABAA38C22B + +Count = 358 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9BA46C173C0275969B0E78F320D1319FA + +Count = 359 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9E1AA36827BD37D7CE41A24F044FF19AD + +Count = 360 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9DFFF82756188D64FC684B04327734523 + +Count = 361 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A90EF3B48A74DAA9D15A2404C4EA07B0A6 + +Count = 362 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A928076BC4F5464F54109911AF5E4B35CE + +Count = 363 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A989E8C78D37D375F4AD43A7052F76D2C2 + +Count = 364 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = +CT = B8529BCE1B3F9D0DB7A9C834181EBE0DEB4BE30F600B849AF7D421 + +Count = 365 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C84967DA0DEB9E8F04C210B80C44E818A7 + +Count = 366 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8B09B7F50D77FBC7026F32D4A596E9B48 + +Count = 367 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C80D8BFC12DADE810F67CD1C1ABC10CD17 + +Count = 368 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C80591C70555C673923532E62672C1418C + +Count = 369 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C84354284A8DDDD6CAC64F2A977FF4D0BD + +Count = 370 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8B9DF6E6EE70AD6033216946D2F2EEE0A + +Count = 371 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C885C503F6EEDFA2A972B92DC7F9DB2166 + +Count = 372 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8C7B15C91AE848582FA98E89131C7B26A + +Count = 373 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C85F184898545394BE3BF7619FAC9A7136 + +Count = 374 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8527ACF1451BD737F0F2E3EAD99473405 + +Count = 375 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DE1C857884A54214FF857287152D7182 + +Count = 376 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8E10E3AFD4D71AFF7DC9076D1FAC3F038 + +Count = 377 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C84D6A05E0367A943DBE61C7AE46BE4CFB + +Count = 378 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8B6D0B5A047A4E41A64199ECB1CE91F8D + +Count = 379 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8062135D802990569C8A414EF2396967F + +Count = 380 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8B9B4101BD74EA602A653B06949C0CC45 + +Count = 381 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8F851F76C13A9934418D911F77A77042A + +Count = 382 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8BFC5EDDF255796DB438F0EB96253A692 + +Count = 383 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C86A88756856DC1922C534544DA13CAD23 + +Count = 384 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C84E40018EEB1B0ECC47759224CFFE48EB + +Count = 385 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C82E1C70DC893BE332D90ED99B3C6F6411 + +Count = 386 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C894B72C3F744C608EA6855F715C7D8C61 + +Count = 387 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C847930F66700E418A881D576C73FA6AB9 + +Count = 388 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8861AA9EF179D2FE78C32AF0BF6ABB327 + +Count = 389 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C884CE476737F9A02FA690C93A68CFC12D + +Count = 390 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8547BDE8EF418AA4B5CFAAA50E74C3FEC + +Count = 391 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C80FA6BE0218B0AF86C5786DC5985A336E + +Count = 392 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C85707ED35E2696AFF4B4E08999BA04861 + +Count = 393 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C869C5CF1564FFDA7BE6A882F150341B39 + +Count = 394 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C83194F6F0C56BB82308D6500155C63765 + +Count = 395 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C84E1ABCF895510664F82FD7FDF5060B4C + +Count = 396 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C85C8FFBC476C0D7E2CF2721789A1CEF4F + +Count = 397 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = +CT = B8529BCE1B3F9D0DB7A9C8DDF1492DAF87AF6DD5AF904F443505E375 + +Count = 398 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD743397B1E40BBFDBBD34C43F2E200EAC + +Count = 399 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD20FDB4B64461985A1AC8354352CB27FD + +Count = 400 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD10D98F37EBB99DBC1E854CFE31A1CA36 + +Count = 401 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD72A1F79F796100528279FD40502BD271 + +Count = 402 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DDD3479EFCDEAC9052D09FC4BB1D02F533 + +Count = 403 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DDEB9097F94F0D13603F42529B065FA5DA + +Count = 404 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DDBE7F400FC139968BECC001BFA7DDC78D + +Count = 405 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD715D23B5DF30C754E8D37B582D4EB064 + +Count = 406 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD87E8FFEB527FF47A5326C7B0EEECFD69 + +Count = 407 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD1C81DB290427B42866815B738D053AAC + +Count = 408 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD2A1E6641345AA1BEF66F61B78DF1C18C + +Count = 409 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DDF36CBF4AA98E722189F3EA203AB4101A + +Count = 410 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DDCC7208489C6D5141B50181C70B02CD12 + +Count = 411 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD25CD466DCEE42CCE6E16372056EB8294 + +Count = 412 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DDA63DF33CF9398A65A49056A59F8CC393 + +Count = 413 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DDEC4D09492CB9331B6B250B91D689F9DF + +Count = 414 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DDC0EDBD52782DF061DE6922B000B86941 + +Count = 415 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD5AD028B2C565779C42B972097DBC6C38 + +Count = 416 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD57E1C3B445C253917838E8AF1023D378 + +Count = 417 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD98064D16B4515B3DB65248298AA00265 + +Count = 418 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DDED2C88260F1EFEC94A92CF302BCF2D3E + +Count = 419 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD5E19C23EB0142DC22FC002E099485100 + +Count = 420 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DDF029702F2D9F8B020BCE99377075FE05 + +Count = 421 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DDCAD15358889BDEBD3E1FA140E8DD1B25 + +Count = 422 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD82A463A7B23073FF084932ABDED247C7 + +Count = 423 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD7DAE0F634E58D44EDB73E417E49A0083 + +Count = 424 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DDC89843310A13903D1F73F68F33018271 + +Count = 425 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD7BB0CEC3C3B76771DB9D863B4A93B391 + +Count = 426 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD8123603E5F4007FFF757A814612A73E9 + +Count = 427 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DDB5E395E49E9826B7494B6EFCC89F1E7F + +Count = 428 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DDA82446507AACAB865EAE622FE00E8F28 + +Count = 429 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD0B30C7B3198481B0C3D31065F84CC4D1 + +Count = 430 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD438986BFFA515D6022A65D9A48CAF530ED + +Count = 431 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD4391B02E7C387B0E0A7A3D7A34ABC3276F + +Count = 432 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43EE1DAC189CF7FFEDD94CB89B78B5BEA7 + +Count = 433 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43C33AF877C578A1D6F69164EA24276A90 + +Count = 434 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43EE3B86176F08F3136B3300B4535E2397 + +Count = 435 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43BE7F33A7C9675DD01228608D13FC3207 + +Count = 436 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43F0C42D5CBDFCAA848BAD6B01C499A21E + +Count = 437 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43E00AF9504046B655F60D8A6D015A6748 + +Count = 438 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DE54D00AF80B16C07FA112BE9218B468 + +Count = 439 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43499B225D07C0019FD88C645276475B7E + +Count = 440 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD432AF63DFD98EBBEFD649F71C460DFF05E + +Count = 441 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43721030FBBB39CCB3911E6D9908978825 + +Count = 442 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD4336FBFDA66026CA32CDBB856FE80340B9 + +Count = 443 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43A9397FCF99D885D45FF0497ABDE0DB75 + +Count = 444 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD431A80033BF7347E8812364EAA88992F61 + +Count = 445 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD433DD8F30805C81D8C63B8E3E41A89762C + +Count = 446 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD4316A4BEDB73ECB9BAD98D0156D121264D + +Count = 447 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43B86C04219D3A405A61AA418D227D773B + +Count = 448 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43921A654FA11903A01E71CB32C71D2FB8 + +Count = 449 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43930417E42B5DDAABFCB88CF7C00C4C53 + +Count = 450 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD4346ECD40C260EF8D334163DA70FCDAA97 + +Count = 451 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43ECFC0C64D23B48612C4383FAB60BC48C + +Count = 452 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43FC82119FF2A1A854E245F9EEF0AC085A + +Count = 453 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD432D6E7EAF0B122DB223375D786AEDD1A8 + +Count = 454 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43D10ECA3AD266A49986219E8CABAC23D8 + +Count = 455 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD431516ED47E25B0630D6CDF685E317545D + +Count = 456 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43988493E7C492C44E833EFE6E41B39EA2 + +Count = 457 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD432A9D36A800A67D2D41DA9AF0F88A38B1 + +Count = 458 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43EC4017B799F01604CD634BC17375E0CD + +Count = 459 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43C71FBDB4F770652349915C7D3A6755E0 + +Count = 460 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43D03491E166D9FAEC265060C3AE038D42 + +Count = 461 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43FF2D14C622CD8ACCBC69EC6A9253AF7B + +Count = 462 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD439823720098F9009704AAF43AACD84F39 + +Count = 463 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD4E1C9E8547FAB1FB1488CF64655E711C + +Count = 464 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DDFBD7865D0087D8409FBCB4752F7C63E9 + +Count = 465 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD9D509644B4BB81106EFBBF5844241C4A + +Count = 466 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DDD995AFD4B0CD4EFDCF0FEEFCC9296A26 + +Count = 467 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD728AA6B81A37BD5B0F5DACA26854457A + +Count = 468 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD77B39005B17915216785F362CDD59ECB + +Count = 469 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD7A5C4E61C44A09CA061E65CEE31017F7 + +Count = 470 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD259A00FC2A532FB9EE7A44F5B592A554 + +Count = 471 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD31D60281AB47FDD4B751B00DF82BED49 + +Count = 472 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD73CF1321E13E0EBF45985F965F2B129E + +Count = 473 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DDC3DF7A3C0D8B800E6ADADC0FDF979B1A + +Count = 474 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DDCD06B5978218B6AFCCED012666AEFEEC + +Count = 475 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD23A02F1BEAE8E130CDA9B393A5699003 + +Count = 476 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD61EC22C4B75104D7B9FB5A7857B8E83C + +Count = 477 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD7A3A677C714BA68B9BA3C64474C89291 + +Count = 478 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DDC9514009F510226E8CEA18C26C7B4DF7 + +Count = 479 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD2C479DA8FFAFA0065C1F2A439686ED3C + +Count = 480 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD54BB5D7740C02BD4BFB8B8E77DA60660 + +Count = 481 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DDA4B5C26C830948BD4343E9ADBD09E09A + +Count = 482 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD1B3E5AFD58341D17CB56F7078D29DAF4 + +Count = 483 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD75F48900A100A14CCC0B1339BC72E076 + +Count = 484 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3A824D4126C91BC8A95AAAD78DDF6F74 + +Count = 485 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD8BB592CC16C8A3DE4528C5BDC868BC07 + +Count = 486 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD68C9FA23524A19E0AF3C0CFDD42AD55F + +Count = 487 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD8FD89B4EE3B9E43836A5D5D9C9DEF155 + +Count = 488 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DDADDE711E91CE3350BBFF07E389778748 + +Count = 489 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD9EEA5912006A50C932D058575C3B678A + +Count = 490 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD785C54E92B1BE3E84C6BE43240A45AC6 + +Count = 491 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD9ED70AA8B8C4D582B84A139BEACC6177 + +Count = 492 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD0F52B6ED96D97D5A0421D3570EDC2E91 + +Count = 493 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DDFF5421C83B554A8A84E7B45FA6695AD3 + +Count = 494 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD65F1A73BD68726E4651365854D6CFE61 + +Count = 495 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD4FDCDFE6A6FCAEAAB050A2B921E148B9 + +Count = 496 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD357631F17DCF4C125D115868A8F0FEA9EF + +Count = 497 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35C361768DD682FA9907B6F92860C33847 + +Count = 498 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD356F857DD2EEB4C7E53D640F108E0ABFEC + +Count = 499 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35E168DC5A440A9DC21D52DCC1F1A2022F + +Count = 500 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D7302D19AECC4FBAA40020F86E39F388 + +Count = 501 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35C231DBE101E98D3B70475A865E25CFBF + +Count = 502 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD352721B85AA8B9955A0667C45A32E0CC35 + +Count = 503 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35FD913B6DF38DB1E3683584F6363F68F1 + +Count = 504 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD352DFB75F00C0079C34F02846859C9BB1A + +Count = 505 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3516A5398BE40151B6F917552A6C323505 + +Count = 506 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35C6C04ED6239242989EB15BFFD0B2F803 + +Count = 507 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35EA51032708CBE7A533F5A8133B80B175 + +Count = 508 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3508855BDB48D026E9A772F928BA240763 + +Count = 509 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3530D91F0762134859715668AE6E1CF606 + +Count = 510 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD354CE5731168A4409B803CC5A89315AE50 + +Count = 511 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD358F77D580B50633EEDF64962C373B23F0 + +Count = 512 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3509063471A1D56513B6FF81EDD9373228 + +Count = 513 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3591C2DC0088458215501A1D11AE10EE56 + +Count = 514 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3536662D214B996DBC5EBC27BD43BFA242 + +Count = 515 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3528133D3F59E9635F67CAE6854E6D16D7 + +Count = 516 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD357C2EE005AC5228AC19A1498098372572 + +Count = 517 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3527202060EEB55CA94CC1E4570F90114A + +Count = 518 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3594E93BC7EDE97A590E9D04D27AB465AC + +Count = 519 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD356139620CD1E39AC0EF21D2498BDAC00F + +Count = 520 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD355A5FC0893DF05F0602DE53591BC8CCDB + +Count = 521 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35E6E4CB0E9608AD021408742B1AE4B1E3 + +Count = 522 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35C43087E48ED9306FD45F2A7783ED92A6 + +Count = 523 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35E4DE22C2A7A7C3E52868D54AAB14B124 + +Count = 524 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD351F94A4749D0CA1E1155E8660F5721E3D + +Count = 525 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD354F6498F5A151D40EF82A979991E79244 + +Count = 526 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35433B190C228DCB8853F16D88052B8703 + +Count = 527 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD354A8F62B3A786DF22B8CBC79C99602A0A + +Count = 528 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD3583D7522371A71285B8061BDF7CD2E647 + +Count = 529 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D179DBFF926A5A9358CADBCDEB9BF68826 + +Count = 530 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1525F88D07FA3AA9931573EA6B070DA97 + +Count = 531 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D13628D7C6A36E5CB86BF7AFCD454B0388 + +Count = 532 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1F81E0BD4141C128C97FAEBF88C32A52A + +Count = 533 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D14EBDF2F1139B2081F543BAA67EB35A15 + +Count = 534 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1BF0E6A9BE00F34A2C829BA3CDD9F4380 + +Count = 535 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D157267ECDD2CB7735116989C103C96880 + +Count = 536 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1C505BF43066DDFCA20B57940F1A66994 + +Count = 537 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1D0AE25C47AB6DA2EC86EC0348FA7B518 + +Count = 538 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D14C727DDABB30D37D5C8CDD8ABAF23C42 + +Count = 539 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1DA2E76C40995B31DD1BCE6AEDD5AA62B + +Count = 540 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D117D5F77BF780817B2F3E5CFDF3D829B7 + +Count = 541 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1ADD2E6374F545DDED587764656FFD6C5 + +Count = 542 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1FFC2EBDD4CB4A9AEB61A65E64E40C856 + +Count = 543 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1A956A4FCAA749C607417844D556EA6B0 + +Count = 544 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1B22C00D31482C34B61E1CE103EC276FE + +Count = 545 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1BC1D03CD44D9E01E216894DA0839F508 + +Count = 546 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1FB49CE33ED2FC9EC261178FEA819794A + +Count = 547 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D16D5FFB24FF5C6A7D4B6D667A5718B53D + +Count = 548 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D19F2D5B7644D6D01BA99066A5E61A8B9F + +Count = 549 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1E8D2906C227A118207B7C96D8251516F + +Count = 550 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1197264729B0728BBD943105126884EC9 + +Count = 551 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D10DEE6AEA0208AA73B2B867097175C3A0 + +Count = 552 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1DDEC83267D1651BDDC0597C7325E91F7 + +Count = 553 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D11A9D7E0FFD55432C976F9FA90FBFCC23 + +Count = 554 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1FF6CF68A82039CE4BD113731B3EC55BA + +Count = 555 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1F4D97FB07BB061B954AEE2DA7458717B + +Count = 556 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D13B543E600A82A64A805983622B4CFBF2 + +Count = 557 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1F217D5F963949A2C081D58052E9CD2CC + +Count = 558 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1FA5BC67976D78F68FD3FE975A21E4017 + +Count = 559 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1254B522E1874403EC9EAE2BCC04E3A8B + +Count = 560 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1B4FCF80C6AED9384F56D5388D933CFBB + +Count = 561 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1AAC41F3A2C60DFE5C78C76EC40AED1A7 + +Count = 562 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E1EFE9123D180703C05B80C427FE6778F + +Count = 563 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EB046DE9FF4E2563FEB1D9D37CC09F05B + +Count = 564 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E38A5EDBBAF8FDDEEDBFA7BA75016F194 + +Count = 565 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EE98F64C7DBDDF1BD8B9FD05DE0CA1BEC + +Count = 566 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EF1ECA5802AAA5F9BB2A5335FC196C7CC + +Count = 567 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E22AF64D7971DE4CD860EB3A49529C45A + +Count = 568 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E3C021C6CA64129C84916175D83237E1E + +Count = 569 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EC4475E89E879C1BD4C9E0BECEEC49D23 + +Count = 570 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E793B0548A7F8287C9F364408FAD5A5ED + +Count = 571 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E8EBC0EB92ED9B7E3228BCB029E00D401 + +Count = 572 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E326CDE536E9BA0E665D6B269BF081DB6 + +Count = 573 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E969FB495D0AAE2E38ECC22753E2F1AB4 + +Count = 574 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EFB0CC00FE2A3144FE55BF72221586C9E + +Count = 575 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EB838AB9CA3196EDE74A3FEBB61CE499E + +Count = 576 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E3C72FACB2B77CFEE13F6AA579C5BCDCC + +Count = 577 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E53BDA299C22DED08A8BA03926D657A38 + +Count = 578 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E8C0A4AD9CC5A574F6B31498730100EEF + +Count = 579 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E6F957D2FEF265026A03479D1AA9E1B59 + +Count = 580 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18ED8AE14937E042D33529E91141F12CB5D + +Count = 581 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E651AC35DA6D80A2265121A30D496EECF + +Count = 582 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E7C90AC25EA8B25D6894EBBE12ADABEC5 + +Count = 583 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E71C0ADAE91ED3FE1B42EB04A115BBA93 + +Count = 584 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E903300E36E61BA4B41338870AFE9069A + +Count = 585 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EEE0C2B73595731E16E16D8B9BD23B910 + +Count = 586 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E94A833B33C87296A82FF49589C4C7C6B + +Count = 587 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EE42059ABE40C5F660D9DDF85EDBA83BD + +Count = 588 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E6DF3C4BE67BCB2EBF5226795A167C0F0 + +Count = 589 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E36C8DCAAD2B8E3D1855B7D5509BFB22C + +Count = 590 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EC0DD0924E49BBFB63F2198DC136CD629 + +Count = 591 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E31812F2448D88ACF040FCCBAEBB52A59 + +Count = 592 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E81AFC556A333D3787336062A4F75BCF4 + +Count = 593 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EE9E630971DE7E456F6B351C89B4CEB2C + +Count = 594 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E0A90471D9B89107E7D3A7EDA5E9D131B + +Count = 595 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41C554F3287CACFCABA1FB3A8655949655 + +Count = 596 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4133231B39A72CFCC5EC5CF84675CC0D34 + +Count = 597 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41E70E047D0873937278F23C94020F3104 + +Count = 598 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41AACE3EF3D7B84933ABBEE7AF85EE77AA + +Count = 599 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E412C93628CF8D6DCFAA0193C27B83B130E + +Count = 600 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4169DCFC275C0E810F4828E436C59A47DD + +Count = 601 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4136BBBE4F332A2E38ED2CA42A901D2E76 + +Count = 602 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E416018DA305FBDBC363E9199DB6FEE7941 + +Count = 603 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E414B995622A7028DE80ED1BF4291920D82 + +Count = 604 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4130BB618D5C68EBF37B03C304D5A65801 + +Count = 605 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41AAE7DEDBB0DC441780D07A35E069FB09 + +Count = 606 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E416C79A6039C7057726F1289CF8013F8BA + +Count = 607 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41921FF698338EB9CA177DAFFF9803BA42 + +Count = 608 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E413FD16EA7897B677760C8B0967E5B0CF9 + +Count = 609 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41211242E8549F08B35CB215605EE355D8 + +Count = 610 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4158F7467531B50A0547AB748B484B0C30 + +Count = 611 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E411DE82CAE627F80E08FB7A8F69105ADE8 + +Count = 612 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4155292CE83DD84784B4B4940D0A7693D3 + +Count = 613 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E411EEE777B1B060282A54644CECFCC4551 + +Count = 614 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4176FB040351F58C920998300EA14D5441 + +Count = 615 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418843F20FD7C96F35D850ED11E2ED97D2 + +Count = 616 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4122591C78826A71873BEFEF0C985BAE60 + +Count = 617 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E419CDEA8BCB0CB8A00A9E1B47EE35E07F8 + +Count = 618 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41E879287C7885EF052B4BDA29C03CE07F + +Count = 619 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41B94D0D1F94483BE31B4409F422D1666D + +Count = 620 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41BBA8EC487062058E5B1680D6BC965B84 + +Count = 621 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41E9AB1DF23C0536A0CA6D53797D652EEB + +Count = 622 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E413B30F1E00C1BB5A4786E5186C8E91686 + +Count = 623 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41CCC0407C6B25BDB98DCB9468507E38D7 + +Count = 624 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41848DF51C131FCA521C12D03D343CF296 + +Count = 625 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41E4844C06788C4B01CDD1BAEFD24C319A + +Count = 626 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E414456D396D45C9F35641A2C14D6153A1D + +Count = 627 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41DEC6C812B74CFC544FA6FC52369B0AB5 + +Count = 628 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180F634B267E6843918461E1887819EF5AE + +Count = 629 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41807C122914126B9D4F79017B89EA8C990D + +Count = 630 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41803A7090E68FA8E27BC6214FF5C6D5950D + +Count = 631 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41809F7E16D76AD14BD3292B2E5C0D3405CC + +Count = 632 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180F65BD32BF1BE9516632C2FEE99E253FE + +Count = 633 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418045FD641487F7394CFD5EB8F639192476 + +Count = 634 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41805CE90573CF0E9F34096D1AC5C615D45A + +Count = 635 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180494814BE1907F557BE7A89B935CEFBFA + +Count = 636 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180A0205029B1E06804784E4F30EA407853 + +Count = 637 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180F9C71C8DE721415B6443F66D749F3926 + +Count = 638 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41805193F71BA23926FEAEC5477DB3CFC70D + +Count = 639 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180E815C0F306CFD3D9542100957DE89641 + +Count = 640 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41806960AD209A9ECB4F320EA999B4FA7CAE + +Count = 641 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180905149E9CB767A4F3078816BDED0957B + +Count = 642 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41803DE65F55DF152E2743AB82EA7C9C4851 + +Count = 643 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180F43EAF171D6E29976BB30B099CE3DB49 + +Count = 644 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180A0DCC4D6E240CF1FACDCF953EF165D24 + +Count = 645 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180E16D883081B0F425BDD41DC779B85973 + +Count = 646 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180FAAB3A293CE3ED5646FECAEFC8D1DADD + +Count = 647 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41804A7391B628211A562EB77254C589FA1F + +Count = 648 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180B6643C21D581C3C32769ECA357D11798 + +Count = 649 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418078F3995285FE8D52E3746BDCA6C4F5E0 + +Count = 650 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418056500A5DDD964645326899EEA6AD610A + +Count = 651 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41800C5B76A98CAED735EAE4339CB5B4910B + +Count = 652 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41804600F1966F3A893DE355092ECF66C00F + +Count = 653 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418082B4906A72EE3E413F610D5BEFD0B4CC + +Count = 654 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418006470CFE7E31D0D4D0B411B483CAF56D + +Count = 655 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418062E1E0CDB7A05F118A8220DF09EB2859 + +Count = 656 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418010A4B58ADD714BD9A2878DEB2ADA4520 + +Count = 657 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41807DF38F67D4F25ED75C3BEA7A7A741B12 + +Count = 658 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41803A3CD12B3086EBF7F0B4E545732AF62A + +Count = 659 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801C1742B703A9C0D43C075D2FBD8212CA + +Count = 660 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41806321002FE4B19AFABEB064205DBF0F53 + +Count = 661 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AEAFB9D9068CDBAB03780D9A7C065CCB2 + +Count = 662 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A6858F54E41355024E1634012908612EA + +Count = 663 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3FF9DE4AE7FB0A7FE9108391B2465862 + +Count = 664 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A5C8DD64824BF860C9B4376B9A7D452A6 + +Count = 665 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A9E1B529D33BEDCA46623F409529F4433 + +Count = 666 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A77AF9E8F46D6E4C3C6E653B9D5229E3B + +Count = 667 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3666896D6D27493DC1E9AD8BF192B301 + +Count = 668 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A4BF6045D7F14D5F3BF76C30A49FC8C86 + +Count = 669 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A977F84572EE09C9D258E1355566E9FB4 + +Count = 670 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8FEB0319D2D9F51461580885DD09A2D2 + +Count = 671 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A9519D462AF481328148B22E368DCB847 + +Count = 672 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A98A25BF407F0D40206AC2F986C749850 + +Count = 673 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A043E454714D5B4C05F590C73BD2F34B1 + +Count = 674 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A1228079C41A762D46CADD5A0E2CBEF89 + +Count = 675 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A446D1D79E28D8BE94FFA54F2145C777D + +Count = 676 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3ADC9BBE9A27D56F33E38757D5EB3A78 + +Count = 677 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AC93CC620E0A216101094B85532A5C5BC + +Count = 678 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3AF760A3CE2B2E580929C542CE0F0EF3 + +Count = 679 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A4236FD70702B2825796CE78B1E1A93BA + +Count = 680 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A9A2C0416E39DA4EBCED04C2C9DC66A1E + +Count = 681 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AD90947AC62E80429397393EC4F7A6ED1 + +Count = 682 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A58999F1F16A045D081DD8C3F86CB2D98 + +Count = 683 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3B58A8AC45523BBEF4C26A2FF0EA373E + +Count = 684 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AA18911250245CA9C46B99E3319FCEC85 + +Count = 685 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A092F0D221802E7D23C8C4FC70FAB9747 + +Count = 686 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A0F0367592D19792D53D0D6DBC34A9B70 + +Count = 687 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AE526BC2E89FD54DE4B9C7C5AA756FCC1 + +Count = 688 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AF97F950C200A588C8A6D50654F86AA4C + +Count = 689 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AD4248376565387424853CC3B6AFA17F0 + +Count = 690 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A7E9155D02F147E598CF67692D6F1D8EE + +Count = 691 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A452B23FCD5794188A7DEB7250C7C2C01 + +Count = 692 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3ED0506A8DE8D156F987B507CD97BD91 + +Count = 693 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A36657E4B554463EF41605E68E1EDBEA5 + +Count = 694 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8136683EB7150EFA47682D4F7129A40D68 + +Count = 695 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81C35BC43F490CFDD1BA6B309FF2E258A9 + +Count = 696 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A818F52D6F83C0E0EB65B55EF8BBA6F1E31 + +Count = 697 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8187AC2AED7D3528BC6447AFE4ECB0A9C1 + +Count = 698 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8102C49F5C0D3CF9E33C1E18BB520FD722 + +Count = 699 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8174AEE911918734B70D38E2A351F2AC67 + +Count = 700 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A811D77D320267029FB5CD0E1D3ACD6FF36 + +Count = 701 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8192BC2734133B80523B21D9ACB72EDF9C + +Count = 702 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81A37C15B1755956312176C87B9BAFAA7E + +Count = 703 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8108984341196C1A42AD698FB606615F23 + +Count = 704 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81867AB6AFF35FFA46CECE687D8D278352 + +Count = 705 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8174557F52EE27AA8A1E336ED230E3CC15 + +Count = 706 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8165BB3CAE14DF4B31B3E581B5D63C538C + +Count = 707 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81463BAE27D5B82D9901E89F43BE76BBFA + +Count = 708 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81D9BAC2568EFEEED95DFBBDE189D5DD2E + +Count = 709 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81A2DAFC066199BFCDA84A18E748DEDA4D + +Count = 710 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A810475C8C0F2F41F32CE2FFCD21198B2A8 + +Count = 711 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81C09A3B3A544FEA6127BF28D8FF5374A7 + +Count = 712 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81B8F3C6ECA4E6CBA88A94D583F050094F + +Count = 713 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814552D4F57E19AB8B2D23AF57113484E1 + +Count = 714 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A811E89C402BE7A8763CF90E1E9BBE7C1E4 + +Count = 715 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8168486FC8A04F23EFB41362DFA232DEA8 + +Count = 716 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8114F25463C2B6F3CA0AEA1E788111A50F + +Count = 717 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A818F3CBD29D12A05E89EF00F8B3C74C447 + +Count = 718 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81FDE966A0A0B8473BD01A52076685CCAB + +Count = 719 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8189ABBEDAF2BB24D87850E13E205A969E + +Count = 720 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8179435BAB5D3D96E61F0B400DFE960B3E + +Count = 721 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81BD3C8A205904042875A38C420F6AF64E + +Count = 722 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A812B28A12A5C5E83C7838D682F9D398CDA + +Count = 723 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81DE1ACB8B61993B4BB48DDAE3B4BD2EA4 + +Count = 724 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81A24B6224D9F7A074C17A3C75E79B1B5D + +Count = 725 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81160D4E2EC23E1EE4939AC0776C4F1331 + +Count = 726 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81190F5EF6FDC2399F38F52232B9DE2B1C + +Count = 727 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A623924DF0888AAE00C96DCE0C6F632ED + +Count = 728 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A697A1125FB46C892860A4FC63668F4BF + +Count = 729 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814ABF60AF4452CF744FC7D376735792D677 + +Count = 730 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A5DA25C2325A42911F12E0567B3A24DEB + +Count = 731 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A44C033DC6FCA741433FADB5D39F81363 + +Count = 732 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A24756C3BEEDD0A76CD1CA537CFB20CE9 + +Count = 733 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A23AC43B7CFEEE8A4CAE7DBAC1B499FA2 + +Count = 734 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A8420926506CE73281BF444DE0686903B + +Count = 735 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814AF3E67633FD57FA8C29D3012751D673C2 + +Count = 736 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A30B9700F912F34AD10FBDD0BA58CCDD8 + +Count = 737 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814AAFB884972EC059D43801258A2598A6B6 + +Count = 738 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A17289965CD8CC215446CF25931189C53 + +Count = 739 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A4ECACFCA979F3F66401B5A2C4DB635C0 + +Count = 740 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A1E4AE9974422FAE1A4C5721863B1FA3C + +Count = 741 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814AED2427A847B5FC8F199B36090FBB97AF + +Count = 742 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814ACFAC9956B142C95596B605ED36573248 + +Count = 743 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A7FA24C1F70CFC3368DF6D312B156047C + +Count = 744 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A87E3D7F0001FE5758F5A48593BA14AA8 + +Count = 745 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A30EC6DCEF5B29BDB2B15C94B5235AF80 + +Count = 746 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A1A2421828A1DEA6B3CF790B33458100F + +Count = 747 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A6AD69C1A3766D78126EA09EC83A33072 + +Count = 748 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814AA7C71A519939D64B01B5EEFA90A196B9 + +Count = 749 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A6347F0F7850DC7FA7791DB6EE2F80A75 + +Count = 750 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A475B4C3E94770C74A94738F27643D6F4 + +Count = 751 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A64461681038D876E0549EBFBE370709A + +Count = 752 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A4FAEF88A99531CC4364843E543E33179 + +Count = 753 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814ADC94C34230E843DDCF5E76CC37D63275 + +Count = 754 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2BC56141CE2D0A0790BB47603148F5AB + +Count = 755 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A6C2AE7155C35FB192BCEA18E6203F6F7 + +Count = 756 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A10DD54ACFEB7E4E415C9CA211D02193B + +Count = 757 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A8983900867316B71AD0F329317AB4EDC + +Count = 758 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A4A842F39D3F9FD95088E64B939AFF497 + +Count = 759 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A07181DE5287482DCC039B8F3901B85AA + +Count = 760 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29554614C4B0A261CED81A7A0B37324985 + +Count = 761 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A298B992D890781169A35C88743C5C01FFE + +Count = 762 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29AD63633956E5E34A60D0C31F82DDCDE9 + +Count = 763 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2948A8486A1E9D97D1F6B2102EDF1A8803 + +Count = 764 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A299D76430FE2F2D92D0AB8F51A74CE4ED4 + +Count = 765 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29F54F740E9446DE7D445A2AD70B8E1DEA + +Count = 766 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29E9415BD4FFDAFE57C72BB5C48D352233 + +Count = 767 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29FE4FE0DB0BE5C4971C1A450996D414A2 + +Count = 768 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A295E8DBCD96D0F396C71AA09EA1F8D53D7 + +Count = 769 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A293C3C04F09CB04CBC640FF49A5BBB5A9C + +Count = 770 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29C0D346565C72898E9CB1F46C93D16C20 + +Count = 771 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2946E3500BD4A77E3EFF16EFABD6CCA575 + +Count = 772 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2961F52A3F7FEAA0A8A17E86FB89CDF00D + +Count = 773 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A290BEC1185B216482A9A6B957A65F7A484 + +Count = 774 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A297FBB17F7140952C5A9F6CDE61710AF1E + +Count = 775 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29D86A562307D412740067397EA78043AC + +Count = 776 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2913BF0521CC12562B554012B1BA29AED6 + +Count = 777 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29FEC88A473A016A9D7E38B596B29EA6F7 + +Count = 778 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2924B5420C663091EAC540023B8E523DCC + +Count = 779 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29961E743F609F441D02939B100A4C8C50 + +Count = 780 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2982936683902838722BB798DF1A7252FB + +Count = 781 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29E38527720B6495FE32A18C151EF757A6 + +Count = 782 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29DD5FBA58499800EA6C3DA864313F46E7 + +Count = 783 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2952861AE07C09F2685A7285CAA977AB4C + +Count = 784 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29EDC97D2803CEAE25EEB4596A55C323BF + +Count = 785 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29F87EB80FDF2D29DAE45EF0E1C86CD4CD + +Count = 786 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2949EA61556ABBBC388A106DB8D4D7F9A4 + +Count = 787 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29320D6B2DE897D40EDEC22D672858AF42 + +Count = 788 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29F00A621F28839E4FEF6CE7E158E27746 + +Count = 789 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A292754CC2B129E866289A271F7DC6ABF0C + +Count = 790 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29CE7AECDAE92FC6B3925252488349E5AA + +Count = 791 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29C7F911893DCEC6A31043BA6E5DB219D8 + +Count = 792 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A292C2E51B949F56CB2D5651CF5CF911FC5 + +Count = 793 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A95B2B6A5E9F80CC3DFD5F723195C13D2C + +Count = 794 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A97779C58004D67160006453F75354D09F + +Count = 795 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A982FE7479B6074F4925A0462DDDCBC7B7 + +Count = 796 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9FB3E9D4D4548FE700736918614BBDA26 + +Count = 797 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9A63ECB62BD6ED739D64F68AA160ADF89 + +Count = 798 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A988759BB3F97FAAD94F0BACE69A2758A8 + +Count = 799 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A929F0DC426376D3B0BDFD902E5A4638E0 + +Count = 800 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A92A2A392FF85FC70CD9DC35E14138B384 + +Count = 801 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9B0052078C1D8403CC18BB0E41440D999 + +Count = 802 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A90AA7507E6E12223770FE2ACB53C1D72F + +Count = 803 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A97CBA25E8DEDAB272F3CF82DB3800507A + +Count = 804 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A97D80067F36C114D44D307F54748F27E8 + +Count = 805 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A996374E2DDC7EDD12FE18A1C24B450306 + +Count = 806 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9F7EDF747B1576D549A8B7C5DAE12405A + +Count = 807 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9BA23DA5A375CAE4D7DADD0B9435DE601 + +Count = 808 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99AC90D1208978C1F129CC9AD497AF885 + +Count = 809 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9FE95F843C0344705686B9A934E47A5F3 + +Count = 810 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9300BB06D3A756568322D06B746BA14AA + +Count = 811 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A937B891C4ADB74932118F52CF541C811E + +Count = 812 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9D54479C9597691687CBB1006E055FDD2 + +Count = 813 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9A38656F0524795637B4CE8EA441F8503 + +Count = 814 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A935976A21FF87B3A9A84D6EF904D0ABED + +Count = 815 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9CD75680EEF0F95EB4F1B4DE962B69905 + +Count = 816 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9E78B6D3C0530411F2C7BB531A6161A55 + +Count = 817 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9E10672D13A02B8142EF24DB86EE25632 + +Count = 818 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A93EFB1F1423D8ECD183AD79E3CFE11572 + +Count = 819 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A95A86B7490865D98003428958B37CE6D7 + +Count = 820 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9F4FD80289823994FF9863DC576510866 + +Count = 821 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99C2DEA77240638690515B6585B3C4634 + +Count = 822 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9B6EEA52A8A873C2A3580CA9D94B8DD0E + +Count = 823 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9FB4689CCD2D98A2D501238FC6AEA5E74 + +Count = 824 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A96E8C12784701A2D9CA1178E7892488DB + +Count = 825 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A934CC80C9B29034A30AC7D768DBF58954 + +Count = 826 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999E22051013CF302E9A2857EBC42205F29 + +Count = 827 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9994A3A8DCE0CEB748B0157858A8D09AB2F + +Count = 828 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99982BCC857C4E773141C8D0CA2D958EADF + +Count = 829 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991364CA654274BDC9A38FD15A6A4E4227 + +Count = 830 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9998079ADCFCCF981842DD6A1CE243038CB + +Count = 831 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99921A0D7BF9B3BB0656BE7390842698AC9 + +Count = 832 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99960285CF209349CAFBB74BA75AD894214 + +Count = 833 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9999E366C9534024922B9C6AE92626FA33A + +Count = 834 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999089C641E4779397CC9505E39D2D19611 + +Count = 835 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999C8BD336D8FD32363EA2E45E2A0A471FD + +Count = 836 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9997B2C0C61ED892EBD2059A1237DF50E83 + +Count = 837 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999B72740F9AE4557E60192FDCEF9DED589 + +Count = 838 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991C31F396F38185D7A54A194034DE9984 + +Count = 839 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9997514124C47D1CC1818561E270EF3FCBE + +Count = 840 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999DE754B5DCECB0D9561D42F51CF4F4FA9 + +Count = 841 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99981EA34F0302AE45A0BA6C7538490407D + +Count = 842 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999C8B6C96FA75112D34FD48F4E995A0DBA + +Count = 843 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99955B21F24C67640D63CB6C581301C8103 + +Count = 844 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999DA7F24C4A043A3A8E92115FB8D00CC1D + +Count = 845 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999D7215129C6EC900FF8445449D4E27264 + +Count = 846 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99992F6B812D78886F96FCE165111479177 + +Count = 847 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999D6A45474346F5E4E372038AC40DCFCC4 + +Count = 848 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999A0FC0C85AEEC72A4A0073E12157B7778 + +Count = 849 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99960449A12F5A771D60A43FC0BA84DA5B2 + +Count = 850 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99940F83A57F877400ED8A551E305F032B4 + +Count = 851 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9999FAAFCB7369CDC9C108937D29DDCBDD5 + +Count = 852 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999F4F7D304F10A03A648B777958977E473 + +Count = 853 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999B3A0020C661989046FD898EB1A2D4463 + +Count = 854 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999472BFC98AB2DA31BF8D7BC8295906BF5 + +Count = 855 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999BF02CDCC3C792C486074AE24CF2A83B0 + +Count = 856 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999917F8096575230F586D12A74FA34A73D + +Count = 857 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99945560D2146AD54E1D402FAC347FA7D00 + +Count = 858 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99976B095BBC5C6E33CC24076CA3EDCA399 + +Count = 859 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991049B1E8456F62DC0EEFE7E7812238FCCE + +Count = 860 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991019BE6C90953BC7C4E087E60F31E89755 + +Count = 861 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910DA79182AD345C410BDF54B408AA7E336 + +Count = 862 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910891B2EBC8209926FA045703C027CA189 + +Count = 863 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991025A68AEEC1239053F15B597983BEC285 + +Count = 864 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999109E3890FF80127C8D5320AA073ADBFB26 + +Count = 865 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910184DADD5A0A129CD0D4A8B26FE7E6DD8 + +Count = 866 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999105D7C7882F995C6086172DBC4E9DA016C + +Count = 867 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102FC88D1F1301E21BB8CAED46B51B374D + +Count = 868 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991055D0201EFEB2646E979AD4DFAF719FD1 + +Count = 869 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999108C2D999991C0494C614936FBA393F49F + +Count = 870 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910DBE3AF91876B3465F2F2825FD2467001 + +Count = 871 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991070D59566EB24DDE17AD6323811B2C54D + +Count = 872 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910069B58E3EFBC864C7ABE641DABDA2EC2 + +Count = 873 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910C581778A96663C1EDAA3FE1E6DB13BB3 + +Count = 874 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910924B703E5633C65C6CF3FF2631A37EDA + +Count = 875 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910B814EBF68DE37BDA95CB179BD0912715 + +Count = 876 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999109144602FC5CFBB9DB083B3A2C1689756 + +Count = 877 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999100AEEC8D88E2A0EF3737D2B8637142C21 + +Count = 878 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910190EE50ED99506CE8303B875AA52C5AE + +Count = 879 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991099E45A8A83DCC8DE8F295648F2CDCD59 + +Count = 880 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910286E7792949C674882B656D4467CB7EB + +Count = 881 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910684B45ADB1D19C8784E1BEFAEBFC352D + +Count = 882 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910EE58909F71449BD974F0E3C45FDC8F19 + +Count = 883 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910879A0E6D6402A197746F17A59ABB46BC + +Count = 884 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910B9A8F5DD1777669267E2498D75FC188D + +Count = 885 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910BEDB1410AE8A4CED499C2E9E930C9564 + +Count = 886 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910AF1B6B34443C9C943E4B230FA7ADA5E2 + +Count = 887 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999104AE5C3176C3CC34DEF5F5599C3AB0D37 + +Count = 888 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999101F3FDFCA42DC51744628C22DE3F23F21 + +Count = 889 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910E01006F123DCE690E0E60CDAE5F72A79 + +Count = 890 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999101961AC5828C4A7A47DC9E0C9A229F3B2 + +Count = 891 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910B095EF33C3458301BFB1DD562E950646 + +Count = 892 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102238294E0E1042B8B45937CFD49996CDE4 + +Count = 893 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222E76C65366CA7B4A51711E695A9E704F + +Count = 894 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022516FE56312719D0DF55A357D2420D077 + +Count = 895 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022374E71A936A3FE9674ADCB0BB010077A + +Count = 896 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022C5C19CB3EADEC93D4FA4B8A3D0DE16D2 + +Count = 897 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102213DFE3DC6135C5F0F5C61D54840F8C2B + +Count = 898 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022A0B9A8101F039195B25E3E48B10A8909 + +Count = 899 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102224D6C528316E330EE55AD64E843D6893 + +Count = 900 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022FA5D72D281C014F48C1BC1C92D84CCFE + +Count = 901 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102215DB7D0C5A132FFCB4767F9D397FED02 + +Count = 902 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022C9A5B9F848E350CBC2484541B463F4D7 + +Count = 903 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910224326292FBB94B5E3F53D05EBEE789018 + +Count = 904 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022D027C02B91496BE869B7D84309FB7C50 + +Count = 905 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910224FF4E8D765C935F69DBD18A69FBEFE9D + +Count = 906 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102212812B10B6346FBDE7B2AE0D06E0B8BF + +Count = 907 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022D321ECFCB4BF81FA4FB23899D2BE8F68 + +Count = 908 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022C049A5DC3323699911AF3A1620E52CFE + +Count = 909 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102255F0AE85A6301A21236D0EE348A55DB9 + +Count = 910 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222B05AEBA516990872D0F76D344252935 + +Count = 911 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022CA138C6753D66A4E4F06661B1ABA04B3 + +Count = 912 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102234D10EBED1C7DCE181C1DFB53670FCE6 + +Count = 913 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022EF8E7E112381F1E6E9183F9761EE8414 + +Count = 914 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022C9FB1AB8FD3B54863E2ACDBAF34FC9FB + +Count = 915 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022DBFD68CEBE34D104CC9B251C4F515863 + +Count = 916 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910227A78AEB1B5568551CAA37E465D5FB5CD + +Count = 917 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222A65CBA4F81406E49F0B5358C9143B8F + +Count = 918 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910221F4F917D7E313172C123820CF2243DB4 + +Count = 919 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910225B37D3BACE78FB1D2E0B2FD25D7212A0 + +Count = 920 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910228C70110138B430827A8235253B77B8A1 + +Count = 921 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022013A5288ECAD36D45550EDB982C87536 + +Count = 922 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022141E32B3840A1A008A6B993F5C08185A + +Count = 923 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910226B9633670B2A0BDDE7EB021C460265D5 + +Count = 924 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022685ADA9630A026947752B66F6F9FABD1 + +Count = 925 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022270DD14D3CC82DA59CEE6EE34CB515DF1D + +Count = 926 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227CE89549DE0664A0EC7697051058C0FAE + +Count = 927 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022274EA03F3621B913B3B61BE18B92402368 + +Count = 928 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022275AFB0843FB657CFDF2A63840BA89D1BF + +Count = 929 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022274C2F03EEEA791D3F9C0D14DF5AAAEAF3 + +Count = 930 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227E460175FE80CF56864E1AD69F4027D67 + +Count = 931 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227DFD712E48459F7D2768BD6CE62C99F0F + +Count = 932 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022277CD043681FFAACE9E58B169E532E1C92 + +Count = 933 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227540A847EEFD2BF47A624CF189714D4E1 + +Count = 934 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227F252D7F65260708A501700ED225BADDE + +Count = 935 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227F1D80A5A9CC682FF44C9B353F77F3F37 + +Count = 936 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022275FA277A41606D0ECB94715A775D15BED + +Count = 937 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227862355DE5A2DB6D66319F0A5BB6360BE + +Count = 938 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022274D94880A662D6B03CA0465C39F785644 + +Count = 939 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022277EE3731C877A61D12160394C38961E53 + +Count = 940 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227030B7CBF61A7207CD71B62DCA07CA23F + +Count = 941 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022273F04DED12D21685C94DD61F137C8BF74 + +Count = 942 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227D13B1FBD0C8A703C256FC166565FE2F0 + +Count = 943 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227B2540B7E2FA6FD239E1177D5C2E0E982 + +Count = 944 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227F2174302E5BD10B9E72549F4984F2AB3 + +Count = 945 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222710996CE902A0EF103972D1559422861D + +Count = 946 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222788E81A066CB34D71E5702C16B12CB2C9 + +Count = 947 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227667DCD19BE1511E92922B76040E75F45 + +Count = 948 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A98691035B63BBFC0E80984CA3E81E62 + +Count = 949 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022274FBB1F3FD30815BCB56C0D3237E49632 + +Count = 950 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222772B322764A2DC06B3228B797C2006F9A + +Count = 951 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022275E3CD7D3AD3E15F4FB4FEECD04E2E3E9 + +Count = 952 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227800F9F55396A3D59948359DBBD655430 + +Count = 953 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222749267F5CA16D2281CC5890E175E9247B + +Count = 954 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022271B988EBA575A2CE0402D5B9D603D2F6C + +Count = 955 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227C183F113931C4718E085E8B3C62EB51D + +Count = 956 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227F9D5B884E7A831DA770B4744B6281AF0 + +Count = 957 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227C16E05A144321E3DBF1AB9CA9F0C68A2 + +Count = 958 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4D4B9269507E3B5D30F8BC2D5AAC24B48 + +Count = 959 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A467A4412844107F7C30E894E51E3CC45F + +Count = 960 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A413BD8BA45E962AED3329A8E23DB8D2C2 + +Count = 961 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A43C173CAC68507D4780B6B1AAEA272D28 + +Count = 962 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4360D7B0011A9AFB21CC3C98790B429A7 + +Count = 963 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48EB03BD7B6AD9263CACBC1C57C984AEF + +Count = 964 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4757BCDCAAAF6875F1A6E56E3E8BF7CF5 + +Count = 965 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4402657FD5065E6E4D8915EDB12D40688 + +Count = 966 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4F69C166AFE1B6439C47B2CCB5CFE7C56 + +Count = 967 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4B231E7E6B49009CA29217DBE78FD28F9 + +Count = 968 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A406B43EBC51E671C48823F9E369B0312F + +Count = 969 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A40C3672136F6FFB4D338B7856CB86E552 + +Count = 970 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48C2A179009A566E77AE65204DE00053C + +Count = 971 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4C8DE9EA8DBD3FC35B654ABD1A9F7B270 + +Count = 972 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4816073F3B7A0ED7F1272B2532E750A2F + +Count = 973 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A42E00F837D1D0D73EB5015B0869449ED5 + +Count = 974 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A42CC14A5E044E35A26F7EFF9836B0BE87 + +Count = 975 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4E991B90BE4ECCC89BAE4EA8759C47934 + +Count = 976 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4CE8B45EA2A5A2EB0DF969CB89F76D428 + +Count = 977 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A42EBC389E42DE379CC5C3F78CB6FB214D + +Count = 978 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48E590478D06D516B99F06E6553662728 + +Count = 979 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48347BC66BB35A2FAD75945CE8C582C9C + +Count = 980 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4487463593C28A96B3A2B4C38FEFFF9B8 + +Count = 981 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4B2657F94AD19E3DC7BEB29E5231B47F2 + +Count = 982 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A41DA08B5EB3272C4EFED5014DC69D7031 + +Count = 983 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4A2885D1CC7E435C369A58CC562A6B073 + +Count = 984 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A41646991BAD22A29AE2BE2811FA2AEE6E + +Count = 985 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A456FCD79A51279C8088C70C0CA8126FA0 + +Count = 986 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48C97BB093839B09B24B3616E1BE7057D + +Count = 987 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4EDB67FAF0CC98C16194BA36B37E6797D + +Count = 988 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4507D73942A13FF6223564276DA5A7E13 + +Count = 989 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A400D59B691309C0F33D62BDFD7AAA4AD6 + +Count = 990 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4DFD999E84D5D727A7A3FAF7A3FE480CB + +Count = 991 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA26CBE60D9ECA2E5C14F92B18B5D86446 + +Count = 992 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA2FEB11DB5DF0AD14DE315D5E686A5394 + +Count = 993 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA630BD77581D8CA3012903246F70ED6CD + +Count = 994 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA167F76B9945FC6629126CE226C5B0C93 + +Count = 995 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAFE3B7B913CCE2EA764D9DDC4F9617CDD + +Count = 996 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA219C295ABD2E06B7E317DB3CAF1C4A9F + +Count = 997 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA0DA95776667E6B423951525BECFEE70E + +Count = 998 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA51F1ED85333478A6E0F05B60795F47E9 + +Count = 999 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA36A4E8ADEFFC076941B70E6396D9AC4B + +Count = 1000 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA83353324356277CEAF8410883BCE6B4F + +Count = 1001 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7DE3073CE78AC4A2B9F8036670F9D0C7 + +Count = 1002 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA319F661C6F0B9E4D324C57C46AD20861 + +Count = 1003 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA4591868FEBF6995256F3F6F0AE83FCBB + +Count = 1004 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA1A9B0EDC1206E663A6E9E4664579B5FE + +Count = 1005 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA90968FB0961EE1D5686A62F10C08455B + +Count = 1006 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAE7330C4BA5493FACE33B4106D5525410 + +Count = 1007 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA1738E48895F0AD587D79580DB5E7D6A5 + +Count = 1008 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA03ECC4E949DC91DCEA9B04CBE28239A4 + +Count = 1009 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAAB519F3FC8BB035214D538A557911DC7 + +Count = 1010 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAFE6A11F81938B771DC0010E77564C920 + +Count = 1011 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA8C3B49D28386B24C2678E0268711EA0B + +Count = 1012 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA58DBC13B9C8C4525C1CCB63A21CC3833 + +Count = 1013 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AADD9E19FC9B3EEEFCCFCD81281A588436 + +Count = 1014 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA78D16D4ECA8EB9525EF6ECF50CB15D70 + +Count = 1015 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA07C6ADEB4B91A61E2AF5C837AF0E92EB + +Count = 1016 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAFCDB7B79CCA9DB3FEF7FDD8C2EDC8B42 + +Count = 1017 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA9C5E6E83D79744303CA297E65D83681C + +Count = 1018 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA49896CA5A4BFD68A3E45094CF622A647 + +Count = 1019 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AADD7797BE5EE43BB87715E6E28301470E + +Count = 1020 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA9CE503D75B0CFD71B3E4280B0C528002 + +Count = 1021 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA5E951CDA367D47594827B0508196B981 + +Count = 1022 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA310319BA0A9521DE22BAE7C48357397C + +Count = 1023 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7F862A54E078CC3F14E2E49F2BE0FD45 + +Count = 1024 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747F5F4D884AF540717AFB426A465CE1C1 + +Count = 1025 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74CC379E578FFEF4CDF0D787685FC10E0B + +Count = 1026 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA741E4F8726543D8557600697544D8AA9E2 + +Count = 1027 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74457E056E212D3FE2337F79DE65FD8E41 + +Count = 1028 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74BC44DA86870A772D2AEFEE629F37A1D8 + +Count = 1029 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74CD1FE3C34811CA6AE1C7A38A39582442 + +Count = 1030 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7481A91698D3A3DC4DD0452B61206643B8 + +Count = 1031 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7442B371B0E595852C475156C20BE66320 + +Count = 1032 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74BDBB8041DD046593C3F18AB98F8CB8BA + +Count = 1033 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74449004907DDFB2AB27E4E1E271597453 + +Count = 1034 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74CBE763B3BDD64F4D961E23D11994C052 + +Count = 1035 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74A10CDD0DC92A7FBC9C53B695A44BC2AB + +Count = 1036 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA742D343EBD7F099FC98E744144A18BC071 + +Count = 1037 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74D57BEC5E2E141FC0C1062FA5A5048C71 + +Count = 1038 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA742D19FBABBA1B245ACC6572975A6605F0 + +Count = 1039 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA749E208FBAEE5AD2F458905AA73B2FE4EC + +Count = 1040 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74A817CFF08A4F353E67626E285502EAF6 + +Count = 1041 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7489FF95D1D97159A435DEA52671C958AC + +Count = 1042 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7499AA343EEF3A10E7E750ED7DC7880767 + +Count = 1043 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74C474E3484E3A8E0023819B2821FFB62B + +Count = 1044 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74C020AAAE6356FDCB80CB7C4B3DFE63EB + +Count = 1045 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA741AF7C83064A725B941FB3DED382D2687 + +Count = 1046 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7433382637EEE4076233A09D321A8FA0A4 + +Count = 1047 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA744F4B7F635EF62D53CF115C4480A05962 + +Count = 1048 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7487A2B2CCF7A414B3474DE49F29F21E00 + +Count = 1049 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74A3A3746FF7177B2C29475013C2D73834 + +Count = 1050 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7423FC72C718BC524E35800740D3CDD72E + +Count = 1051 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74CFF58417451260847A2D955BE72D4F96 + +Count = 1052 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74B97D1AA4F9D18F754D09CF2E6336C49E + +Count = 1053 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74268D1F6D9ED4BA1456A3F9116490EA6D + +Count = 1054 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA745D3F5BDF438E226A32E40C28B7B67DE1 + +Count = 1055 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74870E0EB1EEA2D5F886DE88080BBE7073 + +Count = 1056 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74C09C59C6B235DD0AA810DF6B252898A1 + +Count = 1057 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BF6920F9ACCA8AFA96D00D84E01734133 + +Count = 1058 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B6E71650336184E09683FBEC5C30B1398 + +Count = 1059 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B64FBCE52AAFEA8C99FC2606E9AD736A8 + +Count = 1060 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BC81DD6B2E53A5F031CB4E64A8AAEE0C7 + +Count = 1061 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B28961CB421A62BF9C1B52404DEC42A36 + +Count = 1062 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BE130C0981B2DA2B6AFA41E9D284E0FCA + +Count = 1063 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B2304B4790296B1F65723C9024A91BE70 + +Count = 1064 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BBCC075425C6C89542584F613C9A18520 + +Count = 1065 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304050607 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B06C0A931C933A274F312AD07B27AB5A4 + +Count = 1066 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B5F40233D3C419FB059A0859C8EF7C680 + +Count = 1067 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506070809 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B44E331F68EFD6EB894752A4146A7DE80 + +Count = 1068 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B1158CF25EBFF90CF97995DF81E283D0A + +Count = 1069 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BC0C3D8519DA52BBC2B5CBD4796AFDDD6 + +Count = 1070 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B73ACC8A1EB9E9800112DD0463CB54009 + +Count = 1071 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B111E7AF8A5F611DEEDC675FF4E31FF88 + +Count = 1072 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B54C5CD45AA5B97FC5D53676B83B07369 + +Count = 1073 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B572961901A91269791412B22F6A79C17 + +Count = 1074 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BC459C64B48A11F7BCE42FF8679368C2A + +Count = 1075 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BA645B469D288F679FAAFAC729B82A22D + +Count = 1076 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BE8FED2DB12F0146CDF15C6E5D01A53E2 + +Count = 1077 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B3BA4FF69FC6478EBBA56F913FF6BE8B9 + +Count = 1078 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B8531FF47806B28001842829C2F5639BE + +Count = 1079 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B3A11D0E0DAB9E4A0DFA0A33EB224E111 + +Count = 1080 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BFE6DAD972933EB32F0B00AB76D4652EB + +Count = 1081 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BF74B4722E3F58712A192F335C67647E2 + +Count = 1082 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B0186729D5BFE475AD57C85C16CE6F5C8 + +Count = 1083 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B199F4737FCB78EE24235FBAB3C94F307 + +Count = 1084 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BA2AA0710F654A79E7E7865D977E9A1D3 + +Count = 1085 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BF04F5C861DB963CF2CD057A71614BB6B + +Count = 1086 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B4EF91F9E7B03C35838C2742E04B2D074 + +Count = 1087 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B1EED3A1CEDAC3BBD58BD95BE1FFD4CFE + +Count = 1088 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BA31E7A2651F8E0E07DEB160871A2E40D + +Count = 1089 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BA0FAC4D683F5B1CFBF3683112F3FCC1B + diff --git a/isap/Implementations/crypto_aead/isapa128v20/ref/LWC_AEAD_KAT_128_128.txt b/isap/Implementations/crypto_aead/isapa128v20/ref/LWC_AEAD_KAT_128_128.txt deleted file mode 100644 index 0b11aea..0000000 --- a/isap/Implementations/crypto_aead/isapa128v20/ref/LWC_AEAD_KAT_128_128.txt +++ /dev/null @@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = -CT = 79A08D4D8B9F23D3699CBB91174DD67B - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00 -CT = 1C08E1C57809657AE74AB46A0C788990 - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001 -CT = 0D10BF42FF4747E85E82B56E7BF6971F - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102 -CT = 2CE0E5D2A62B7147AD115447EC82F973 - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203 -CT = 0DCD47EB63C6D8747F1615CEB8DCBD41 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304 -CT = 69E5D506E54E4DC1A425CA3A8DDCFCEA - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405 -CT = 912C71B754056032794554A2416DAFFC - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506 -CT = 945EDDD648DE63D39E59CE082442EE32 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304050607 -CT = 6CA1782866E3A3C02A69808ACD90E116 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708 -CT = 0EA86DB28155B24BE09E1DD51512BCE8 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506070809 -CT = 619FD7C25C53F0650967790094FE60CB - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A -CT = 395A0E0C1751A9E5828C2C1A01671FD8 - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B -CT = FCC741F5758C9A23781BAB0816E6D70F - -Count = 14 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C -CT = 575333F4FE2F43383B5741C6DC678BAC - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D -CT = 33403F908770AC8E7EC3F6A550FC8665 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 32675670733ED9901E3A111E44A61265 - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 649D22260EC3AFBEFFD56CD41D55AE0D - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 73A7D6F99838A3AFE6F43B0E420ABFC5 - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 6F5161A7B19846B085661C4A0E5CBAE9 - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 200CF404403A63EE5ACF37BB5973C361 - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 898F3D7A9BC1A1A1FD74A32C7CF7CEB4 - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 8F7D0211E6A58554E973D7176833C7DA - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = E50705103326C58475E0F2B06A6E6A8A - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75B9DE37312119173D22207B8B905094 - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = AC54A2482BB21C1D7DDB91B60357F691 - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 995ED8B85E29554F68E684D176359E29 - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 675740FE838B0870213EE2902C31A327 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = F433BD8DF5887CB3C5022D84A1BF31CC - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = BEC1C573ED6A54301B653DAA9ABA039C - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 44BE8F10DAA6804EE7E8F14DB2EF898C - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = E91D9D193F7A54BDF5EFB46B5DE002F9 - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = ECB3991BED7CB6BBB04D392357315959 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 1143900669E7333140265FB02B63EDEF - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = -CT = B8681B221A6DAE4BFD96E8FCC8FB6FF81C - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00 -CT = B8CDEA5650EB1A63E8FF96E7C641CDB731 - -Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001 -CT = B8096428E3C142B7E0E9AC46193376AC1D - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102 -CT = B82679F00439DFC49690C61C74E52C0B07 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203 -CT = B81018F1535A3EEFA33B5363B7CCF19267 - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304 -CT = B8DB7F86AE6BE2EBB98BAC259F61A0BAB6 - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405 -CT = B87377493B158FF695263CD237BDAE074B - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506 -CT = B8E9159D7EBEB0438E1507486A98EFD944 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304050607 -CT = B8B60D5CFA4BA475562A012357E2B73CD7 - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708 -CT = B87199BBFB81E2929FAD276AA94E6D9C65 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506070809 -CT = B89B4B92B070E7C8D414236154392E6262 - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A -CT = B82767410B6A6F459841F8E2ED49005136 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B -CT = B877039F49FAF3072B6DBAE4C944365FCC - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C -CT = B8051AACAA175E74B33EC4B2EB4D69138A - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = B8DAEC24B12290C06E3B7426F11E901A9A - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = B8E372D624567E33B0E0AA12D27AD43CCB - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8898DB55ECC68FCB0E4D9AB0F1313D84F - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B87BE8F0573E1DFB6892615B1445CADBEB - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8F7EECF208A5AECC7D5D02F89BF04B609 - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8B586094F925345890946EC859CE6CC09 - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8AF8376A8C30EE517D990430E424DB760 - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B86BBD40F7AC94F99CB3D53B69010E4E61 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8AC77834AA8CB332804FE78FA1CA00D46 - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8CD611A73E66262A8AE93E5BA05E1EDFA - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8187AD36AE90CBD60000FEEC1AFB7EA2A - -Count = 59 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B87A979B9C98145B534EDE723AEAC09AB9 - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8A21A416E8627086A8C6B7CB18ADF08E4 - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B80626F0935933C10A89B5A0A76A51D2DC - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B80C69A13AB6AD619CD5624AF2A98973A6 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B824124B716A638658C5AA7ADE79D492CD - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8410E59E06D4B2ABC709528DA9A2EB7AA - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B83B3D6781E635E35C6C9054D761A0C8CE - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8C1B1262E9155CCCBCD7620A4D3578EF3 - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = -CT = B852318142C985AB74058BCB2C80C3B034D0 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00 -CT = B852AD7BA1B1E573B794A52BA482A128054E - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001 -CT = B852878BC591E97BE148469CA563950D3C8F - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102 -CT = B8525A263427AB77BDA2CD08FEC68D4F867D - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203 -CT = B852B678A3B68C61498BF59553B121BF4CBD - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304 -CT = B8520505635FC3CFC65E7B78D8494DD71E0A - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405 -CT = B852AE9E7BEF230CDA1EB1118CBF4CFFECFE - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506 -CT = B852D59A5308A4E3A29BE62E34BFB7660884 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304050607 -CT = B8528C9E53E7DD2D4308800CAD9BEB3CF409 - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708 -CT = B852AC2F36729DF4BDF45F4EE297A37A17AA - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506070809 -CT = B8524DD6358938F12FDCD80CD8417E0C44BB - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A -CT = B852223DE26A176CA33CFB7E52E6BF3EA4A2 - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B -CT = B8520A96D211483B19FD3FC3F8539ECC4723 - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C -CT = B8527623F514F9C6EE6DF1528C1FF00AD6B6 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D -CT = B85220F540F47D0563D2D450FA2883200663 - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = B852764AEF6DB525993D5781EDDC31638281 - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = B852474C7BD71D243CCFADA77A15D36DECB9 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B852F3C2CDD920C52023FA86A991BE384654 - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B852E490C66B89696B867C46375C5862BE76 - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B852DE06C05A2C3471D86A79C838AF4FCC2A - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B85268129C5DCA81B30826965C7BE3D6ED0E - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B85205C308294E329A37E3112E69B644F90C - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B852B9AAA719447308B34C01830E20D1F5D4 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8528B66D63B75F04A632E1B5E12C96654D5 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8520A66B6DF2343E181AF5AFA7AC560C764 - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B852A4731937090EEB35A7012C6198F83DDA - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B85260B91AF2ECC7B618B36B09C870D3F38A - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B852E2DCCCA6CA5403E0AAC57714B16E2250 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B852628B9A79D9C97F52B6C0C7E780636ECF - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B852A45EB9C0CDD06817A4F0C28827D38682 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B852EAB8FBEF49547AF7446851EC55807BFE - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8526261116DCF1B386DA9EFDDCA7E17CFDB - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B852A7AFD2E02707BF948893482D00C0920A - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = -CT = B8529B87184E3591353EB3CED177DF850FA31F - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00 -CT = B8529BC28C2991A6FED868869F700E711356A1 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001 -CT = B8529B69BE6ABEF571F4C1C12F1205C13764BA - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102 -CT = B8529B816CACBA2546E6D005282D72C793964B - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203 -CT = B8529B3819F5DA572D3720F24C76A4D64EAF09 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304 -CT = B8529BD3AC39641FBBADBD098F198EF076DC34 - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405 -CT = B8529BFEAEBA66D206308AADB218E780747BDE - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506 -CT = B8529BEDE79A25686309967E3D777A86C5221E - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304050607 -CT = B8529BB51AC90CB3501D0A61CD03E1224A087A - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708 -CT = B8529BECA8B96B32E8FEDE529020293E356110 - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506070809 -CT = B8529B0050E28BE528EFA05E3D89D7DB157FFD - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A -CT = B8529B82B7F6C7056D33881B31006D314C7556 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B -CT = B8529B0B9FA419F6B0C9C991F108B45494C99D - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C -CT = B8529BDACF7A0FCBEC6B1E0192FC4D04EADEE8 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = B8529BDA44384B938B3E554254F51DCB680E53 - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BEFD4DF6217A54467E24291CBE91C9999 - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BFADD92DCDDDA9260D3CD1F3C38563078 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529B177A000EFE6076278C2639B02DA5B3DC - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529B47DDAA7B572440CE612EEB358CC3E8DC - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BB7765A6DC2B115AF80FBE16C19F2F900 - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BC7A7558A5E1FA4CD4ECA57920D40ADB7 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529B38F2484235168C3EAF4FC5925C143EA9 - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529B598F82F1F81ACE7F1C80964AF4DAD387 - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529B7E76CF83F5470D3ADB2E8A264216A707 - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BC500BDE3C02E014692886462C2F48AA4 - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BD6AF42FE16542C99FC925AB171E447B9 - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529B5114F0C9E79A988E518F1DD8AAE256E0 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BE35A812C7CAB780380DA6E2B287DEFC9 - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529B771333F389BB9AFC3C2145C2D27CA7E0 - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BD503296662D8FF09947721D7D5F6CEB2 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCAE1EE3AA5BDE04800F2EEDFD379BCEF - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529B7C47EEB439001372B7FFAB95835745C4 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529B167689C1D0BA76010FC68131E9859EBB - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = -CT = B8529BCE6EE52F1740275BD9AE7F2824A766A504 - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00 -CT = B8529BCE0769964CFB73E2E7D8BA9E5F0BD13742 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001 -CT = B8529BCE0403B2C936C0467D1A04B97853D007A8 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102 -CT = B8529BCEFD8B6E21407015E108B1D54516231C7A - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203 -CT = B8529BCE3724B769F12F7C5ED260E521896E8439 - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304 -CT = B8529BCECEEA14D2EC32F6A8DCDAF81358CA496F - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405 -CT = B8529BCEE24D614587E741308C79A53C74A9195B - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506 -CT = B8529BCE1AEB30C042C14C47A8119A4F6085DE2D - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304050607 -CT = B8529BCE33263FB060C69686B3F0C050FAD15CA9 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708 -CT = B8529BCE7FE1F7947F2591484065068978F95050 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506070809 -CT = B8529BCE661AFAD91919991F3763AB704DEE7768 - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A -CT = B8529BCEF5D39846DF302AA609E2974B9D06EE90 - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B -CT = B8529BCE2C1B7566034765363E8653D136C45E30 - -Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = B8529BCE6817754E174F7D0E4B17B51DDA679682 - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE71D73EC88951280B9D009928EFDACD0D - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE86CF56CB4468E2BC5899EBCD26CD12DC - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE4A9B1FA6183AD8C398804E7CD30AEF9C - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE222EFE6DD52A550700FD9BAD79A14C36 - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE3ED857D06B98849B2491CAAF823ACF25 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCEBCEC28DD1289459B90308D58D5E61AB5 - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE46C33A21DD19D257A888A8AB14FAEAC6 - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE8DEB2F3D20DF2D3A6DEE69CE0674C788 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE8ABF89EF4E3740FFD5CAA89072497E12 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE5C3127EB242E06AC12F12C351F159212 - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCEBDBA60546092D35A0BEDB75D8B82A703 - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCEA73BFC1C3149A6715620B81E1B975377 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE756DB8A2CDBCDA6D3F670E3B5B7DB336 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCEFF749AD0C9F33C8B237088895F0FF614 - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE19EDA038C55252CD8A82322F532FE143 - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCED9C26018101876F449409B5214E2C796 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCECD9082ADE141EF25212CC0A5BA3A5751 - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE091364894986D6F550CE2787DE77E2A8 - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE347979AAC0E18C6821BD5C5EDB33C34C - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = -CT = B8529BCE1B14A150C8AABEB762993FB3CFD470E9D3 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00 -CT = B8529BCE1B061E0CB600F6478EC6F9EE2F378CAF2F - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001 -CT = B8529BCE1B1BBFA2B6866761A9F9BDDE0245B3CC68 - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102 -CT = B8529BCE1B9A77BF121DFFEE7FEFAED531AA0E5FED - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203 -CT = B8529BCE1B4E67DFCE78F68F0AFBA2517E637650E8 - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304 -CT = B8529BCE1B5B061BC0399F9E63347F422904912AAC - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405 -CT = B8529BCE1BEB89140BEEF56CFBEF9ACBF1F2E88E6B - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506 -CT = B8529BCE1B19BEB28DAB995A79C27A8F60D39E47B1 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304050607 -CT = B8529BCE1B809DFE9EF59C75B2A1725C50137601A5 - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708 -CT = B8529BCE1B3688738717A14074C0F5726111796E9B - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506070809 -CT = B8529BCE1BFEC45002B93C8BCD2C066A7E17E19993 - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A -CT = B8529BCE1BDA96290B6876016B7F47D5C8773C3931 - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B -CT = B8529BCE1BFF7E35F3FF5679237511F10954C696FA - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B7953822C5D48345D83C8C554C9C77080 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B84CFE7C59DDB0874217C5C0CEB53355C - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1BF1EB24CBA72C418D38E98EA024335ABF - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B9F388F9FA26C143764831BCB90CC6479 - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B2CAE16781B62F4DE3A9ECE7B8EAF4DBE - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1BB84ABD60143FD6BD5F6528B7FB890227 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B2DCAED1F6755639287B90A60EB63FB95 - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B5629F92C2C9D050C5AF627C664E13AE2 - -Count = 187 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B157D161371D053F53C6D68FB001109D3 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1BB6FA9727BC5208210E08BC28FF7FDAC2 - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B6C156592EB6D13AA267CF7E5665E415D - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1BBB5219113F8634C53FC06B6C691CB203 - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1BDF5F7E359DFA0073D477C48FA3570193 - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B82D47E472F48B5C7DDF37A733C22DE6A - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B1A2482AF4E6213BE95AB7B6036759436 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B67C08C5796BD29E61AFD7156E72E3D6A - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B2D1045C573050391BADA95C6DFB4B51A - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B4872BA691A27C2BFEB6D8AD23A6D310C - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B9125BB53A5504CB8480B330C3981D976 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1BEADCBA59F19DB38245A4BCC6476BF958 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = -CT = B8529BCE1B3F2FD9637B5A4B0A5B1DEF63AE4393ECF0 - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00 -CT = B8529BCE1B3F861EE186192B223F0CEA0D52732A4356 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001 -CT = B8529BCE1B3F726B2F07F3403F017A1021448AD994C1 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102 -CT = B8529BCE1B3F74A7CF24428B1FF03BF8B4486D726039 - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203 -CT = B8529BCE1B3FC43619EE3FDD95ED98ABDE200DC30F33 - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304 -CT = B8529BCE1B3F7F16444EEAB278F56D230AC8D5731398 - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405 -CT = B8529BCE1B3F0CC7211A73D2797F324B9121252A3DC7 - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506 -CT = B8529BCE1B3F7199FE1730FAAF5CF97318CA9EF56710 - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304050607 -CT = B8529BCE1B3F4268056CBE21B6A00BE27E68B2BA22B2 - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708 -CT = B8529BCE1B3FD4935323A3113CCC2CB0759FE7E9FA44 - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506070809 -CT = B8529BCE1B3FCDFF16387C16CC8525B15A3E72CBD3E7 - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A -CT = B8529BCE1B3FE47A036FA085262DA5BE9D0859CF87A2 - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F4C2E0B319AB3466D612F542D54E9A248 - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F8E3F4C8371757DACF8C5AE7B9AB30DEF - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F3FBE893FD5BC191A52E178AAB5C28EF5 - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3FBA5FF63C5600680A0BAA4826B523F40C - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9F14AC3BB4B5D394955BAD54EA4D940A - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F73B38A9738F3DE88D612612C96A7B5C0 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3FF1D052E838940D66A71302383DAA13AA - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F38076F437BD7D7F309DBB6F734CBA71F - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F8676EA6251EE51A2AF9537F773C4A188 - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3FAAC4AB5EEEB0A44D7721F5140C90B8BA - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3FD00755950FABE8D890DC3227B4FA43AD - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F5E365815469228DF04495054E54F432F - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3FD8AAF80CBC1496FD7D513948B883FAD8 - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F220C07AE5438E20B9C169CFAB5DBF28B - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3FE69BB8DA05F6C2D64CAA036F0681994A - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F482059E662915211FAE18933DF58D5CD - -Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3FFBDFA33627ED8BEADB1B024ED2D3C452 - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F02D1CFCECCC483E5C2CBADAEE2324E01 - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F921F9378AC7686B7349EE2EC16D82508 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F6A7403E7B7C81DAAC1FF71CC9C08F593 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F4F0F18F095A0526DA14AE1D4A2B8620A - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = -CT = B8529BCE1B3F9D809167647867D987D5E81331D614C8CB - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00 -CT = B8529BCE1B3F9D097B116174F92A0F82D1BCBAD5BC4202 - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001 -CT = B8529BCE1B3F9D7996DC8D60DF511AF9ED7D2EEF90FB7C - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102 -CT = B8529BCE1B3F9DFCF7E81AB4B2B01BFD3FA4E1DCEE8F6E - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203 -CT = B8529BCE1B3F9D2DF3F3A7475400671A148F2EE2CFD921 - -Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304 -CT = B8529BCE1B3F9D62EDFCEE9721E75799F8EDED99BD7809 - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405 -CT = B8529BCE1B3F9D4010C50E9160D97BBE9B25CA4CE07E5F - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506 -CT = B8529BCE1B3F9DA140DFBFBF18F687939D46930C2F43C4 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304050607 -CT = B8529BCE1B3F9D9DDA8ABF780146BBC9C233CBCEAF8E1E - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708 -CT = B8529BCE1B3F9DA6F92B5C2EB20B5337F87F775B6700C5 - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D889689C0310B67B829C31BF3E9790743 - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D55FD0ED71AA26E0A6934215CBBA615BF - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D52D6DA3EA742DCE5C9DB4A7C28E8B7EB - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D37FCCC33A6308AD707C60C89C2047DFA - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9DCB15E357BAD6F11DFCD39B69E3B674FF - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9DCBD74EC487AA738E955B404828DECDD0 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D62AC6ED1D7BFDE0BE63E392318714211 - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D7C49ECBB65874D14507A86DB03EC2D5F - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9DB2BFF11E4F3F2CDCA2C1D189681D7DB3 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9DC6DA1FF98DEC0DFFDACC690F9F94457A - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D65B6C35FCCBE498026BCDFA73BB1F48E - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D7E406D47A29A4A3521909405DA1AFC6D - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D34DF239320D11B1B56546DB2B1D20089 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9DA137DD38B2EB43CA5CDE0867D9DA8EAB - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9DE8269539DCAE9CE146708EE5E00473EE - -Count = 257 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9DEA0CC2F6BC6927DC47A8AA3D9336FB53 - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D2C6E91521AB9197AEC2F9F6AA573A108 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D7F59DF7A3648FD2BE95CFFEA40E02C53 - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9DCE2E3AFCAC3043109DD75AA2BDF36448 - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9DD9E7C956D0478E99971080B7138EC35D - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9DA98200BFA115F3DBA73C08D3779DA4CD - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9DC01B8611BBA7DBA4D2EB0A3227BA5F92 - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9DD4AA450FA8071E610DA9C83D5D579738 - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = -CT = B8529BCE1B3F9D0D86EEF74C15732A03B996956EF8F6B4D1 - -Count = 266 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00 -CT = B8529BCE1B3F9D0D2814047F43AFB17CA2DDC8039B265318 - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001 -CT = B8529BCE1B3F9D0DF4B03CC74A810D3E869FBEF0AF71424B - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102 -CT = B8529BCE1B3F9D0D5455EBD9E712D49BBD8184823D05C2FF - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203 -CT = B8529BCE1B3F9D0D413A38A2B4F631AD90499ED5D5CE8729 - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304 -CT = B8529BCE1B3F9D0D00C6F71FB1D62A3F814D1F85FB406A02 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405 -CT = B8529BCE1B3F9D0D7A4868F7E6C237ABC6BCD44E7476AC61 - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506 -CT = B8529BCE1B3F9D0D43F504638CA61B8A18498C0A1319E351 - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DBCD13B18FFA99D381349E71B8473BA98 - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0D773BDB5AF899D1AEB6515E46B60D7031 - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0D5610B091005171287A325D65A27D7330 - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0D8C1043648D6507D63B2271C47AF08201 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0D05E859BA7F9183563C4D08FB5358F779 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DD71A3C3D969BF381784DC19BE4C0823C - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0D0E74D5A014237838FD29971DEF989E86 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0D5D43BE1D2BDDEBD67391DBDEE1E52C9D - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0D2540F297410A67F78DA7573065FB5727 - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DAA4F3D0B893E66D4591DD88CD495DBCE - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0D22E800460AEC298FE9345221F7E649FA - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0D00CD0F3ABD6E6233A374B9429F18A43D - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0D0081D40824F8810FDD97725A68DE4DCD - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0D0BCBB148BCA6D38C845EE8E9E75404D6 - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0D85A2DCABFE23FA59D3EED5D11FBAC652 - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DD6521FD996139020CDF4AC5AFD4FFBDC - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0D2CAF18E9ACAEB0F3204CC0D1479B2E69 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DAF65132241AD1D4DD92D4B08F653EB83 - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0D1E7D3922CDA81797A7D35EEBE6EAA822 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0D22BD59A54B655EFF813DA396372C3797 - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DC3AE00638EE469506202F9A657B7E70F - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0D2525F5A02A6560848208A646051544AD - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0D3119A5491E01C290610E778AC47E4CF3 - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0D82F3C64B75FF96BB4AC49A021E2135F4 - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0D1B48E302CD5F75A91A43E208B053B269 - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = -CT = B8529BCE1B3F9D0DB7803E6407B8A7AFDCB970FA0E00D3F94A - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00 -CT = B8529BCE1B3F9D0DB71A0DC7172C258C7A81408A3F39D80C24 - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001 -CT = B8529BCE1B3F9D0DB7D51F83ADAD45224771B2C0051B1D3F40 - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A1044E612019EC1CCF9DCC063DC7F354 - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7ECA5C1E6DACFDD97F7B7C85239DDDEBC - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7378D07D8EDA2334D2B5B2D67E2CFCF5C - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7F0DB484947671BC1EEAB33E09D724DE0 - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7DBA6FA5AB3BB657032316E85B44075E6 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A3532233C0472E4EEF48D61B4496635D - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB76ECA9E00AFEF3D6A83E7DCAF16275B73 - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB71FED9E3C7617B7E9279C6A711D399834 - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7520EA592ECC383F86975752A772FC4A9 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB74894B7B31697140C74106E5D273C0D0B - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7784CB26A02B09419DBD435769E9F334E - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7F080C503E3D24C722D3837AC2C000F46 - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB794CF00C6960D99AC07547DEFBBDFEBA6 - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7CDDB99252F57C72DD6F28AF19C7799B4 - -Count = 315 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB72BB9907E27549B3F9B77A718525ACDC3 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB73233B451D583F8E867A1F27390582DE8 - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB77FD46538E6E75465A825CCBAA030BD87 - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A779CE4C45B67748E382DDB0ECCC0799 - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7E826322CA65F42105CAEFE40553A0EAA - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A0ED49D164EB3095FB66C6843AEE2789 - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7D597FB15880A29E9F71B0A524B5263AA - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7780FDFEC2BACFDF11A4B61B8B461B16B - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB70ECC10B02E9B4F55DBA2227CA939DA0E - -Count = 324 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB78F5584DC3D108A93A52120C9AFEAF135 - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7CD4784EF593F6C4E94A68AE46E9B1DC6 - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7B7489622D915C53B989971C1CBBE1F0C - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB779E60116D7EDFB157C6D049C789CEBB5 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB79D26081622C324F2E68CCB557892D6FD - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7E38456C5ADC471A7C58CF1FAA8D1DF0A - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A991DF053CAAB572AA253BD629701ADC - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = -CT = B8529BCE1B3F9D0DB7A9EF388A9886B3DB05FD0F40F565FF0F4F - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9CFBD92D5ED45C3B6782710327E1E0854 - -Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A98EDFA8BEEB5A714C41468758579E7648 - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A969CEA61B25D81B1B0B24E0625CB7A7A4 - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9EA99DC0B1D68BB7885916A722AAF11BA - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9455311C5DEBF2C13302DABCA4738D5A5 - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A97A912D52558EDFD98297025411041E84 - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9B04C281C6C1C8E694ECE14616191BA65 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9CE2FFE6B970999B81A2C6A1334514465 - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A93165F2C3E02DEB948F0CF819F22D4880 - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A92EE5F3E708B4BDE58F75DE80CFC23FAE - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A992447A48F3626B6D202E1021FD5B795F - -Count = 343 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9EE6FEB0469D09FD621587AC16054A360 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9347EE754389120FAD6E21F2C3B425F93 - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A94BF540AF30E355FD3E81F9106C304477 - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9EF46DCA699D5DC550C50335ECAE50ABF - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9B90B41CD081883325DEBEB659A0EF32B - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9F5C64A98AA333D1BB74D43065C0981A7 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A932FDBDE453E724E546A08AE545950E82 - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A97E1630D140BC9BBFD1D60CB37044D53B - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9A322845DC5533D5609D5F3F92D2F577B - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A97C2CF8E6C8B329E29CE2B5A22A79826F - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9D9667567A4F2B5DB148A0B785ED9D2E7 - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9F307C6C18733577768F6822BAD3EF616 - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9B222311922626206EC7680572F89497B - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9F5C5DA8359C95C7195B99D4B61E22675 - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9E912320852171EFF2A5315ABAA38C22B - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9BA46C173C0275969B0E78F320D1319FA - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9E1AA36827BD37D7CE41A24F044FF19AD - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9DFFF82756188D64FC684B04327734523 - -Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A90EF3B48A74DAA9D15A2404C4EA07B0A6 - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A928076BC4F5464F54109911AF5E4B35CE - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A989E8C78D37D375F4AD43A7052F76D2C2 - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = -CT = B8529BCE1B3F9D0DB7A9C834181EBE0DEB4BE30F600B849AF7D421 - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C84967DA0DEB9E8F04C210B80C44E818A7 - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8B09B7F50D77FBC7026F32D4A596E9B48 - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C80D8BFC12DADE810F67CD1C1ABC10CD17 - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C80591C70555C673923532E62672C1418C - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C84354284A8DDDD6CAC64F2A977FF4D0BD - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8B9DF6E6EE70AD6033216946D2F2EEE0A - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C885C503F6EEDFA2A972B92DC7F9DB2166 - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8C7B15C91AE848582FA98E89131C7B26A - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C85F184898545394BE3BF7619FAC9A7136 - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8527ACF1451BD737F0F2E3EAD99473405 - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DE1C857884A54214FF857287152D7182 - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8E10E3AFD4D71AFF7DC9076D1FAC3F038 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C84D6A05E0367A943DBE61C7AE46BE4CFB - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8B6D0B5A047A4E41A64199ECB1CE91F8D - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8062135D802990569C8A414EF2396967F - -Count = 380 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8B9B4101BD74EA602A653B06949C0CC45 - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8F851F76C13A9934418D911F77A77042A - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8BFC5EDDF255796DB438F0EB96253A692 - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C86A88756856DC1922C534544DA13CAD23 - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C84E40018EEB1B0ECC47759224CFFE48EB - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C82E1C70DC893BE332D90ED99B3C6F6411 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C894B72C3F744C608EA6855F715C7D8C61 - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C847930F66700E418A881D576C73FA6AB9 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8861AA9EF179D2FE78C32AF0BF6ABB327 - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C884CE476737F9A02FA690C93A68CFC12D - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8547BDE8EF418AA4B5CFAAA50E74C3FEC - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C80FA6BE0218B0AF86C5786DC5985A336E - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C85707ED35E2696AFF4B4E08999BA04861 - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C869C5CF1564FFDA7BE6A882F150341B39 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C83194F6F0C56BB82308D6500155C63765 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C84E1ABCF895510664F82FD7FDF5060B4C - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C85C8FFBC476C0D7E2CF2721789A1CEF4F - -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = -CT = B8529BCE1B3F9D0DB7A9C8DDF1492DAF87AF6DD5AF904F443505E375 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD743397B1E40BBFDBBD34C43F2E200EAC - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD20FDB4B64461985A1AC8354352CB27FD - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD10D98F37EBB99DBC1E854CFE31A1CA36 - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD72A1F79F796100528279FD40502BD271 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DDD3479EFCDEAC9052D09FC4BB1D02F533 - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DDEB9097F94F0D13603F42529B065FA5DA - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DDBE7F400FC139968BECC001BFA7DDC78D - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD715D23B5DF30C754E8D37B582D4EB064 - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD87E8FFEB527FF47A5326C7B0EEECFD69 - -Count = 407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD1C81DB290427B42866815B738D053AAC - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD2A1E6641345AA1BEF66F61B78DF1C18C - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DDF36CBF4AA98E722189F3EA203AB4101A - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DDCC7208489C6D5141B50181C70B02CD12 - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD25CD466DCEE42CCE6E16372056EB8294 - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DDA63DF33CF9398A65A49056A59F8CC393 - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DDEC4D09492CB9331B6B250B91D689F9DF - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DDC0EDBD52782DF061DE6922B000B86941 - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD5AD028B2C565779C42B972097DBC6C38 - -Count = 416 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD57E1C3B445C253917838E8AF1023D378 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD98064D16B4515B3DB65248298AA00265 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DDED2C88260F1EFEC94A92CF302BCF2D3E - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD5E19C23EB0142DC22FC002E099485100 - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DDF029702F2D9F8B020BCE99377075FE05 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DDCAD15358889BDEBD3E1FA140E8DD1B25 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD82A463A7B23073FF084932ABDED247C7 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD7DAE0F634E58D44EDB73E417E49A0083 - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DDC89843310A13903D1F73F68F33018271 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD7BB0CEC3C3B76771DB9D863B4A93B391 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD8123603E5F4007FFF757A814612A73E9 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DDB5E395E49E9826B7494B6EFCC89F1E7F - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DDA82446507AACAB865EAE622FE00E8F28 - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD0B30C7B3198481B0C3D31065F84CC4D1 - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD438986BFFA515D6022A65D9A48CAF530ED - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD4391B02E7C387B0E0A7A3D7A34ABC3276F - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43EE1DAC189CF7FFEDD94CB89B78B5BEA7 - -Count = 433 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43C33AF877C578A1D6F69164EA24276A90 - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43EE3B86176F08F3136B3300B4535E2397 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43BE7F33A7C9675DD01228608D13FC3207 - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43F0C42D5CBDFCAA848BAD6B01C499A21E - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43E00AF9504046B655F60D8A6D015A6748 - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DE54D00AF80B16C07FA112BE9218B468 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43499B225D07C0019FD88C645276475B7E - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD432AF63DFD98EBBEFD649F71C460DFF05E - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43721030FBBB39CCB3911E6D9908978825 - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD4336FBFDA66026CA32CDBB856FE80340B9 - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43A9397FCF99D885D45FF0497ABDE0DB75 - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD431A80033BF7347E8812364EAA88992F61 - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD433DD8F30805C81D8C63B8E3E41A89762C - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD4316A4BEDB73ECB9BAD98D0156D121264D - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43B86C04219D3A405A61AA418D227D773B - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43921A654FA11903A01E71CB32C71D2FB8 - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43930417E42B5DDAABFCB88CF7C00C4C53 - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD4346ECD40C260EF8D334163DA70FCDAA97 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43ECFC0C64D23B48612C4383FAB60BC48C - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43FC82119FF2A1A854E245F9EEF0AC085A - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD432D6E7EAF0B122DB223375D786AEDD1A8 - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43D10ECA3AD266A49986219E8CABAC23D8 - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD431516ED47E25B0630D6CDF685E317545D - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43988493E7C492C44E833EFE6E41B39EA2 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD432A9D36A800A67D2D41DA9AF0F88A38B1 - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43EC4017B799F01604CD634BC17375E0CD - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43C71FBDB4F770652349915C7D3A6755E0 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43D03491E166D9FAEC265060C3AE038D42 - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43FF2D14C622CD8ACCBC69EC6A9253AF7B - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD439823720098F9009704AAF43AACD84F39 - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD4E1C9E8547FAB1FB1488CF64655E711C - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DDFBD7865D0087D8409FBCB4752F7C63E9 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD9D509644B4BB81106EFBBF5844241C4A - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DDD995AFD4B0CD4EFDCF0FEEFCC9296A26 - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD728AA6B81A37BD5B0F5DACA26854457A - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD77B39005B17915216785F362CDD59ECB - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD7A5C4E61C44A09CA061E65CEE31017F7 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD259A00FC2A532FB9EE7A44F5B592A554 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD31D60281AB47FDD4B751B00DF82BED49 - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD73CF1321E13E0EBF45985F965F2B129E - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DDC3DF7A3C0D8B800E6ADADC0FDF979B1A - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DDCD06B5978218B6AFCCED012666AEFEEC - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD23A02F1BEAE8E130CDA9B393A5699003 - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD61EC22C4B75104D7B9FB5A7857B8E83C - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD7A3A677C714BA68B9BA3C64474C89291 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DDC9514009F510226E8CEA18C26C7B4DF7 - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD2C479DA8FFAFA0065C1F2A439686ED3C - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD54BB5D7740C02BD4BFB8B8E77DA60660 - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DDA4B5C26C830948BD4343E9ADBD09E09A - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD1B3E5AFD58341D17CB56F7078D29DAF4 - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD75F48900A100A14CCC0B1339BC72E076 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3A824D4126C91BC8A95AAAD78DDF6F74 - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD8BB592CC16C8A3DE4528C5BDC868BC07 - -Count = 486 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD68C9FA23524A19E0AF3C0CFDD42AD55F - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD8FD89B4EE3B9E43836A5D5D9C9DEF155 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DDADDE711E91CE3350BBFF07E389778748 - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD9EEA5912006A50C932D058575C3B678A - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD785C54E92B1BE3E84C6BE43240A45AC6 - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD9ED70AA8B8C4D582B84A139BEACC6177 - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD0F52B6ED96D97D5A0421D3570EDC2E91 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DDFF5421C83B554A8A84E7B45FA6695AD3 - -Count = 494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD65F1A73BD68726E4651365854D6CFE61 - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD4FDCDFE6A6FCAEAAB050A2B921E148B9 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD357631F17DCF4C125D115868A8F0FEA9EF - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35C361768DD682FA9907B6F92860C33847 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD356F857DD2EEB4C7E53D640F108E0ABFEC - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35E168DC5A440A9DC21D52DCC1F1A2022F - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D7302D19AECC4FBAA40020F86E39F388 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35C231DBE101E98D3B70475A865E25CFBF - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD352721B85AA8B9955A0667C45A32E0CC35 - -Count = 503 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35FD913B6DF38DB1E3683584F6363F68F1 - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD352DFB75F00C0079C34F02846859C9BB1A - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3516A5398BE40151B6F917552A6C323505 - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35C6C04ED6239242989EB15BFFD0B2F803 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35EA51032708CBE7A533F5A8133B80B175 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3508855BDB48D026E9A772F928BA240763 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3530D91F0762134859715668AE6E1CF606 - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD354CE5731168A4409B803CC5A89315AE50 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD358F77D580B50633EEDF64962C373B23F0 - -Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3509063471A1D56513B6FF81EDD9373228 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3591C2DC0088458215501A1D11AE10EE56 - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3536662D214B996DBC5EBC27BD43BFA242 - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3528133D3F59E9635F67CAE6854E6D16D7 - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD357C2EE005AC5228AC19A1498098372572 - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3527202060EEB55CA94CC1E4570F90114A - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3594E93BC7EDE97A590E9D04D27AB465AC - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD356139620CD1E39AC0EF21D2498BDAC00F - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD355A5FC0893DF05F0602DE53591BC8CCDB - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35E6E4CB0E9608AD021408742B1AE4B1E3 - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35C43087E48ED9306FD45F2A7783ED92A6 - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35E4DE22C2A7A7C3E52868D54AAB14B124 - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD351F94A4749D0CA1E1155E8660F5721E3D - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD354F6498F5A151D40EF82A979991E79244 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35433B190C228DCB8853F16D88052B8703 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD354A8F62B3A786DF22B8CBC79C99602A0A - -Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD3583D7522371A71285B8061BDF7CD2E647 - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D179DBFF926A5A9358CADBCDEB9BF68826 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1525F88D07FA3AA9931573EA6B070DA97 - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D13628D7C6A36E5CB86BF7AFCD454B0388 - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1F81E0BD4141C128C97FAEBF88C32A52A - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D14EBDF2F1139B2081F543BAA67EB35A15 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1BF0E6A9BE00F34A2C829BA3CDD9F4380 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D157267ECDD2CB7735116989C103C96880 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1C505BF43066DDFCA20B57940F1A66994 - -Count = 537 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1D0AE25C47AB6DA2EC86EC0348FA7B518 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D14C727DDABB30D37D5C8CDD8ABAF23C42 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1DA2E76C40995B31DD1BCE6AEDD5AA62B - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D117D5F77BF780817B2F3E5CFDF3D829B7 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1ADD2E6374F545DDED587764656FFD6C5 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1FFC2EBDD4CB4A9AEB61A65E64E40C856 - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1A956A4FCAA749C607417844D556EA6B0 - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1B22C00D31482C34B61E1CE103EC276FE - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1BC1D03CD44D9E01E216894DA0839F508 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1FB49CE33ED2FC9EC261178FEA819794A - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D16D5FFB24FF5C6A7D4B6D667A5718B53D - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D19F2D5B7644D6D01BA99066A5E61A8B9F - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1E8D2906C227A118207B7C96D8251516F - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1197264729B0728BBD943105126884EC9 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D10DEE6AEA0208AA73B2B867097175C3A0 - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1DDEC83267D1651BDDC0597C7325E91F7 - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D11A9D7E0FFD55432C976F9FA90FBFCC23 - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1FF6CF68A82039CE4BD113731B3EC55BA - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1F4D97FB07BB061B954AEE2DA7458717B - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D13B543E600A82A64A805983622B4CFBF2 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1F217D5F963949A2C081D58052E9CD2CC - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1FA5BC67976D78F68FD3FE975A21E4017 - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1254B522E1874403EC9EAE2BCC04E3A8B - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1B4FCF80C6AED9384F56D5388D933CFBB - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D1AAC41F3A2C60DFE5C78C76EC40AED1A7 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E1EFE9123D180703C05B80C427FE6778F - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EB046DE9FF4E2563FEB1D9D37CC09F05B - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E38A5EDBBAF8FDDEEDBFA7BA75016F194 - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EE98F64C7DBDDF1BD8B9FD05DE0CA1BEC - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EF1ECA5802AAA5F9BB2A5335FC196C7CC - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E22AF64D7971DE4CD860EB3A49529C45A - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E3C021C6CA64129C84916175D83237E1E - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EC4475E89E879C1BD4C9E0BECEEC49D23 - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E793B0548A7F8287C9F364408FAD5A5ED - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E8EBC0EB92ED9B7E3228BCB029E00D401 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E326CDE536E9BA0E665D6B269BF081DB6 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E969FB495D0AAE2E38ECC22753E2F1AB4 - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EFB0CC00FE2A3144FE55BF72221586C9E - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EB838AB9CA3196EDE74A3FEBB61CE499E - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E3C72FACB2B77CFEE13F6AA579C5BCDCC - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E53BDA299C22DED08A8BA03926D657A38 - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E8C0A4AD9CC5A574F6B31498730100EEF - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E6F957D2FEF265026A03479D1AA9E1B59 - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18ED8AE14937E042D33529E91141F12CB5D - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E651AC35DA6D80A2265121A30D496EECF - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E7C90AC25EA8B25D6894EBBE12ADABEC5 - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E71C0ADAE91ED3FE1B42EB04A115BBA93 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E903300E36E61BA4B41338870AFE9069A - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EEE0C2B73595731E16E16D8B9BD23B910 - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E94A833B33C87296A82FF49589C4C7C6B - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EE42059ABE40C5F660D9DDF85EDBA83BD - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E6DF3C4BE67BCB2EBF5226795A167C0F0 - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E36C8DCAAD2B8E3D1855B7D5509BFB22C - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EC0DD0924E49BBFB63F2198DC136CD629 - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E31812F2448D88ACF040FCCBAEBB52A59 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E81AFC556A333D3787336062A4F75BCF4 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18EE9E630971DE7E456F6B351C89B4CEB2C - -Count = 594 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E0A90471D9B89107E7D3A7EDA5E9D131B - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41C554F3287CACFCABA1FB3A8655949655 - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4133231B39A72CFCC5EC5CF84675CC0D34 - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41E70E047D0873937278F23C94020F3104 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41AACE3EF3D7B84933ABBEE7AF85EE77AA - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E412C93628CF8D6DCFAA0193C27B83B130E - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4169DCFC275C0E810F4828E436C59A47DD - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4136BBBE4F332A2E38ED2CA42A901D2E76 - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E416018DA305FBDBC363E9199DB6FEE7941 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E414B995622A7028DE80ED1BF4291920D82 - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4130BB618D5C68EBF37B03C304D5A65801 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41AAE7DEDBB0DC441780D07A35E069FB09 - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E416C79A6039C7057726F1289CF8013F8BA - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41921FF698338EB9CA177DAFFF9803BA42 - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E413FD16EA7897B677760C8B0967E5B0CF9 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41211242E8549F08B35CB215605EE355D8 - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4158F7467531B50A0547AB748B484B0C30 - -Count = 611 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E411DE82CAE627F80E08FB7A8F69105ADE8 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4155292CE83DD84784B4B4940D0A7693D3 - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E411EEE777B1B060282A54644CECFCC4551 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4176FB040351F58C920998300EA14D5441 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418843F20FD7C96F35D850ED11E2ED97D2 - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4122591C78826A71873BEFEF0C985BAE60 - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E419CDEA8BCB0CB8A00A9E1B47EE35E07F8 - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41E879287C7885EF052B4BDA29C03CE07F - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41B94D0D1F94483BE31B4409F422D1666D - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41BBA8EC487062058E5B1680D6BC965B84 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41E9AB1DF23C0536A0CA6D53797D652EEB - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E413B30F1E00C1BB5A4786E5186C8E91686 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41CCC0407C6B25BDB98DCB9468507E38D7 - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41848DF51C131FCA521C12D03D343CF296 - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41E4844C06788C4B01CDD1BAEFD24C319A - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E414456D396D45C9F35641A2C14D6153A1D - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41DEC6C812B74CFC544FA6FC52369B0AB5 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180F634B267E6843918461E1887819EF5AE - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41807C122914126B9D4F79017B89EA8C990D - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41803A7090E68FA8E27BC6214FF5C6D5950D - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41809F7E16D76AD14BD3292B2E5C0D3405CC - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180F65BD32BF1BE9516632C2FEE99E253FE - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418045FD641487F7394CFD5EB8F639192476 - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41805CE90573CF0E9F34096D1AC5C615D45A - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180494814BE1907F557BE7A89B935CEFBFA - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180A0205029B1E06804784E4F30EA407853 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180F9C71C8DE721415B6443F66D749F3926 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41805193F71BA23926FEAEC5477DB3CFC70D - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180E815C0F306CFD3D9542100957DE89641 - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41806960AD209A9ECB4F320EA999B4FA7CAE - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180905149E9CB767A4F3078816BDED0957B - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41803DE65F55DF152E2743AB82EA7C9C4851 - -Count = 643 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180F43EAF171D6E29976BB30B099CE3DB49 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180A0DCC4D6E240CF1FACDCF953EF165D24 - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180E16D883081B0F425BDD41DC779B85973 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180FAAB3A293CE3ED5646FECAEFC8D1DADD - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41804A7391B628211A562EB77254C589FA1F - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E4180B6643C21D581C3C32769ECA357D11798 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418078F3995285FE8D52E3746BDCA6C4F5E0 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418056500A5DDD964645326899EEA6AD610A - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41800C5B76A98CAED735EAE4339CB5B4910B - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41804600F1966F3A893DE355092ECF66C00F - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418082B4906A72EE3E413F610D5BEFD0B4CC - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418006470CFE7E31D0D4D0B411B483CAF56D - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418062E1E0CDB7A05F118A8220DF09EB2859 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E418010A4B58ADD714BD9A2878DEB2ADA4520 - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41807DF38F67D4F25ED75C3BEA7A7A741B12 - -Count = 658 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41803A3CD12B3086EBF7F0B4E545732AF62A - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801C1742B703A9C0D43C075D2FBD8212CA - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41806321002FE4B19AFABEB064205DBF0F53 - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AEAFB9D9068CDBAB03780D9A7C065CCB2 - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A6858F54E41355024E1634012908612EA - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3FF9DE4AE7FB0A7FE9108391B2465862 - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A5C8DD64824BF860C9B4376B9A7D452A6 - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A9E1B529D33BEDCA46623F409529F4433 - -Count = 666 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A77AF9E8F46D6E4C3C6E653B9D5229E3B - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3666896D6D27493DC1E9AD8BF192B301 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A4BF6045D7F14D5F3BF76C30A49FC8C86 - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A977F84572EE09C9D258E1355566E9FB4 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8FEB0319D2D9F51461580885DD09A2D2 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A9519D462AF481328148B22E368DCB847 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A98A25BF407F0D40206AC2F986C749850 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A043E454714D5B4C05F590C73BD2F34B1 - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A1228079C41A762D46CADD5A0E2CBEF89 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A446D1D79E28D8BE94FFA54F2145C777D - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3ADC9BBE9A27D56F33E38757D5EB3A78 - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AC93CC620E0A216101094B85532A5C5BC - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3AF760A3CE2B2E580929C542CE0F0EF3 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A4236FD70702B2825796CE78B1E1A93BA - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A9A2C0416E39DA4EBCED04C2C9DC66A1E - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AD90947AC62E80429397393EC4F7A6ED1 - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A58999F1F16A045D081DD8C3F86CB2D98 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3B58A8AC45523BBEF4C26A2FF0EA373E - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AA18911250245CA9C46B99E3319FCEC85 - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A092F0D221802E7D23C8C4FC70FAB9747 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A0F0367592D19792D53D0D6DBC34A9B70 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AE526BC2E89FD54DE4B9C7C5AA756FCC1 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AF97F950C200A588C8A6D50654F86AA4C - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801AD4248376565387424853CC3B6AFA17F0 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A7E9155D02F147E598CF67692D6F1D8EE - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A452B23FCD5794188A7DEB7250C7C2C01 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A3ED0506A8DE8D156F987B507CD97BD91 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A36657E4B554463EF41605E68E1EDBEA5 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8136683EB7150EFA47682D4F7129A40D68 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81C35BC43F490CFDD1BA6B309FF2E258A9 - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A818F52D6F83C0E0EB65B55EF8BBA6F1E31 - -Count = 697 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8187AC2AED7D3528BC6447AFE4ECB0A9C1 - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8102C49F5C0D3CF9E33C1E18BB520FD722 - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8174AEE911918734B70D38E2A351F2AC67 - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A811D77D320267029FB5CD0E1D3ACD6FF36 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8192BC2734133B80523B21D9ACB72EDF9C - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81A37C15B1755956312176C87B9BAFAA7E - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8108984341196C1A42AD698FB606615F23 - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81867AB6AFF35FFA46CECE687D8D278352 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8174557F52EE27AA8A1E336ED230E3CC15 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8165BB3CAE14DF4B31B3E581B5D63C538C - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81463BAE27D5B82D9901E89F43BE76BBFA - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81D9BAC2568EFEEED95DFBBDE189D5DD2E - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81A2DAFC066199BFCDA84A18E748DEDA4D - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A810475C8C0F2F41F32CE2FFCD21198B2A8 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81C09A3B3A544FEA6127BF28D8FF5374A7 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81B8F3C6ECA4E6CBA88A94D583F050094F - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814552D4F57E19AB8B2D23AF57113484E1 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A811E89C402BE7A8763CF90E1E9BBE7C1E4 - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8168486FC8A04F23EFB41362DFA232DEA8 - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8114F25463C2B6F3CA0AEA1E788111A50F - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A818F3CBD29D12A05E89EF00F8B3C74C447 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81FDE966A0A0B8473BD01A52076685CCAB - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8189ABBEDAF2BB24D87850E13E205A969E - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A8179435BAB5D3D96E61F0B400DFE960B3E - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81BD3C8A205904042875A38C420F6AF64E - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A812B28A12A5C5E83C7838D682F9D398CDA - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81DE1ACB8B61993B4BB48DDAE3B4BD2EA4 - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81A24B6224D9F7A074C17A3C75E79B1B5D - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81160D4E2EC23E1EE4939AC0776C4F1331 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A81190F5EF6FDC2399F38F52232B9DE2B1C - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A623924DF0888AAE00C96DCE0C6F632ED - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A697A1125FB46C892860A4FC63668F4BF - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814ABF60AF4452CF744FC7D376735792D677 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A5DA25C2325A42911F12E0567B3A24DEB - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A44C033DC6FCA741433FADB5D39F81363 - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A24756C3BEEDD0A76CD1CA537CFB20CE9 - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A23AC43B7CFEEE8A4CAE7DBAC1B499FA2 - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A8420926506CE73281BF444DE0686903B - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814AF3E67633FD57FA8C29D3012751D673C2 - -Count = 736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A30B9700F912F34AD10FBDD0BA58CCDD8 - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814AAFB884972EC059D43801258A2598A6B6 - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A17289965CD8CC215446CF25931189C53 - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A4ECACFCA979F3F66401B5A2C4DB635C0 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A1E4AE9974422FAE1A4C5721863B1FA3C - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814AED2427A847B5FC8F199B36090FBB97AF - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814ACFAC9956B142C95596B605ED36573248 - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A7FA24C1F70CFC3368DF6D312B156047C - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A87E3D7F0001FE5758F5A48593BA14AA8 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A30EC6DCEF5B29BDB2B15C94B5235AF80 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A1A2421828A1DEA6B3CF790B33458100F - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A6AD69C1A3766D78126EA09EC83A33072 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814AA7C71A519939D64B01B5EEFA90A196B9 - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A6347F0F7850DC7FA7791DB6EE2F80A75 - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A475B4C3E94770C74A94738F27643D6F4 - -Count = 751 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A64461681038D876E0549EBFBE370709A - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A4FAEF88A99531CC4364843E543E33179 - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814ADC94C34230E843DDCF5E76CC37D63275 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2BC56141CE2D0A0790BB47603148F5AB - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A6C2AE7155C35FB192BCEA18E6203F6F7 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A10DD54ACFEB7E4E415C9CA211D02193B - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A8983900867316B71AD0F329317AB4EDC - -Count = 758 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A4A842F39D3F9FD95088E64B939AFF497 - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A07181DE5287482DCC039B8F3901B85AA - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29554614C4B0A261CED81A7A0B37324985 - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A298B992D890781169A35C88743C5C01FFE - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29AD63633956E5E34A60D0C31F82DDCDE9 - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2948A8486A1E9D97D1F6B2102EDF1A8803 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A299D76430FE2F2D92D0AB8F51A74CE4ED4 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29F54F740E9446DE7D445A2AD70B8E1DEA - -Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29E9415BD4FFDAFE57C72BB5C48D352233 - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29FE4FE0DB0BE5C4971C1A450996D414A2 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A295E8DBCD96D0F396C71AA09EA1F8D53D7 - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A293C3C04F09CB04CBC640FF49A5BBB5A9C - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29C0D346565C72898E9CB1F46C93D16C20 - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2946E3500BD4A77E3EFF16EFABD6CCA575 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2961F52A3F7FEAA0A8A17E86FB89CDF00D - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A290BEC1185B216482A9A6B957A65F7A484 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A297FBB17F7140952C5A9F6CDE61710AF1E - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29D86A562307D412740067397EA78043AC - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2913BF0521CC12562B554012B1BA29AED6 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29FEC88A473A016A9D7E38B596B29EA6F7 - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2924B5420C663091EAC540023B8E523DCC - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29961E743F609F441D02939B100A4C8C50 - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2982936683902838722BB798DF1A7252FB - -Count = 781 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29E38527720B6495FE32A18C151EF757A6 - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29DD5FBA58499800EA6C3DA864313F46E7 - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2952861AE07C09F2685A7285CAA977AB4C - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29EDC97D2803CEAE25EEB4596A55C323BF - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29F87EB80FDF2D29DAE45EF0E1C86CD4CD - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A2949EA61556ABBBC388A106DB8D4D7F9A4 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29320D6B2DE897D40EDEC22D672858AF42 - -Count = 788 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29F00A621F28839E4FEF6CE7E158E27746 - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A292754CC2B129E866289A271F7DC6ABF0C - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29CE7AECDAE92FC6B3925252488349E5AA - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29C7F911893DCEC6A31043BA6E5DB219D8 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A292C2E51B949F56CB2D5651CF5CF911FC5 - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A95B2B6A5E9F80CC3DFD5F723195C13D2C - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A97779C58004D67160006453F75354D09F - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A982FE7479B6074F4925A0462DDDCBC7B7 - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9FB3E9D4D4548FE700736918614BBDA26 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9A63ECB62BD6ED739D64F68AA160ADF89 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A988759BB3F97FAAD94F0BACE69A2758A8 - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A929F0DC426376D3B0BDFD902E5A4638E0 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A92A2A392FF85FC70CD9DC35E14138B384 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9B0052078C1D8403CC18BB0E41440D999 - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A90AA7507E6E12223770FE2ACB53C1D72F - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A97CBA25E8DEDAB272F3CF82DB3800507A - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A97D80067F36C114D44D307F54748F27E8 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A996374E2DDC7EDD12FE18A1C24B450306 - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9F7EDF747B1576D549A8B7C5DAE12405A - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9BA23DA5A375CAE4D7DADD0B9435DE601 - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99AC90D1208978C1F129CC9AD497AF885 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9FE95F843C0344705686B9A934E47A5F3 - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9300BB06D3A756568322D06B746BA14AA - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A937B891C4ADB74932118F52CF541C811E - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9D54479C9597691687CBB1006E055FDD2 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9A38656F0524795637B4CE8EA441F8503 - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A935976A21FF87B3A9A84D6EF904D0ABED - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9CD75680EEF0F95EB4F1B4DE962B69905 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9E78B6D3C0530411F2C7BB531A6161A55 - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9E10672D13A02B8142EF24DB86EE25632 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A93EFB1F1423D8ECD183AD79E3CFE11572 - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A95A86B7490865D98003428958B37CE6D7 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9F4FD80289823994FF9863DC576510866 - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99C2DEA77240638690515B6585B3C4634 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9B6EEA52A8A873C2A3580CA9D94B8DD0E - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9FB4689CCD2D98A2D501238FC6AEA5E74 - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A96E8C12784701A2D9CA1178E7892488DB - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A934CC80C9B29034A30AC7D768DBF58954 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999E22051013CF302E9A2857EBC42205F29 - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9994A3A8DCE0CEB748B0157858A8D09AB2F - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99982BCC857C4E773141C8D0CA2D958EADF - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991364CA654274BDC9A38FD15A6A4E4227 - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9998079ADCFCCF981842DD6A1CE243038CB - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99921A0D7BF9B3BB0656BE7390842698AC9 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99960285CF209349CAFBB74BA75AD894214 - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9999E366C9534024922B9C6AE92626FA33A - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999089C641E4779397CC9505E39D2D19611 - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999C8BD336D8FD32363EA2E45E2A0A471FD - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9997B2C0C61ED892EBD2059A1237DF50E83 - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999B72740F9AE4557E60192FDCEF9DED589 - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991C31F396F38185D7A54A194034DE9984 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9997514124C47D1CC1818561E270EF3FCBE - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999DE754B5DCECB0D9561D42F51CF4F4FA9 - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99981EA34F0302AE45A0BA6C7538490407D - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999C8B6C96FA75112D34FD48F4E995A0DBA - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99955B21F24C67640D63CB6C581301C8103 - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999DA7F24C4A043A3A8E92115FB8D00CC1D - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999D7215129C6EC900FF8445449D4E27264 - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99992F6B812D78886F96FCE165111479177 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999D6A45474346F5E4E372038AC40DCFCC4 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999A0FC0C85AEEC72A4A0073E12157B7778 - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99960449A12F5A771D60A43FC0BA84DA5B2 - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99940F83A57F877400ED8A551E305F032B4 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9999FAAFCB7369CDC9C108937D29DDCBDD5 - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999F4F7D304F10A03A648B777958977E473 - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999B3A0020C661989046FD898EB1A2D4463 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999472BFC98AB2DA31BF8D7BC8295906BF5 - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999BF02CDCC3C792C486074AE24CF2A83B0 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999917F8096575230F586D12A74FA34A73D - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99945560D2146AD54E1D402FAC347FA7D00 - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99976B095BBC5C6E33CC24076CA3EDCA399 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991049B1E8456F62DC0EEFE7E7812238FCCE - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991019BE6C90953BC7C4E087E60F31E89755 - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910DA79182AD345C410BDF54B408AA7E336 - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910891B2EBC8209926FA045703C027CA189 - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991025A68AEEC1239053F15B597983BEC285 - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999109E3890FF80127C8D5320AA073ADBFB26 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910184DADD5A0A129CD0D4A8B26FE7E6DD8 - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999105D7C7882F995C6086172DBC4E9DA016C - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102FC88D1F1301E21BB8CAED46B51B374D - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991055D0201EFEB2646E979AD4DFAF719FD1 - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999108C2D999991C0494C614936FBA393F49F - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910DBE3AF91876B3465F2F2825FD2467001 - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991070D59566EB24DDE17AD6323811B2C54D - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910069B58E3EFBC864C7ABE641DABDA2EC2 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910C581778A96663C1EDAA3FE1E6DB13BB3 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910924B703E5633C65C6CF3FF2631A37EDA - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910B814EBF68DE37BDA95CB179BD0912715 - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999109144602FC5CFBB9DB083B3A2C1689756 - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999100AEEC8D88E2A0EF3737D2B8637142C21 - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910190EE50ED99506CE8303B875AA52C5AE - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991099E45A8A83DCC8DE8F295648F2CDCD59 - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910286E7792949C674882B656D4467CB7EB - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910684B45ADB1D19C8784E1BEFAEBFC352D - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910EE58909F71449BD974F0E3C45FDC8F19 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910879A0E6D6402A197746F17A59ABB46BC - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910B9A8F5DD1777669267E2498D75FC188D - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910BEDB1410AE8A4CED499C2E9E930C9564 - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910AF1B6B34443C9C943E4B230FA7ADA5E2 - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999104AE5C3176C3CC34DEF5F5599C3AB0D37 - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999101F3FDFCA42DC51744628C22DE3F23F21 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910E01006F123DCE690E0E60CDAE5F72A79 - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999101961AC5828C4A7A47DC9E0C9A229F3B2 - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910B095EF33C3458301BFB1DD562E950646 - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102238294E0E1042B8B45937CFD49996CDE4 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222E76C65366CA7B4A51711E695A9E704F - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022516FE56312719D0DF55A357D2420D077 - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022374E71A936A3FE9674ADCB0BB010077A - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022C5C19CB3EADEC93D4FA4B8A3D0DE16D2 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102213DFE3DC6135C5F0F5C61D54840F8C2B - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022A0B9A8101F039195B25E3E48B10A8909 - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102224D6C528316E330EE55AD64E843D6893 - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022FA5D72D281C014F48C1BC1C92D84CCFE - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102215DB7D0C5A132FFCB4767F9D397FED02 - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022C9A5B9F848E350CBC2484541B463F4D7 - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910224326292FBB94B5E3F53D05EBEE789018 - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022D027C02B91496BE869B7D84309FB7C50 - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910224FF4E8D765C935F69DBD18A69FBEFE9D - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102212812B10B6346FBDE7B2AE0D06E0B8BF - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022D321ECFCB4BF81FA4FB23899D2BE8F68 - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022C049A5DC3323699911AF3A1620E52CFE - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102255F0AE85A6301A21236D0EE348A55DB9 - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222B05AEBA516990872D0F76D344252935 - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022CA138C6753D66A4E4F06661B1ABA04B3 - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102234D10EBED1C7DCE181C1DFB53670FCE6 - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022EF8E7E112381F1E6E9183F9761EE8414 - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022C9FB1AB8FD3B54863E2ACDBAF34FC9FB - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022DBFD68CEBE34D104CC9B251C4F515863 - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910227A78AEB1B5568551CAA37E465D5FB5CD - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222A65CBA4F81406E49F0B5358C9143B8F - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910221F4F917D7E313172C123820CF2243DB4 - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910225B37D3BACE78FB1D2E0B2FD25D7212A0 - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910228C70110138B430827A8235253B77B8A1 - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022013A5288ECAD36D45550EDB982C87536 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022141E32B3840A1A008A6B993F5C08185A - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910226B9633670B2A0BDDE7EB021C460265D5 - -Count = 924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022685ADA9630A026947752B66F6F9FABD1 - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022270DD14D3CC82DA59CEE6EE34CB515DF1D - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227CE89549DE0664A0EC7697051058C0FAE - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022274EA03F3621B913B3B61BE18B92402368 - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022275AFB0843FB657CFDF2A63840BA89D1BF - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022274C2F03EEEA791D3F9C0D14DF5AAAEAF3 - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227E460175FE80CF56864E1AD69F4027D67 - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227DFD712E48459F7D2768BD6CE62C99F0F - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022277CD043681FFAACE9E58B169E532E1C92 - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227540A847EEFD2BF47A624CF189714D4E1 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227F252D7F65260708A501700ED225BADDE - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227F1D80A5A9CC682FF44C9B353F77F3F37 - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022275FA277A41606D0ECB94715A775D15BED - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227862355DE5A2DB6D66319F0A5BB6360BE - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022274D94880A662D6B03CA0465C39F785644 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022277EE3731C877A61D12160394C38961E53 - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227030B7CBF61A7207CD71B62DCA07CA23F - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022273F04DED12D21685C94DD61F137C8BF74 - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227D13B1FBD0C8A703C256FC166565FE2F0 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227B2540B7E2FA6FD239E1177D5C2E0E982 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227F2174302E5BD10B9E72549F4984F2AB3 - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222710996CE902A0EF103972D1559422861D - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222788E81A066CB34D71E5702C16B12CB2C9 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227667DCD19BE1511E92922B76040E75F45 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A98691035B63BBFC0E80984CA3E81E62 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022274FBB1F3FD30815BCB56C0D3237E49632 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222772B322764A2DC06B3228B797C2006F9A - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022275E3CD7D3AD3E15F4FB4FEECD04E2E3E9 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227800F9F55396A3D59948359DBBD655430 - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A99910222749267F5CA16D2281CC5890E175E9247B - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A9991022271B988EBA575A2CE0402D5B9D603D2F6C - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227C183F113931C4718E085E8B3C62EB51D - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227F9D5B884E7A831DA770B4744B6281AF0 - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227C16E05A144321E3DBF1AB9CA9F0C68A2 - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4D4B9269507E3B5D30F8BC2D5AAC24B48 - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A467A4412844107F7C30E894E51E3CC45F - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A413BD8BA45E962AED3329A8E23DB8D2C2 - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A43C173CAC68507D4780B6B1AAEA272D28 - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4360D7B0011A9AFB21CC3C98790B429A7 - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48EB03BD7B6AD9263CACBC1C57C984AEF - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4757BCDCAAAF6875F1A6E56E3E8BF7CF5 - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4402657FD5065E6E4D8915EDB12D40688 - -Count = 966 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4F69C166AFE1B6439C47B2CCB5CFE7C56 - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4B231E7E6B49009CA29217DBE78FD28F9 - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A406B43EBC51E671C48823F9E369B0312F - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A40C3672136F6FFB4D338B7856CB86E552 - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48C2A179009A566E77AE65204DE00053C - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4C8DE9EA8DBD3FC35B654ABD1A9F7B270 - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4816073F3B7A0ED7F1272B2532E750A2F - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A42E00F837D1D0D73EB5015B0869449ED5 - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A42CC14A5E044E35A26F7EFF9836B0BE87 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4E991B90BE4ECCC89BAE4EA8759C47934 - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4CE8B45EA2A5A2EB0DF969CB89F76D428 - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A42EBC389E42DE379CC5C3F78CB6FB214D - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48E590478D06D516B99F06E6553662728 - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48347BC66BB35A2FAD75945CE8C582C9C - -Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4487463593C28A96B3A2B4C38FEFFF9B8 - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4B2657F94AD19E3DC7BEB29E5231B47F2 - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A41DA08B5EB3272C4EFED5014DC69D7031 - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4A2885D1CC7E435C369A58CC562A6B073 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A41646991BAD22A29AE2BE2811FA2AEE6E - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A456FCD79A51279C8088C70C0CA8126FA0 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A48C97BB093839B09B24B3616E1BE7057D - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4EDB67FAF0CC98C16194BA36B37E6797D - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4507D73942A13FF6223564276DA5A7E13 - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A400D59B691309C0F33D62BDFD7AAA4AD6 - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4DFD999E84D5D727A7A3FAF7A3FE480CB - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA26CBE60D9ECA2E5C14F92B18B5D86446 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA2FEB11DB5DF0AD14DE315D5E686A5394 - -Count = 993 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA630BD77581D8CA3012903246F70ED6CD - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA167F76B9945FC6629126CE226C5B0C93 - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAFE3B7B913CCE2EA764D9DDC4F9617CDD - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA219C295ABD2E06B7E317DB3CAF1C4A9F - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA0DA95776667E6B423951525BECFEE70E - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA51F1ED85333478A6E0F05B60795F47E9 - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA36A4E8ADEFFC076941B70E6396D9AC4B - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA83353324356277CEAF8410883BCE6B4F - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7DE3073CE78AC4A2B9F8036670F9D0C7 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA319F661C6F0B9E4D324C57C46AD20861 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA4591868FEBF6995256F3F6F0AE83FCBB - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA1A9B0EDC1206E663A6E9E4664579B5FE - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA90968FB0961EE1D5686A62F10C08455B - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAE7330C4BA5493FACE33B4106D5525410 - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA1738E48895F0AD587D79580DB5E7D6A5 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA03ECC4E949DC91DCEA9B04CBE28239A4 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAAB519F3FC8BB035214D538A557911DC7 - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAFE6A11F81938B771DC0010E77564C920 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA8C3B49D28386B24C2678E0268711EA0B - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA58DBC13B9C8C4525C1CCB63A21CC3833 - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AADD9E19FC9B3EEEFCCFCD81281A588436 - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA78D16D4ECA8EB9525EF6ECF50CB15D70 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA07C6ADEB4B91A61E2AF5C837AF0E92EB - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AAFCDB7B79CCA9DB3FEF7FDD8C2EDC8B42 - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA9C5E6E83D79744303CA297E65D83681C - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA49896CA5A4BFD68A3E45094CF622A647 - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AADD7797BE5EE43BB87715E6E28301470E - -Count = 1020 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA9CE503D75B0CFD71B3E4280B0C528002 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA5E951CDA367D47594827B0508196B981 - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA310319BA0A9521DE22BAE7C48357397C - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7F862A54E078CC3F14E2E49F2BE0FD45 - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747F5F4D884AF540717AFB426A465CE1C1 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74CC379E578FFEF4CDF0D787685FC10E0B - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA741E4F8726543D8557600697544D8AA9E2 - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74457E056E212D3FE2337F79DE65FD8E41 - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74BC44DA86870A772D2AEFEE629F37A1D8 - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74CD1FE3C34811CA6AE1C7A38A39582442 - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7481A91698D3A3DC4DD0452B61206643B8 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7442B371B0E595852C475156C20BE66320 - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74BDBB8041DD046593C3F18AB98F8CB8BA - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74449004907DDFB2AB27E4E1E271597453 - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74CBE763B3BDD64F4D961E23D11994C052 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74A10CDD0DC92A7FBC9C53B695A44BC2AB - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA742D343EBD7F099FC98E744144A18BC071 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74D57BEC5E2E141FC0C1062FA5A5048C71 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA742D19FBABBA1B245ACC6572975A6605F0 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA749E208FBAEE5AD2F458905AA73B2FE4EC - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74A817CFF08A4F353E67626E285502EAF6 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7489FF95D1D97159A435DEA52671C958AC - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7499AA343EEF3A10E7E750ED7DC7880767 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74C474E3484E3A8E0023819B2821FFB62B - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74C020AAAE6356FDCB80CB7C4B3DFE63EB - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA741AF7C83064A725B941FB3DED382D2687 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7433382637EEE4076233A09D321A8FA0A4 - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA744F4B7F635EF62D53CF115C4480A05962 - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7487A2B2CCF7A414B3474DE49F29F21E00 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74A3A3746FF7177B2C29475013C2D73834 - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA7423FC72C718BC524E35800740D3CDD72E - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74CFF58417451260847A2D955BE72D4F96 - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74B97D1AA4F9D18F754D09CF2E6336C49E - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74268D1F6D9ED4BA1456A3F9116490EA6D - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA745D3F5BDF438E226A32E40C28B7B67DE1 - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74870E0EB1EEA2D5F886DE88080BBE7073 - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA74C09C59C6B235DD0AA810DF6B252898A1 - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BF6920F9ACCA8AFA96D00D84E01734133 - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B6E71650336184E09683FBEC5C30B1398 - -Count = 1059 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B64FBCE52AAFEA8C99FC2606E9AD736A8 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BC81DD6B2E53A5F031CB4E64A8AAEE0C7 - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B28961CB421A62BF9C1B52404DEC42A36 - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BE130C0981B2DA2B6AFA41E9D284E0FCA - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B2304B4790296B1F65723C9024A91BE70 - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BBCC075425C6C89542584F613C9A18520 - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B06C0A931C933A274F312AD07B27AB5A4 - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B5F40233D3C419FB059A0859C8EF7C680 - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B44E331F68EFD6EB894752A4146A7DE80 - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B1158CF25EBFF90CF97995DF81E283D0A - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BC0C3D8519DA52BBC2B5CBD4796AFDDD6 - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B73ACC8A1EB9E9800112DD0463CB54009 - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B111E7AF8A5F611DEEDC675FF4E31FF88 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B54C5CD45AA5B97FC5D53676B83B07369 - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B572961901A91269791412B22F6A79C17 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BC459C64B48A11F7BCE42FF8679368C2A - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BA645B469D288F679FAAFAC729B82A22D - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BE8FED2DB12F0146CDF15C6E5D01A53E2 - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B3BA4FF69FC6478EBBA56F913FF6BE8B9 - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B8531FF47806B28001842829C2F5639BE - -Count = 1079 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B3A11D0E0DAB9E4A0DFA0A33EB224E111 - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BFE6DAD972933EB32F0B00AB76D4652EB - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BF74B4722E3F58712A192F335C67647E2 - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B0186729D5BFE475AD57C85C16CE6F5C8 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B199F4737FCB78EE24235FBAB3C94F307 - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BA2AA0710F654A79E7E7865D977E9A1D3 - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BF04F5C861DB963CF2CD057A71614BB6B - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B4EF91F9E7B03C35838C2742E04B2D074 - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747B1EED3A1CEDAC3BBD58BD95BE1FFD4CFE - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BA31E7A2651F8E0E07DEB160871A2E40D - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B8529BCE1B3F9D0DB7A9C8DD43DD35D18E41801A814A29A999102227A4AA747BA0FAC4D683F5B1CFBF3683112F3FCC1B - diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.c b/isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.h b/isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/api.h b/isap/Implementations/crypto_aead/isapa128v20/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/encrypt.c b/isap/Implementations/crypto_aead/isapa128v20/rhys/encrypt.c new file mode 100644 index 0000000..7b2bc3a --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "isap.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return isap_ascon_128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return isap_ascon_128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.c b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.c new file mode 100644 index 0000000..12a8ec6 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.c @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-ascon.h" + +void ascon_permute(ascon_state_t *state, uint8_t first_round) +{ + uint64_t t0, t1, t2, t3, t4; +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = be_load_word64(state->B); + uint64_t x1 = be_load_word64(state->B + 8); + uint64_t x2 = be_load_word64(state->B + 16); + uint64_t x3 = be_load_word64(state->B + 24); + uint64_t x4 = be_load_word64(state->B + 32); +#else + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; +#endif + while (first_round < 12) { + /* Add the round constant to the state */ + x2 ^= ((0x0F - first_round) << 4) | first_round; + + /* Substitution layer - apply the s-box using bit-slicing + * according to the algorithm recommended in the specification */ + x0 ^= x4; x4 ^= x3; x2 ^= x1; + t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4; + t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0; + x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; + x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2; + + /* Linear diffusion layer */ + x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0); + x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1); + x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2); + x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3); + x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4); + + /* Move onto the next round */ + ++first_round; + } +#if defined(LW_UTIL_LITTLE_ENDIAN) + be_store_word64(state->B, x0); + be_store_word64(state->B + 8, x1); + be_store_word64(state->B + 16, x2); + be_store_word64(state->B + 24, x3); + be_store_word64(state->B + 32, x4); +#else + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; +#endif +} diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.h b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.h new file mode 100644 index 0000000..d3fa3ca --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_ASCON_H +#define LW_INTERNAL_ASCON_H + +#include "internal-util.h" + +/** + * \file internal-ascon.h + * \brief Internal implementation of the ASCON permutation. + * + * References: http://competitions.cr.yp.to/round3/asconv12.pdf, + * http://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Structure of the internal state of the ASCON permutation. + */ +typedef union +{ + uint64_t S[5]; /**< Words of the state */ + uint8_t B[40]; /**< Bytes of the state */ + +} ascon_state_t; + +/** + * \brief Permutes the ASCON state. + * + * \param state The ASCON state to be permuted. + * \param first_round The first round (of 12) to be performed; 0, 4, or 6. + * + * The input and output \a state will be in big-endian byte order. + */ +void ascon_permute(ascon_state_t *state, uint8_t first_round); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-isap.h b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-isap.h new file mode 100644 index 0000000..ba99f2a --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-isap.h @@ -0,0 +1,249 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ISAP variant. + * + * ISAP_ALG_NAME Name of the ISAP algorithm; e.g. isap_keccak_128 + * ISAP_RATE Number of bytes in the rate for hashing and encryption. + * ISAP_sH Number of rounds for hashing. + * ISAP_sE Number of rounds for encryption. + * ISAP_sB Number of rounds for key bit absorption. + * ISAP_sK Number of rounds for keying. + * ISAP_STATE Type for the permuation state; e.g. ascon_state_t + * ISAP_PERMUTE(s,r) Permutes the state "s" with number of rounds "r". + */ +#if defined(ISAP_ALG_NAME) + +#define ISAP_CONCAT_INNER(name,suffix) name##suffix +#define ISAP_CONCAT(name,suffix) ISAP_CONCAT_INNER(name,suffix) + +/* IV string for initialising the associated data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_A) + [sizeof(ISAP_STATE) - ISAP_NONCE_SIZE] = { + 0x01, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/* IV string for authenticating associated data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA) + [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = { + 0x02, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/* IV string for encrypting payload data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE) + [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = { + 0x03, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/** + * \brief Re-keys the ISAP permutation state. + * + * \param state The permutation state to be re-keyed. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param iv Points to the initialization vector for this re-keying operation. + * \param data Points to the data to be absorbed to perform the re-keying. + * \param data_len Length of the data to be absorbed. + * + * The output key will be left in the leading bytes of \a state. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *iv, + const unsigned char *data, unsigned data_len) +{ + unsigned bit, num_bits; + + /* Initialize the state with the key and IV */ + memcpy(state->B, k, ISAP_KEY_SIZE); + memcpy(state->B + ISAP_KEY_SIZE, iv, sizeof(state->B) - ISAP_KEY_SIZE); + ISAP_PERMUTE(state, ISAP_sK); + + /* Absorb all of the bits of the data buffer one by one */ + num_bits = data_len * 8 - 1; + for (bit = 0; bit < num_bits; ++bit) { + state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80; + ISAP_PERMUTE(state, ISAP_sB); + } + state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80; + ISAP_PERMUTE(state, ISAP_sK); +} + +/** + * \brief Encrypts (or decrypts) a message payload with ISAP. + * + * \param state ISAP permutation state. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param npub Points to the 128-bit nonce for the ISAP cipher. + * \param c Buffer to receive the output ciphertext. + * \param m Buffer to receive the input plaintext. + * \param mlen Length of the input plaintext. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_encrypt) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub, + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Set up the re-keyed encryption key and nonce in the state */ + ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE), npub, ISAP_NONCE_SIZE); + memcpy(state->B + sizeof(ISAP_STATE) - ISAP_NONCE_SIZE, + npub, ISAP_NONCE_SIZE); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen >= ISAP_RATE) { + ISAP_PERMUTE(state, ISAP_sE); + lw_xor_block_2_src(c, state->B, m, ISAP_RATE); + c += ISAP_RATE; + m += ISAP_RATE; + mlen -= ISAP_RATE; + } + if (mlen > 0) { + ISAP_PERMUTE(state, ISAP_sE); + lw_xor_block_2_src(c, state->B, m, (unsigned)mlen); + } +} + +/** + * \brief Authenticates the associated data and ciphertext using ISAP. + * + * \param state ISAP permutation state. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param npub Points to the 128-bit nonce for the ISAP cipher. + * \param ad Buffer containing the associated data. + * \param adlen Length of the associated data. + * \param c Buffer containing the ciphertext. + * \param clen Length of the ciphertext. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_mac) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *c, unsigned long long clen, + unsigned char *tag) +{ + unsigned char preserve[sizeof(ISAP_STATE) - ISAP_TAG_SIZE]; + unsigned temp; + + /* Absorb the associated data */ + memcpy(state->B, npub, ISAP_NONCE_SIZE); + memcpy(state->B + ISAP_NONCE_SIZE, ISAP_CONCAT(ISAP_ALG_NAME,_IV_A), + sizeof(state->B) - ISAP_NONCE_SIZE); + ISAP_PERMUTE(state, ISAP_sH); + while (adlen >= ISAP_RATE) { + lw_xor_block(state->B, ad, ISAP_RATE); + ISAP_PERMUTE(state, ISAP_sH); + ad += ISAP_RATE; + adlen -= ISAP_RATE; + } + temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x80; /* padding */ + ISAP_PERMUTE(state, ISAP_sH); + state->B[sizeof(state->B) - 1] ^= 0x01; /* domain separation */ + + /* Absorb the ciphertext */ + while (clen >= ISAP_RATE) { + lw_xor_block(state->B, c, ISAP_RATE); + ISAP_PERMUTE(state, ISAP_sH); + c += ISAP_RATE; + clen -= ISAP_RATE; + } + temp = (unsigned)clen; + lw_xor_block(state->B, c, temp); + state->B[temp] ^= 0x80; /* padding */ + ISAP_PERMUTE(state, ISAP_sH); + + /* Re-key the state and generate the authentication tag */ + memcpy(tag, state->B, ISAP_TAG_SIZE); + memcpy(preserve, state->B + ISAP_TAG_SIZE, sizeof(preserve)); + ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA), tag, ISAP_TAG_SIZE); + memcpy(state->B + ISAP_TAG_SIZE, preserve, sizeof(preserve)); + ISAP_PERMUTE(state, ISAP_sH); + memcpy(tag, state->B, ISAP_TAG_SIZE); +} + +int ISAP_CONCAT(ISAP_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ISAP_STATE state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ISAP_TAG_SIZE; + + /* Encrypt the plaintext to produce the ciphertext */ + ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, c, m, mlen); + + /* Authenticate the associated data and ciphertext to generate the tag */ + ISAP_CONCAT(ISAP_ALG_NAME,_mac) + (&state, k, npub, ad, adlen, c, mlen, c + mlen); + return 0; +} + +int ISAP_CONCAT(ISAP_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ISAP_STATE state; + unsigned char tag[ISAP_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ISAP_TAG_SIZE) + return -1; + *mlen = clen - ISAP_TAG_SIZE; + + /* Authenticate the associated data and ciphertext to generate the tag */ + ISAP_CONCAT(ISAP_ALG_NAME,_mac)(&state, k, npub, ad, adlen, c, *mlen, tag); + + /* Decrypt the ciphertext to produce the plaintext */ + ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, m, c, *mlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, tag, c + *mlen, ISAP_TAG_SIZE); +} + +#endif /* ISAP_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ISAP algorithm */ +#undef ISAP_ALG_NAME +#undef ISAP_RATE +#undef ISAP_sH +#undef ISAP_sE +#undef ISAP_sB +#undef ISAP_sK +#undef ISAP_STATE +#undef ISAP_PERMUTE +#undef ISAP_CONCAT_INNER +#undef ISAP_CONCAT diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.c b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.c new file mode 100644 index 0000000..c3c4011 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.c @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-keccak.h" + +/* Faster method to compute ((x + y) % 5) that avoids the division */ +static unsigned char const addMod5Table[9] = { + 0, 1, 2, 3, 4, 0, 1, 2, 3 +}; +#define addMod5(x, y) (addMod5Table[(x) + (y)]) + +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +{ + static uint8_t const RC[18] = { + 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, + 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, + 0x02, 0x80 + }; + uint8_t B[5][5]; + uint8_t D; + unsigned round; + unsigned index, index2; + for (round = 18 - rounds; round < 18; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_8(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate4_8(state->A[0][3]); + B[2][0] = leftRotate1_8(state->A[0][1]); + B[3][0] = leftRotate3_8(state->A[0][4]); + B[4][0] = leftRotate6_8(state->A[0][2]); + B[0][1] = leftRotate4_8(state->A[1][1]); + B[1][1] = leftRotate4_8(state->A[1][4]); + B[2][1] = leftRotate6_8(state->A[1][2]); + B[3][1] = leftRotate4_8(state->A[1][0]); + B[4][1] = leftRotate7_8(state->A[1][3]); + B[0][2] = leftRotate3_8(state->A[2][2]); + B[1][2] = leftRotate3_8(state->A[2][0]); + B[2][2] = leftRotate1_8(state->A[2][3]); + B[3][2] = leftRotate2_8(state->A[2][1]); + B[4][2] = leftRotate7_8(state->A[2][4]); + B[0][3] = leftRotate5_8(state->A[3][3]); + B[1][3] = leftRotate5_8(state->A[3][1]); + B[2][3] = state->A[3][4]; + B[3][3] = leftRotate7_8(state->A[3][2]); + B[4][3] = leftRotate1_8(state->A[3][0]); + B[0][4] = leftRotate6_8(state->A[4][4]); + B[1][4] = leftRotate5_8(state->A[4][2]); + B[2][4] = leftRotate2_8(state->A[4][0]); + B[3][4] = state->A[4][3]; + B[4][4] = leftRotate2_8(state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define keccakp_400_permute_host keccakp_400_permute +#endif + +/* Keccak-p[400] that assumes that the input is already in host byte order */ +void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) +{ + static uint16_t const RC[20] = { + 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, + 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, + 0x8002, 0x0080, 0x800A, 0x000A + }; + uint16_t B[5][5]; + uint16_t D; + unsigned round; + unsigned index, index2; + for (round = 20 - rounds; round < 20; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_16(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate12_16(state->A[0][3]); + B[2][0] = leftRotate1_16 (state->A[0][1]); + B[3][0] = leftRotate11_16(state->A[0][4]); + B[4][0] = leftRotate14_16(state->A[0][2]); + B[0][1] = leftRotate12_16(state->A[1][1]); + B[1][1] = leftRotate4_16 (state->A[1][4]); + B[2][1] = leftRotate6_16 (state->A[1][2]); + B[3][1] = leftRotate4_16 (state->A[1][0]); + B[4][1] = leftRotate7_16 (state->A[1][3]); + B[0][2] = leftRotate11_16(state->A[2][2]); + B[1][2] = leftRotate3_16 (state->A[2][0]); + B[2][2] = leftRotate9_16 (state->A[2][3]); + B[3][2] = leftRotate10_16(state->A[2][1]); + B[4][2] = leftRotate7_16 (state->A[2][4]); + B[0][3] = leftRotate5_16 (state->A[3][3]); + B[1][3] = leftRotate13_16(state->A[3][1]); + B[2][3] = leftRotate8_16 (state->A[3][4]); + B[3][3] = leftRotate15_16(state->A[3][2]); + B[4][3] = leftRotate9_16 (state->A[3][0]); + B[0][4] = leftRotate14_16(state->A[4][4]); + B[1][4] = leftRotate13_16(state->A[4][2]); + B[2][4] = leftRotate2_16 (state->A[4][0]); + B[3][4] = leftRotate8_16 (state->A[4][3]); + B[4][4] = leftRotate2_16 (state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if !defined(LW_UTIL_LITTLE_ENDIAN) + +/** + * \brief Reverses the bytes in a Keccak-p[400] state. + * + * \param state The Keccak-p[400] state to apply byte-reversal to. + */ +static void keccakp_400_reverse_bytes(keccakp_400_state_t *state) +{ + unsigned index; + unsigned char temp1; + unsigned char temp2; + for (index = 0; index < 50; index += 2) { + temp1 = state->B[index]; + temp2 = state->B[index + 1]; + state->B[index] = temp2; + state->B[index + 1] = temp1; + } +} + +/* Keccak-p[400] that requires byte reversal on input and output */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) +{ + keccakp_400_reverse_bytes(state); + keccakp_400_permute_host(state, rounds); + keccakp_400_reverse_bytes(state); +} + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.h b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.h new file mode 100644 index 0000000..026da50 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KECCAK_H +#define LW_INTERNAL_KECCAK_H + +#include "internal-util.h" + +/** + * \file internal-keccak.h + * \brief Internal implementation of the Keccak-p permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for the Keccak-p[200] permutation. + */ +#define KECCAKP_200_STATE_SIZE 25 + +/** + * \brief Size of the state for the Keccak-p[400] permutation. + */ +#define KECCAKP_400_STATE_SIZE 50 + +/** + * \brief Structure of the internal state of the Keccak-p[200] permutation. + */ +typedef union +{ + uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ + uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ + +} keccakp_200_state_t; + +/** + * \brief Structure of the internal state of the Keccak-p[400] permutation. + */ +typedef union +{ + uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ + uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ + +} keccakp_400_state_t; + +/** + * \brief Permutes the Keccak-p[200] state. + * + * \param state The Keccak-p[200] state to be permuted. + * \param rounds The number of rounds to perform (up to 18). + */ +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); + +/** + * \brief Permutes the Keccak-p[400] state, which is assumed to be in + * little-endian byte order. + * + * \param state The Keccak-p[400] state to be permuted. + * \param rounds The number of rounds to perform (up to 20). + */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-util.h b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/isap.c b/isap/Implementations/crypto_aead/isapa128v20/rhys/isap.c new file mode 100644 index 0000000..26d50a3 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/isap.c @@ -0,0 +1,110 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "isap.h" +#include "internal-keccak.h" +#include "internal-ascon.h" +#include + +aead_cipher_t const isap_keccak_128a_cipher = { + "ISAP-K-128A", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_keccak_128a_aead_encrypt, + isap_keccak_128a_aead_decrypt +}; + +aead_cipher_t const isap_ascon_128a_cipher = { + "ISAP-A-128A", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_ascon_128a_aead_encrypt, + isap_ascon_128a_aead_decrypt +}; + +aead_cipher_t const isap_keccak_128_cipher = { + "ISAP-K-128", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_keccak_128_aead_encrypt, + isap_keccak_128_aead_decrypt +}; + +aead_cipher_t const isap_ascon_128_cipher = { + "ISAP-A-128", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_ascon_128_aead_encrypt, + isap_ascon_128_aead_decrypt +}; + +/* ISAP-K-128A */ +#define ISAP_ALG_NAME isap_keccak_128a +#define ISAP_RATE (144 / 8) +#define ISAP_sH 16 +#define ISAP_sE 8 +#define ISAP_sB 1 +#define ISAP_sK 8 +#define ISAP_STATE keccakp_400_state_t +#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r)) +#include "internal-isap.h" + +/* ISAP-A-128A */ +#define ISAP_ALG_NAME isap_ascon_128a +#define ISAP_RATE (64 / 8) +#define ISAP_sH 12 +#define ISAP_sE 6 +#define ISAP_sB 1 +#define ISAP_sK 12 +#define ISAP_STATE ascon_state_t +#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r)) +#include "internal-isap.h" + +/* ISAP-K-128 */ +#define ISAP_ALG_NAME isap_keccak_128 +#define ISAP_RATE (144 / 8) +#define ISAP_sH 20 +#define ISAP_sE 12 +#define ISAP_sB 12 +#define ISAP_sK 12 +#define ISAP_STATE keccakp_400_state_t +#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r)) +#include "internal-isap.h" + +/* ISAP-A-128 */ +#define ISAP_ALG_NAME isap_ascon_128 +#define ISAP_RATE (64 / 8) +#define ISAP_sH 12 +#define ISAP_sE 12 +#define ISAP_sB 12 +#define ISAP_sK 12 +#define ISAP_STATE ascon_state_t +#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r)) +#include "internal-isap.h" diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/isap.h b/isap/Implementations/crypto_aead/isapa128v20/rhys/isap.h new file mode 100644 index 0000000..ddf8203 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/isap.h @@ -0,0 +1,330 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ISAP_H +#define LWCRYPTO_ISAP_H + +#include "aead-common.h" + +/** + * \file isap.h + * \brief ISAP authenticated encryption algorithm. + * + * ISAP is a family of authenticated encryption algorithms that are built + * around the Keccak-p[400] or ASCON permutations. There are four algorithms + * in the family, each of which have a 128-bit key, a 128-bit nonce, and a + * 128-bit tag: + * + * \li ISAP-K-128A based around the Keccak-p[400] permutation with a + * reduced number of rounds. This is the primary member in the family. + * \li ISAP-A-128A based around the ASCON permutation with a reduced + * number of rounds. + * \li ISAP-K-128 based around the Keccak-p[400] permutation. + * \li ISAP-A-128 based around the ASCON permutation. + * + * ISAP is designed to provide some protection against adversaries + * using differential power analysis to determine the key. The + * downside is that key setup is very slow. + * + * References: https://isap.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all ISAP family members. + */ +#define ISAP_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all ISAP family members. + */ +#define ISAP_TAG_SIZE 16 + +/** + * \brief Size of the nonce for all ISAP family members. + */ +#define ISAP_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the ISAP-K-128A cipher. + */ +extern aead_cipher_t const isap_keccak_128a_cipher; + +/** + * \brief Meta-information block for the ISAP-A-128A cipher. + */ +extern aead_cipher_t const isap_ascon_128a_cipher; + +/** + * \brief Meta-information block for the ISAP-K-128 cipher. + */ +extern aead_cipher_t const isap_keccak_128_cipher; + +/** + * \brief Meta-information block for the ISAP-A-128 cipher. + */ +extern aead_cipher_t const isap_ascon_128_cipher; + +/** + * \brief Encrypts and authenticates a packet with ISAP-K-128A. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_keccak_128a_aead_decrypt() + */ +int isap_keccak_128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-K-128A. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_keccak_128a_aead_encrypt() + */ +int isap_keccak_128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-A-128A. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_ascon_128a_aead_decrypt() + */ +int isap_ascon_128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-A-128A. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_ascon_128a_aead_encrypt() + */ +int isap_ascon_128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-K-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_keccak_128_aead_decrypt() + */ +int isap_keccak_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-K-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_keccak_128_aead_encrypt() + */ +int isap_keccak_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-A-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_ascon_128_aead_decrypt() + */ +int isap_ascon_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-A-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_ascon_128_aead_encrypt() + */ +int isap_ascon_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/LWC_AEAD_KAT_128_128.txt b/isap/Implementations/crypto_aead/isapk128av20/LWC_AEAD_KAT_128_128.txt new file mode 100644 index 0000000..dfc83be --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/LWC_AEAD_KAT_128_128.txt @@ -0,0 +1,7623 @@ +Count = 1 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = +CT = 1AA1F2F89901A41B0664C695D4D7ABB9 + +Count = 2 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00 +CT = 33BF957B81B9CCA10D45F824D2019420 + +Count = 3 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001 +CT = 7DBF38E3AD657BFCC4B5E4BFCB66C81A + +Count = 4 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102 +CT = 0FA8F5A6B5C2958A6C242F195E4B275E + +Count = 5 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203 +CT = 728B741F8BE2162D1B5899785C643BA6 + +Count = 6 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304 +CT = 978FD728A6B79E2529FB31547D98380B + +Count = 7 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405 +CT = AD3C7CE2C9ECC55365C449A5D7EE46DB + +Count = 8 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506 +CT = BB5F5A12CDDECBD77748E6C5586937E7 + +Count = 9 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304050607 +CT = 9391826631608E74FD34A556637699D4 + +Count = 10 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708 +CT = 6D22C308533673998AC3929049703054 + +Count = 11 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506070809 +CT = 68E2ADE27131CAD8F31E5D922C509C6D + +Count = 12 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A +CT = 3030DBFFD44883B3176B4F433A63692B + +Count = 13 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B +CT = 14E1DB64845A71B78C98FEBA4A0F8913 + +Count = 14 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C +CT = 077FF023618FD972B879D77814272773 + +Count = 15 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D +CT = 0FB485D55B88DB7FFB271E2BAF1269C3 + +Count = 16 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E +CT = 794592DB42B63F861A6649C9E1772FAA + +Count = 17 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F +CT = 370C491560C55C81D60A38AB3F2D4DF4 + +Count = 18 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 11FFA8C94BA33BF3E9FEDF151EA52D98 + +Count = 19 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = CBB62B2387F24003C9194CDF7E8FA41B + +Count = 20 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 7D9C53BFC3CA9F657DFA40738625694C + +Count = 21 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = ACA43986E03D6B944C4646222F7F4FBF + +Count = 22 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = A3010DC6DB7692EAFF76CA25429AEBA7 + +Count = 23 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 3647C9919B63906F50B0081C41925BCF + +Count = 24 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 7F49019E04613C46F4B291902DEE113A + +Count = 25 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = F24B4CAE0EC3464B9C28768887A383CD + +Count = 26 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 5CF189D5570AE952540C7B6E50248948 + +Count = 27 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 72563A7102FA23D0342A44795C4AC9DD + +Count = 28 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 85E09B09FCA12DBF81F251AC7217E537 + +Count = 29 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = B872EBA11D77957723D9C1687080CC2A + +Count = 30 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 49CEFF4602FD916E8BA48B66FCE9AF7C + +Count = 31 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = FCCB4F587B48A99C2A8FAEC4F9D49566 + +Count = 32 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = A9230705B74ACB506B0C57EBFB71D4E5 + +Count = 33 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 34510D5032A4973EADF3EF3A8CBAB767 + +Count = 34 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = +CT = 0146D98980E2F815A5A5A43B48EABDF748 + +Count = 35 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00 +CT = 011B2A04399AAA12F0ADFD11E4378F11E4 + +Count = 36 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001 +CT = 01ED20FC4314FFAD81FB3683DBA553FFD6 + +Count = 37 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102 +CT = 01087B82D477F5ECCF88F710F71D79A701 + +Count = 38 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203 +CT = 01914DCF64871898CC6BCC4B5B43916A3E + +Count = 39 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304 +CT = 01EC3AE7A929CB2B55291BD307AAD8E692 + +Count = 40 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405 +CT = 01B74FDD289D23F813815C6B20174B9B20 + +Count = 41 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506 +CT = 0192B30CABBF52BFBC7B12EA8A184886CA + +Count = 42 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304050607 +CT = 01040C3C0F36E434ECC83B3B32FF9069EA + +Count = 43 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708 +CT = 0184742AA1A50ECA82439D530E8C5A84D8 + +Count = 44 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506070809 +CT = 0126E28612AB6CB8850035127EDCA7AD1D + +Count = 45 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A +CT = 012715C0F27990C30086DC28FC51BD5BC1 + +Count = 46 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B +CT = 017C07212CF75E81C3BF9E99059D43B7F7 + +Count = 47 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C +CT = 015AD1EB4B1524444A8FC0AF83AFA2ADE9 + +Count = 48 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D +CT = 01EBD673A8AFA761C80E0DE3B20567ED79 + +Count = 49 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E +CT = 0164D31ECD2960260D739AA3A3F788EF0C + +Count = 50 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01400D938DCEE581B618BBD32F97A1DA6D + +Count = 51 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 0141D5EF51E6281B8A738BBAFEFBF062B7 + +Count = 52 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01615C3E48CAF828F963D0852DE0293B1E + +Count = 53 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01D214F34271EB15D51B89EDF13FA9F842 + +Count = 54 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 017A7B708DAAC7471BDB88CECC4674AF08 + +Count = 55 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 0114D9BE9E7144E3067AEE72D7DEE8FD29 + +Count = 56 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 0184ECCD71F23559025802DFF9447757DE + +Count = 57 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01E027971AD2F6ADE026B37D1B0A6D28F9 + +Count = 58 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01DCAAC76CF3DE553C79CC113F859FACE8 + +Count = 59 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 016C4220BAB840347253FED1D19442F442 + +Count = 60 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 011D696B627BAB18C888A319FA5F122C86 + +Count = 61 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 0149242CFF481595C459F80BDFC4DB8496 + +Count = 62 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 013C2578D88EAF336284B513102BC0EE36 + +Count = 63 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 015132BC8250CEFAF8100FF316D6215625 + +Count = 64 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01B5587FE2E0CF843DC380F415E55806C6 + +Count = 65 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 019E4A84821B6073F1DD62C6C47977A6A3 + +Count = 66 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01AD82A30364463F0212B8798DD843995B + +Count = 67 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = +CT = 01BC75BE53579960EBB26373F3961E837231 + +Count = 68 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00 +CT = 01BC9A456AAB906F974AF1BFC60E92279F98 + +Count = 69 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001 +CT = 01BC19B59983D80688FB12CD3397B2DA281A + +Count = 70 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102 +CT = 01BC8E617D280CFCFCD4247F270351BD5E54 + +Count = 71 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203 +CT = 01BC6CAC51B0A1DB5C8A5574AE5359C8DF30 + +Count = 72 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304 +CT = 01BCE2E07026BA6713B594CCF9879BEB725E + +Count = 73 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405 +CT = 01BC90260A3FC1B48CEA3646343D6AE26EB7 + +Count = 74 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506 +CT = 01BC717AA4B1CE8191C283A7B7BAE2B7F532 + +Count = 75 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304050607 +CT = 01BCCB1492E74961EC684FACFF465D80FDEF + +Count = 76 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708 +CT = 01BC98100D0D8C303F18A0D5297EF3A120E6 + +Count = 77 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506070809 +CT = 01BC6EBAD333B65A59CAB5E480E7AB740466 + +Count = 78 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A +CT = 01BC59B4E6CCAE77E74E8AEF4AF7406B636D + +Count = 79 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B +CT = 01BC573AAA1D7710A6F9BD446EFF9662A2CF + +Count = 80 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C +CT = 01BCCFF0C9455B6162F6B80644F35E389346 + +Count = 81 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D +CT = 01BCFAD003D2AF7F95ABF3737572A106B3D2 + +Count = 82 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC2FD76C40D653CE8E700D3A90D0F91494 + +Count = 83 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BCD12633093ACA1BA3AFF9556AC724696F + +Count = 84 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC5C2E63E9B8EF34C5E6D03A02DB27342D + +Count = 85 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BCE39109B4F22AB07745B36F06C543C5FC + +Count = 86 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC8E2637CE1895E0278DBB35524B7F2EDD + +Count = 87 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC64006A329E176040B0F0AC2BA552F512 + +Count = 88 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC78850A17F17DCC6B906FFF8AB050585C + +Count = 89 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC6ABD510D81DFB8ABBE321D52D4740EED + +Count = 90 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BCD2984DE5E043587D2C3AEEC17D8CDA39 + +Count = 91 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BCC43A670C6AE4A31A53708E2222B777D8 + +Count = 92 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC045F1B91D7D10FCF1B0CAA56FB7EAF70 + +Count = 93 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC3BAB6EC47542AE9D25F95C5407120358 + +Count = 94 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC5134ED6BCD5D44FFFE14A1A4D136B98B + +Count = 95 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC55DDBB428E00FB57DE67738638E9C6B7 + +Count = 96 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BCDA01A655F7558F43D146B0479E0809F5 + +Count = 97 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC6510494E43C317CBCACF78A08487C539 + +Count = 98 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC32914FABD18DCE06945A8B7D6D7F8585 + +Count = 99 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BCB404118EE8EBA405416A8FA8B779E2FB + +Count = 100 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = +CT = 01BC9C10ACEC5F3210CDEFD44775AEE022A560 + +Count = 101 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00 +CT = 01BC9CAC9BD0C98B8371765E08DD8E595003F0 + +Count = 102 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001 +CT = 01BC9C01314CC353E5495662480FAA9B052720 + +Count = 103 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102 +CT = 01BC9C8E76567162C7802EF1B5222BC375B3B7 + +Count = 104 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203 +CT = 01BC9CACE42F3382D4C2E4DEB7CB47AA74DCCD + +Count = 105 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304 +CT = 01BC9C3DE4EA47DE4A0CB3DC50A77E4C858D63 + +Count = 106 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405 +CT = 01BC9CECDD7B0AEDE5CE7B79135F3F737B4D3C + +Count = 107 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506 +CT = 01BC9C8F056442F5359B21E1530F84B4F6ABDE + +Count = 108 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304050607 +CT = 01BC9C39E3CC81C8203F5B7A37DACC70B70666 + +Count = 109 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708 +CT = 01BC9C7E967532DD3390E7EF3D23B231C42523 + +Count = 110 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506070809 +CT = 01BC9CBED0D77A5E43449BE46BE5BC3967A47A + +Count = 111 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A +CT = 01BC9C7B66A8FB835EF10268DA851CF34BEE3A + +Count = 112 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B +CT = 01BC9CA8F26BBAB072C97EEB590A62767BB55F + +Count = 113 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C +CT = 01BC9CEBE33CA1F8490F7E975A5BE191107F24 + +Count = 114 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D +CT = 01BC9C247801ED09633FDD2160FAC22DE7542A + +Count = 115 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CBC2F449431E0ADD78C60348D6448746D + +Count = 116 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CB56D86BB002987742C1690EB97833732 + +Count = 117 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9C0833D570B06C261E99E7FA9FF71B04A7 + +Count = 118 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9C3DF51B9D425914EB3670569EA424F831 + +Count = 119 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CE61C126855B7853534019C90019555E0 + +Count = 120 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CF66BCCD3299174FAC0E0068AAA10318B + +Count = 121 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9C4E2E2E4F3F03FCEDC0B2A1120548AC04 + +Count = 122 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB2148D017EC5ED8B2B29ED4E8ACE574 + +Count = 123 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9C3552DE082F162FB30009AC3B4F4E0577 + +Count = 124 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CED89B3D0F1168775FA5BC8E605F6D0F9 + +Count = 125 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CB94AA5DC73DFD982FCB2665AB4E51E12 + +Count = 126 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CBE96D880FC42F5FB52B9B44E1806AD81 + +Count = 127 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CFBDB67E611A8D5DF5A1E61262DB2513D + +Count = 128 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9C711BE36671B8E5E18A80F546371A0967 + +Count = 129 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9C9FE9A2373FC7C8F4F0E874F4016CFE66 + +Count = 130 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CC236DAC483C6A297471EAF07AA9B4DD7 + +Count = 131 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CBA24870080A9FE310BFDFFC5CD3FB471 + +Count = 132 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CC18EC19D187B658BB80C53F2D18055EC + +Count = 133 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = +CT = 01BC9CCB013C8AC7E5D6811A50B3DAED4861DBDC + +Count = 134 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00 +CT = 01BC9CCB1109A8FFE94935F0430E3D1C8B4DCE29 + +Count = 135 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001 +CT = 01BC9CCBF2B3E13EF07356A44AEC634D7C058121 + +Count = 136 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102 +CT = 01BC9CCB4DA500F17E7DE92D2E465C30E94A17B9 + +Count = 137 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203 +CT = 01BC9CCB133FC82A23D70294C0CEEB65635CCE7F + +Count = 138 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304 +CT = 01BC9CCB50635A27E38CD933DC3A6A6A66EC934B + +Count = 139 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405 +CT = 01BC9CCBE6933233E0A3FA7CD84F6019BE7FAF72 + +Count = 140 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506 +CT = 01BC9CCB26943586B4BD949B63D05DD51C051FB7 + +Count = 141 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304050607 +CT = 01BC9CCB704B9BFA1E0CF95422E3E55DB05956D0 + +Count = 142 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708 +CT = 01BC9CCB478C78C1AED4C2F0CD2831E4E58060E8 + +Count = 143 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506070809 +CT = 01BC9CCB4CACCAD1F1948B3292681044099DEC52 + +Count = 144 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A +CT = 01BC9CCB092F4E12278DD4ED184D60B088B51D2F + +Count = 145 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B +CT = 01BC9CCB869A1BD2A733FC7000C90F1DABDA8A9A + +Count = 146 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C +CT = 01BC9CCBD594015C338FA6D6E6796D862DDBE7ED + +Count = 147 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB06EC8B81B675AB2527925BB3EAF5A949 + +Count = 148 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB5D64F608C8C016237ECEAAB8C4B57E86 + +Count = 149 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB96A4DDC8560C6F96349273E17E01C202 + +Count = 150 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB9FC073A47C7F2C7A8537DC9FCF47FF5B + +Count = 151 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB91BF949A718FE019879AFF7F151FCE5C + +Count = 152 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCBF665AC6B947812240AF424667C8F7BF1 + +Count = 153 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB36C40D7E6B65045946ADEC83F7A7D77C + +Count = 154 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCBC0CDD3A8D0160A7D9D6323E67DA5C068 + +Count = 155 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB74AD3D169F85C89D84122DEC94221D6B + +Count = 156 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB477927EE080D8EBF91F316F0A98FFB15 + +Count = 157 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB73E71CB89E2A701201BD567458FDCD62 + +Count = 158 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCBE65DE68C795821404C1213640E0CEABD + +Count = 159 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB305E37C1A1D4729AFC9A5E49C6C819B2 + +Count = 160 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB3724FB2EBED02B4852869D4F420E2F62 + +Count = 161 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCBC209BC2F0426414786E96615DA8EBAF1 + +Count = 162 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCBFD1B1C3DFF4A3600F7440522A9576751 + +Count = 163 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB3F9628672F618C7E22327BCBFBABE94D + +Count = 164 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB55AA16E34C0BFB3409E93B7A50DD921C + +Count = 165 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCBABE848B9367445AD040B8DF9FBAC4810 + +Count = 166 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = +CT = 01BC9CCB183C28CA07B118875A1F9CFAFC096AA900 + +Count = 167 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00 +CT = 01BC9CCB18A58F638EA6E7B94CB84A84C2E6B51223 + +Count = 168 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001 +CT = 01BC9CCB1841EB7CAE126B909704080326076A9F66 + +Count = 169 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102 +CT = 01BC9CCB1865FF19F417F3762A1369223F7CBD0FA0 + +Count = 170 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203 +CT = 01BC9CCB189AABC743304F4E2F18DDA29209151C7F + +Count = 171 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304 +CT = 01BC9CCB18D222B67E7288FF85F48067D611A7E715 + +Count = 172 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405 +CT = 01BC9CCB1830A457922E83A2BDE361F9CCF8A1115A + +Count = 173 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506 +CT = 01BC9CCB183845AA10C6CD1960FAB97A1D874CAC61 + +Count = 174 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304050607 +CT = 01BC9CCB1862F14000982FAC21A150E39C90BBD48D + +Count = 175 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708 +CT = 01BC9CCB1845E45B4234DA8D212D996161DAC75EFC + +Count = 176 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506070809 +CT = 01BC9CCB186D2F387C7B1C04E7890C7F9D01789B9F + +Count = 177 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A +CT = 01BC9CCB18841D9B626BC3609CF49218E7ABEA183C + +Count = 178 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B +CT = 01BC9CCB186B7C971493166FE259BFF87A1B0A04F9 + +Count = 179 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB18D5986496F6EE96278920B4AB3EC01AD4 + +Count = 180 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB187FA7CE2E16E99262FBCF394CEA28F48E + +Count = 181 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB18937615B6AA50590E6FB28C58605BD3B0 + +Count = 182 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB18288D9A3105449AA271BA30EF33AFCE2F + +Count = 183 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB18BF1524848C42249DDD04B0387F643EC1 + +Count = 184 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB183843D791ECC36FFB12D5DB685BE55EC6 + +Count = 185 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB185441F4D340C0AAFB1A0F97AD030312F3 + +Count = 186 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186A97EAA3E98C0DF4FA9CF690408B2C9D + +Count = 187 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB181D233C88DDF4F6FE508D5C674E522CE2 + +Count = 188 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB18470425F96A63B02273775635110CEEB7 + +Count = 189 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB18EC40A1979B223D26F135B4B176E71DDD + +Count = 190 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB18EE6FA7A8332D7D3A3D7A74161D9D3778 + +Count = 191 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB1827ECC9A1DAF719E754307965B6CBBC32 + +Count = 192 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB18ABB0DD687419A7A20CA81948609F11A8 + +Count = 193 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB180C9F10B6E5D8EFE6D8AB33870FC89593 + +Count = 194 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB182329D3B384EBD4DBE56C52D0352B7866 + +Count = 195 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB180E5795BF39C7F50014025C34FAE78FC3 + +Count = 196 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB18E85B966BE16CF79AA2FCBC22E55780DA + +Count = 197 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186AFB196A254D2DC1693C44A342E19BB3 + +Count = 198 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB189594C2C6C1542C0B97DDD00CCC40881B + +Count = 199 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = +CT = 01BC9CCB186E5DD3A7A138CB4ED6F3034CF84B99CAC2 + +Count = 200 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00 +CT = 01BC9CCB186EB94C9F4AFEC39CDF104F18B8479281A6 + +Count = 201 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001 +CT = 01BC9CCB186E126A08CD395EC2E24057C9CC71183E04 + +Count = 202 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102 +CT = 01BC9CCB186E8655B460C92E8AD37395945899065797 + +Count = 203 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203 +CT = 01BC9CCB186E2D6F4C4C1B16A3F57B8F7CA9BB040A04 + +Count = 204 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304 +CT = 01BC9CCB186E616F78995B7BE336B03F71B222671F6A + +Count = 205 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405 +CT = 01BC9CCB186ECD4C0A88476854F72323394D4727DAB1 + +Count = 206 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506 +CT = 01BC9CCB186E62E5A0A80F46B15C4C25B160EF6BDE34 + +Count = 207 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304050607 +CT = 01BC9CCB186E05B6079C416B1DE6B1A24C020FD83398 + +Count = 208 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708 +CT = 01BC9CCB186EEEA92856B6C2BB9A2F98AF4120B45EFA + +Count = 209 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506070809 +CT = 01BC9CCB186E4D9D762CAE58DDAD4BAC6B1644E2C462 + +Count = 210 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A +CT = 01BC9CCB186E0B4351A35128568694DCB61CDBB56ED6 + +Count = 211 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B +CT = 01BC9CCB186EE1BFC31B5974E1B304AD69CEADA9CA64 + +Count = 212 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186EE8A4C111A29729D551A306283F5BAFA5 + +Count = 213 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4D7EC16DBB23B9EFE4FCB732E59C8732 + +Count = 214 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E9644D90E649135885D85985B31543236 + +Count = 215 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186EE40804022E38D5B83C1BCF370768922A + +Count = 216 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E8BC1E94575DEDCF88D0809C90E9DFCA7 + +Count = 217 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186ECE5282BFFB6F976F454A298BF21E0116 + +Count = 218 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186EABE57562D2B1F779CF080A1A5A0BF58C + +Count = 219 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186EF22D41563B743330BB9A9A57C1F77DBD + +Count = 220 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E2B5A6F04358F29C1FAE429B5BCD9B0ED + +Count = 221 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E3670D9042251B0219C36576FAB197D1E + +Count = 222 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E6B86E82FD2ED4BA3D11440519261671C + +Count = 223 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E6FE337ABA790171E49AB726D38C09F14 + +Count = 224 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E37EEA43B38BD66339D9C7414FCBD6A33 + +Count = 225 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186EDE3215E66DEC730CE3BBD1F163391D15 + +Count = 226 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E2FC276150960B007BF688CB96B0D900E + +Count = 227 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186ED10EBBBDA48B231B0268B07CB034CAC9 + +Count = 228 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E0C848B83A244C6A5990B06BD896AF178 + +Count = 229 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E5436593B911780BE482A70097547AFF8 + +Count = 230 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186EF81AD592A7E94D7D34831B6799F05521 + +Count = 231 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E0F0802311836DF830405E16AB512144F + +Count = 232 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = +CT = 01BC9CCB186E4A23B27355859C77129EBDF5492FED5464 + +Count = 233 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00 +CT = 01BC9CCB186E4A3EE953E108F29E757CA842A1A381AE8E + +Count = 234 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001 +CT = 01BC9CCB186E4A45F78E67D2CD7A910A2FF142ECB05769 + +Count = 235 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102 +CT = 01BC9CCB186E4AF3EA59CA6DE0A734B97191E8E3220892 + +Count = 236 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203 +CT = 01BC9CCB186E4A7466C4372D56169BA3500B415055A4F4 + +Count = 237 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304 +CT = 01BC9CCB186E4A2F28F57957F6A357795617B3A5BFC60E + +Count = 238 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405 +CT = 01BC9CCB186E4AE1A4315B8AE4C8F53F234252D642B8ED + +Count = 239 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506 +CT = 01BC9CCB186E4A7EB4AE74E0E17542D3BB80BB724379E6 + +Count = 240 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304050607 +CT = 01BC9CCB186E4AF8B465180BF4C239AAB4E01EAEE4E27D + +Count = 241 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708 +CT = 01BC9CCB186E4A83B3A643D39D1A41F8ACEAABAC507DEA + +Count = 242 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506070809 +CT = 01BC9CCB186E4AD26D97C172D7D4BF0E8A5122A19EF1AE + +Count = 243 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A6AC4F057591D348B6A9E0B2D3B82BBA2 + +Count = 244 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A46B952F1D262795C482BCB6FBD17E961 + +Count = 245 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A5137D743BB6D08A6B02ABB3CABE784FC + +Count = 246 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A1BA882656B2F4BED8A347D817DD366CF + +Count = 247 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A75D9E07F5981394E0210A318F4998927 + +Count = 248 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A67F940DA825B4A0401FD76FFDA3B9BE8 + +Count = 249 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A524D2038FCC356C9D65F8C07339D72A0 + +Count = 250 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A0BF44E8AB34FC634E505CBC898346330 + +Count = 251 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4AFADF774CFC4643C3D66C542206792EF3 + +Count = 252 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A25E0DEA73CF4B74D473FC3E501A2BC86 + +Count = 253 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4AAA54DD27D71C651CE9B07E245ABC0781 + +Count = 254 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4ADD87007AD9DDA93052E7A734DDE28ABE + +Count = 255 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A9D4D3D6A30DF8A48A53F9C81A2BD97BF + +Count = 256 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4AD98FB2E8394C540EA569EAB82788CB39 + +Count = 257 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4AF65B50208263699932B33A2981CED102 + +Count = 258 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4AC77B65D67BB54E69AB09BB2373D80C2F + +Count = 259 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A2B75EE548CFCA2B48BA9DF6D8A45F30A + +Count = 260 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A620A6353C05A821875C09337961AA0D2 + +Count = 261 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4AB2E76BEFCC96838E8749B2E30C43DE8F + +Count = 262 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A80D262BEAB22929B798773CDECC64511 + +Count = 263 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A1985BF9EB0CADEB66A44A061D6C1DA29 + +Count = 264 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4AE4706BD494725B172D0B673F09B0FDF0 + +Count = 265 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = +CT = 01BC9CCB186E4A3787E19BC739E3B5972E7EFB07331CD1AC + +Count = 266 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00 +CT = 01BC9CCB186E4A37A1A65CECD6D76C170555E90C4D34E74A + +Count = 267 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001 +CT = 01BC9CCB186E4A373EDFE88E791A64808D76592D66D4A697 + +Count = 268 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102 +CT = 01BC9CCB186E4A37585B80C4A6401179879C2451C992B8C3 + +Count = 269 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203 +CT = 01BC9CCB186E4A37E7DA775540A818D234263CEE7B003E09 + +Count = 270 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304 +CT = 01BC9CCB186E4A374F323E8D5074EEB7A69DBD26C2672794 + +Count = 271 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405 +CT = 01BC9CCB186E4A37FBE4172B33BA8D9F4C0A5E8457C910B2 + +Count = 272 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506 +CT = 01BC9CCB186E4A375F81F79F5DCE57B07EC93AD0DF8FA32E + +Count = 273 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304050607 +CT = 01BC9CCB186E4A37F5169EE58ECB4ECC836495B6B3893ADD + +Count = 274 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708 +CT = 01BC9CCB186E4A379D910AD3EA6B318AD8D4071A11D3DE63 + +Count = 275 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3783B07084B196A2BFB9AFBA0B41522B6D + +Count = 276 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A37C701C0212E819FD7C46ABA4748FEB41F + +Count = 277 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A37D0C7DEDE32ED270AB32508F0D3FBBBA7 + +Count = 278 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3773A2C578F52392096F790E162D283B20 + +Count = 279 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A37CC5C747C2241D634EE26D6D8B88B4C05 + +Count = 280 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A37BF6320EFE703CC9369084939BC792952 + +Count = 281 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A37900805BF323C091480792E9FD86AB2B7 + +Count = 282 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3748753E1062F481509DB7D287DCF2B491 + +Count = 283 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3730EBA5BE9740949691C7E471CD871A72 + +Count = 284 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A373FD24B7D6B32E0B63C0207F36ACDC9CF + +Count = 285 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A37038088125D3365CE302FE6F59954A8ED + +Count = 286 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A372BFA498F3B76882B837647E4BF62D3FA + +Count = 287 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A37D8ABE960B0E2D3237CAC93E9F1605FDC + +Count = 288 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3765D03D41563C550C843972BF00190B00 + +Count = 289 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A379EC5880A524B50C06CE24DA51CAF28F2 + +Count = 290 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A378AD99F612C8502DE8780A0114E1B8A98 + +Count = 291 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3756070CC14A381E8A7A259F8A6FC2E270 + +Count = 292 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A37F4A1E34108A9314ADAA96D02C8E5562E + +Count = 293 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A372D0B0D282D6CF14C41AD0006442EC146 + +Count = 294 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A379904648B977311E6F8D7433E8EA72653 + +Count = 295 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A37B224710D15A1731A28CFE20329B16F16 + +Count = 296 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3794425279421D941CB9E30771378F0106 + +Count = 297 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A37C50A71B05CE3E6BF50B1A7D2DD4841E9 + +Count = 298 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = +CT = 01BC9CCB186E4A37324638F43CB514289D09F43A8944AEEFA6 + +Count = 299 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00 +CT = 01BC9CCB186E4A3732BF8136E8AECE10E569C6A3BADFA78140 + +Count = 300 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001 +CT = 01BC9CCB186E4A37320B46CCBE6352685626854874453C3540 + +Count = 301 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102 +CT = 01BC9CCB186E4A3732753CBE7F87194673042091EAC51B58EA + +Count = 302 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203 +CT = 01BC9CCB186E4A3732A5CA165B73D5F1F6C0B5013C29D967D6 + +Count = 303 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E8CA3C4BF76943DD7E7CDDFACFC7AE64 + +Count = 304 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405 +CT = 01BC9CCB186E4A37320A35382F317C3B081A2DF68199D2587E + +Count = 305 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506 +CT = 01BC9CCB186E4A37325987CB69FAAAEC8F2E145783D6EA0D77 + +Count = 306 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732008F1CD49876AE1F03AC99CFE1C7AABA + +Count = 307 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732DA8A4D4B391F527E80A32B76FFD16E78 + +Count = 308 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732AEA90E523BD34A79135B8711A653706B + +Count = 309 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A373201E99DF91985F719F49919A90404A3A5 + +Count = 310 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732EB5FE37039C6D0293FFB9313A458A901 + +Count = 311 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732CBCED3A94A526A17A77204FBE19C990D + +Count = 312 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A373222B2D21958E98200B78031070D7D8C75 + +Count = 313 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A373293A80A0C96C30DB2D5F05063EE8AD71C + +Count = 314 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A373263C9ADD3C13E854A81393B876FAACA00 + +Count = 315 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732BB52EC03E591BD9EFD079BC60C845C8E + +Count = 316 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A373205E587F1EBD227D4A85FDFCBEC24E703 + +Count = 317 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732B5AAEFF6738DF7343BE90E39D3347817 + +Count = 318 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732F7A17F79DE19FAD7C8224FF6B5F768C2 + +Count = 319 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E23AA2CA3364533808FCE50FB78F73B0 + +Count = 320 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732023F88339D5CC69E319478D475F2FAE2 + +Count = 321 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A37320325E897991CB05B2DB00BD1422A3855 + +Count = 322 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732C4719E95DC9C20815EBD5F05DFCD3284 + +Count = 323 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732EE45407E6AA471C77B9757D39DFAB846 + +Count = 324 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A37325BAA4DBC616C4B7370F71F04614E71FA + +Count = 325 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A373206F7E6505F68F59EF4EA0551811B996D + +Count = 326 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A37324B1AE7ED4ED26211042BD12357014693 + +Count = 327 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732F25A7BD930CB89492F5F0CD1C31938A6 + +Count = 328 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732255726E99D454D61886A772040D7C0B4 + +Count = 329 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732CCBA9458FBFFB35F77AFB356A92AFA31 + +Count = 330 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E4195315441095BE5FFE63718B959978 + +Count = 331 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = +CT = 01BC9CCB186E4A3732E81673F1A1566A31A2BB3B1CC24287321D + +Count = 332 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00 +CT = 01BC9CCB186E4A3732E87E5D45AEBED3C551BC9F9793C5DE0572 + +Count = 333 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001 +CT = 01BC9CCB186E4A3732E81A96AFB2DDD53CB41395D2BE7C36912E + +Count = 334 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102 +CT = 01BC9CCB186E4A3732E8926BF51CE1BAEB5B45E39123BF43A527 + +Count = 335 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203 +CT = 01BC9CCB186E4A3732E8760726D4B9AE36E38E7D32DF07AFFE10 + +Count = 336 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E8A8D0E427508CC0D8858FF71EDE4282FD + +Count = 337 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E8C12BB5AFBCF6052F6D164289B1E2848A + +Count = 338 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E8ADA8BE2C72529727B47299BF843CADF4 + +Count = 339 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E8218941B627A6629E17CE0F946C876DB7 + +Count = 340 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E85411EF48A8A6CED9283A25D29DFD169E + +Count = 341 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E85867168BDD2070BA7C4BD848AEB38B0C + +Count = 342 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E87012A9924131E278F8727D4CECBB0240 + +Count = 343 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E882A6289F21A69007093B73D7E91C7344 + +Count = 344 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E85260E1BCD62D08EA9498DA384AF9174A + +Count = 345 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E82312F8007743CBC3592EF53E51CF3D49 + +Count = 346 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E82506DD56364617CF33EBF4EEDDA24103 + +Count = 347 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E8E9FE4B0EF87FB75973D68A64301D8A13 + +Count = 348 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E826989A3B2E546B5FCFFCF937477949F5 + +Count = 349 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E84682FA441AA40C719CCF7D79DDFBB257 + +Count = 350 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E8BEBB7109BC75336454093E8147469989 + +Count = 351 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E8C5135AC90B125FBE313DB93EFB41FEEF + +Count = 352 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E836B3B343D3B289B186648F2BAA10EEF8 + +Count = 353 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E82FC741DD3D839B17FE31BFD846E4A391 + +Count = 354 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E88121EBB2F3C6F1960B02DAD2145AA78B + +Count = 355 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E8AFDE1633DA88218923B9F36795147D43 + +Count = 356 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E8AA7AFC177EFAB2134512F72DC5B52232 + +Count = 357 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E8A299C3BF8DAE7F1197981FF3C7BB0F8F + +Count = 358 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E8103743432ECF4095A52FF2CC0CF2EC0E + +Count = 359 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E871523489BA621B160C628713ED41C441 + +Count = 360 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E85B1D066CCDAAED1BF864D10454F4C65F + +Count = 361 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E8CFD3C867030B88D4D8B04BE1F19904C4 + +Count = 362 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E83B6D108F8A57C4A21371EAA014BF1B48 + +Count = 363 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E8F454E48DE490DCD04AF3DEC3338B0542 + +Count = 364 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = +CT = 01BC9CCB186E4A3732E86BFAB6EBEBCD14A656A60D80D5FBFD472B + +Count = 365 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00 +CT = 01BC9CCB186E4A3732E86B502B03DAFC6EBCE81B0D2F6527EE58EC + +Count = 366 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001 +CT = 01BC9CCB186E4A3732E86BAB66ACEAC0AB6F3AF3580D800F6E29F3 + +Count = 367 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102 +CT = 01BC9CCB186E4A3732E86B6FEE586B7BB5F2A0DF9485EA94136CC3 + +Count = 368 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B422CA9927F8D8517A0C67C2AA696AA9B + +Count = 369 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B0071C915942696815F422BCC0FAD29A4 + +Count = 370 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86BBD0186EF6FB0DB9BF1F1C4DAFE4D2F6F + +Count = 371 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B5CC3C2E51BBF5065E6F3C773776C9C88 + +Count = 372 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B3B324558B2192F32B9F17003A6DD124B + +Count = 373 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86BD53AD1D9D2F83012754552012CA9189D + +Count = 374 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B636F3F7170812A057E8A45E95697395C + +Count = 375 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86BF66BE66B89E6DF8AE6DB09B6E74BE861 + +Count = 376 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B0F0D6152B83E7A4C0E8C7A1F59192039 + +Count = 377 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B27D745B964F2FCA9752741534FB28C2C + +Count = 378 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86BC70CD1F573ABF07751CBFF36F6AA6805 + +Count = 379 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B1CEE7B8D636680D67572CF05F2B6CBAE + +Count = 380 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86BA8529DD987CF19F3C8D8EA049C4F68CE + +Count = 381 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B17CAAF23725C1FD0BD322DD56CB0E7FE + +Count = 382 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86BA251BD777689BC29332C0E90E6B52F5D + +Count = 383 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B78FC8BEA173DCB732D23FB7752EB7AAE + +Count = 384 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86BF386B1EF43FAF916BD300A6077B99003 + +Count = 385 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9D2C1D7671207D2AE3D1B046EEDCC634 + +Count = 386 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B7C0A48FE08F33E8757A249856C54B0D4 + +Count = 387 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B50AD0F88BD277EA10B4B4886F38B1881 + +Count = 388 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B74973DAF8F6E9EBEE01D0834F1D866F8 + +Count = 389 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86BE25F4EABB582BB5DE7DA08DB325FE559 + +Count = 390 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B05C415901F69DD9B7C355A02F3E5C99D + +Count = 391 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86BD19F4D0DAD803B7BAEC092B707209F80 + +Count = 392 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B870F870A5E78CA8BDFC6564CE41D89BA + +Count = 393 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B814DCA56E26968DD71090CC3C493151B + +Count = 394 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86BFFAFF08D845F4D10DEC8C26D08CC89D5 + +Count = 395 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86BD5534C94D910442427A1009516389046 + +Count = 396 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B2A346C842C64CAFBA9746E7C263A3165 + +Count = 397 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = +CT = 01BC9CCB186E4A3732E86B9F73E1B1280D1648EAA310F531BC99C1C0 + +Count = 398 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00 +CT = 01BC9CCB186E4A3732E86B9F9EC37FAEB8A9FFB951EA2F59766F68B6 + +Count = 399 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FC7DBC83ADFA752B981C5516F73A2C8E1 + +Count = 400 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9F44830AC19101964CE0E1719B85C922E6 + +Count = 401 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9F64866EA974FF25A6F303CE77BB6EB291 + +Count = 402 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9F5608613D341793650437FFABEF0DCD0C + +Count = 403 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FC9DC9F0E6949B092930748AC9D80F0F8 + +Count = 404 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9F3AD31F4C18B7B8B08D8FFCC413718909 + +Count = 405 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9F1BDD161D75E2BBA330083D48342678B5 + +Count = 406 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FFEF4D5A423B46C977CB9AE376B607197 + +Count = 407 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FBD7B4A1177FCB7721AD92202C8B1B003 + +Count = 408 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9F9C3DD51F3D80AECE356F1F0C9DEA110F + +Count = 409 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9F6E0B9441D4B9F6E572D36367A345B3A3 + +Count = 410 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9F241C2DF3987B5F98B26EB9D60A48CD6C + +Count = 411 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FB6EB9CA75F76927DA2342D150CDF97C6 + +Count = 412 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FA7FCBF63484CC2F820BE9CB337D52F1B + +Count = 413 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FA368CAFA6A3332C5720ED33FB8550901 + +Count = 414 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9F879465B25B6C7108D632B3B3202F27DD + +Count = 415 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9F18F95DC2827A6C7A2FEB5AFA61238EDB + +Count = 416 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9F9C9F32313D3465F7004EEF9359DCFB85 + +Count = 417 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FEEBD041906DE5E9D253286983641342F + +Count = 418 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9F6CE32B1FE6A4DDEE52676DDBB76B05F9 + +Count = 419 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9F20C0BD5B4C64A99F9F66C3C7FE9714E8 + +Count = 420 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FE98FBA58E390FC002BC8DD881277DD50 + +Count = 421 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FB4A6A610CB204662A2A6E1E42F94C8E5 + +Count = 422 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9F6EC65C3E71E5B9497AAA60EF50D56122 + +Count = 423 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FDEC8B153ADF81504395274505212A94C + +Count = 424 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9F4365F4214CA23D4E0760FCBBADA05B42 + +Count = 425 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FD092E0ABF35FC5515CF5D8CF2227B0F5 + +Count = 426 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FC9DD3CBC49271EA05ABAD546D84A7EC2 + +Count = 427 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FC9AC210CD0AC00FD656FD360AD12DBA0 + +Count = 428 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9F20E553B857CDD177245F7E16161018B6 + +Count = 429 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FCB7402837A5C9D3569B6F3C6E277FFE4 + +Count = 430 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = +CT = 01BC9CCB186E4A3732E86B9FAC401D961BD41D543AC1603FA0A50C2B9F + +Count = 431 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC518F8987EBA976647BA3426F7D1E94A4 + +Count = 432 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4A737D2DE2E809FA3B6E34B1480B5FA9 + +Count = 433 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FACB773BC024AACCD1B6CCEB196D1D926EE + +Count = 434 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC0A742CD6CF716CEE663BFED7B1F7218E + +Count = 435 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC788DA22F72405916679BE156D430F32C + +Count = 436 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC95F3D631791BE83C16498BC97E5358FD + +Count = 437 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FACF02886AB9C91B88DCFB66C881BEEDB25 + +Count = 438 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC6BC16286170802ADDC6D6761D91DE751 + +Count = 439 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FACB11B76F79D526ACBE222BBCC8753617C + +Count = 440 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC7DA0676554D9353CFFFEAB6E30586677 + +Count = 441 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC8952122198F998B8D6ECF8543BA28BF3 + +Count = 442 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC0E9C730E4D81E533E8296A6B74FC603D + +Count = 443 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC1A08CF4EF0D535A8B47360B0A20D7271 + +Count = 444 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC3200C27BD756A6D6D534F212E5B8D331 + +Count = 445 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FACA1BBA755C3204856CFA061165FC42C40 + +Count = 446 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC1BA30DB059403667E168F8D821810EC4 + +Count = 447 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC35A852B02A4A6DE9A8A8B3E505CA0E6A + +Count = 448 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC2E8BD2C2F5F8673ED56E496ACABD6898 + +Count = 449 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FACB306317A7C8AD0D24342451FD66D5BB9 + +Count = 450 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FACF9DFD894D6931736888A556948FA10EC + +Count = 451 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC99888D72617175483572E7FACBE4534A + +Count = 452 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FACC60B6E5E924DB514921DA1EFB85F1D11 + +Count = 453 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC576A4C8D6927629111776D99E75F544F + +Count = 454 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FACDCAA0779AEA6A9852C5ECD561D90DC2F + +Count = 455 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FACD8AA18321510177914D27A89CAA4BB92 + +Count = 456 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FACF45F88A0CA2F7167B6DCD3AE8DF22FF2 + +Count = 457 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC2922364570D3949AB8BCDC2BA9C8C5AA + +Count = 458 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC8FC6980ADDA1FDF78B3A1816398C949F + +Count = 459 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FACEC83788CE1F1B10FB469F216ADEB596B + +Count = 460 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC64B6C9C20A0FEFF6FAFB60A5B9F69EEE + +Count = 461 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC07021C98759FB08D78866091A26A7496 + +Count = 462 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC43EE750629DE742CE5D30C409FA095CF + +Count = 463 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4A7DE7C24473190C3A616F9562517D9095 + +Count = 464 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4A6F1AB6EAD07880DF4C34B9B27CD61306 + +Count = 465 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4A235524E4DF196776A6F2DB0C7ED77C0C + +Count = 466 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4A80FCCE0936A39FEAB746FE67E2B0318D + +Count = 467 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4A8E9F02E81FA496F8DCF9115CCB530E8A + +Count = 468 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4AA799EA648CA4D6FA36ECB4B422195197 + +Count = 469 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4A6FF1377CE1E218E2C8F604B0CF71F580 + +Count = 470 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4AF72DF689F9699C3C5149B2D0FA2F6739 + +Count = 471 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4AF1DD6C8945A2DBD0F7545CE5864D8671 + +Count = 472 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4A65A9CE6CA2D419E2A0BBB89022CAD327 + +Count = 473 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4A6F2E79B20C11EF9782885AD409C4C8CC + +Count = 474 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4A0649368CAFF4AEB489B6A758A03AAF45 + +Count = 475 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4A896BD015142C9E45A86AF51B002C120A + +Count = 476 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4AFE02E6B7660957A9FFC4C1FF8DB7F333 + +Count = 477 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4A5CEEF5C4EF67841A1BC6D1FAAE334A99 + +Count = 478 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4A524AD0E9DD9C68A3F9C0284DEFB2DA52 + +Count = 479 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4AEC5782B37AC8E857DCD464EC29A2DD79 + +Count = 480 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4AC7A581351DDE24E5DF2C529150D383F8 + +Count = 481 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4AEB3F0930549D64CB49A82E723EB3509B + +Count = 482 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4A6D55D684746503C3C86704FB21097A24 + +Count = 483 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4A2781B6E58B1FC70CD942CE54F8D834A2 + +Count = 484 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4AA89C47A932AD0D30A11F7FDD78134919 + +Count = 485 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4A3EACAEAA346F52EE2A502C03845028E4 + +Count = 486 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4A200ADD38A9A4F0E758BB281661028468 + +Count = 487 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABC961D07EB493CA09F484EF2A591DF88 + +Count = 488 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4A43703CBF2ABCEE68D0F2133070A6568F + +Count = 489 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4AE47A1450DCCC7D0186669AB155079406 + +Count = 490 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4A9A48E97CB72FAEFFCE0CF01680154A4B + +Count = 491 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4A723414434D60872648FC630E55EE10B7 + +Count = 492 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4A5A417F0A7AF9C840CA150BFC3E7F7523 + +Count = 493 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4A980771810E477D4F6915ED13A26ED6B5 + +Count = 494 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4A6DEF3A172D9D1846216F6D88CAEF6E9F + +Count = 495 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4A35D90BBD035D3378E5A4AE3513C2CE68 + +Count = 496 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF80960B2603A93BEB396F1F4B965B2358 + +Count = 497 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF0D2A4272944C46006DF60E6AFA9D8F7F + +Count = 498 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABFA29A127E3C0D2F477CEE4184EFA5D636 + +Count = 499 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABFD0A59308712685DE4F0F76590A334F3D + +Count = 500 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABFB26E09C2B10CA3274A5CD31759B39BBB + +Count = 501 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF139B5734BEAEB928E17CB51FAFF33B1B + +Count = 502 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3CACC9B0F63DE7DDC5965AC10CCEDAD0 + +Count = 503 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABFA58E9B14895325ED46D015019BA9FA55 + +Count = 504 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABFF8552F6007F8776956014CF43D3DD420 + +Count = 505 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF740F2E212179B8F7BB3E479171623784 + +Count = 506 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABFB0BD81B8C288C98C4228889EA134EDA7 + +Count = 507 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF12FD1E3E97BFE2021550146EE509CDC4 + +Count = 508 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3C3D74367C516EF3E475854D64F42902 + +Count = 509 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF8797235ACECED5F494C48484B9C1C225 + +Count = 510 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABFEFDBDBD4C5C1E0F3E66DD79A373FE9B9 + +Count = 511 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF45025F862A56B8D7D4EA26B35BB787A0 + +Count = 512 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF01BF0D09AC64A02A89A71C150DEEC009 + +Count = 513 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF8910563C8976B1DC35253BCF44792C1D + +Count = 514 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF65B52AADAA524D07D7DCF26D4836F42A + +Count = 515 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF90E9B97B1BBD65A6E8BC7CA66E9C3B80 + +Count = 516 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF513CD675F472009BFB8F182994C853E1 + +Count = 517 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF46721BCF9892D6F26AC28EEF5C8B192C + +Count = 518 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF9AC312F19267AE11116024C052FF5A47 + +Count = 519 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF60600AF266FA85E34E1F1CD059CF5630 + +Count = 520 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF17C2060665E186B03B5A1AD5FFDACD96 + +Count = 521 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABFF3317C8A5D2B421D58D7C1EB1BE5AC13 + +Count = 522 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABFEFF1C4D9D2CC31C6724654DC4D5FD8F3 + +Count = 523 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF1C17DC9D7F4B5F594DC5CFF0059DA2AC + +Count = 524 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF106DB6A213D791B7AA9FE1AE850B1359 + +Count = 525 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF8A555713AFAAAFD5B8B1051FF0D216A3 + +Count = 526 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF07C52335BABEF530BBEFF5AB8794CA94 + +Count = 527 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF2C7F8DA912E426CFBAD11753790B8024 + +Count = 528 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF43A90B1005F8F1B31F230761D2C2A6D4 + +Count = 529 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EB89E6B0E91A693127B21A2FD98C8BE79 + +Count = 530 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EC28854328C96BCAD6673789A878CAEFB + +Count = 531 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E44680250C8A38AA6BAA9F7BB56EF7EF8 + +Count = 532 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E3722270C141499E640C83055EF0F9625 + +Count = 533 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EE47167EAE8E62E1219C534FA678B8476 + +Count = 534 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EC297D85B154A24FEE903BE4ECFCE2339 + +Count = 535 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E21FC1AD32A524861BED34145091EED88 + +Count = 536 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E22AB5CBEBAB2D2268A292BE44BA9C0A1 + +Count = 537 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E0A56CE07579D9F0136DF5D56E290CEF7 + +Count = 538 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E15A9BB2C855EA8A4E2CF0BD3670718B4 + +Count = 539 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E86B4150A221DE98EF329D2826090D558 + +Count = 540 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EF829D0DB3422DBC8B88969949A141306 + +Count = 541 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EDB7247768241A6274C1F18C620C85978 + +Count = 542 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6E9EDA24D0A5EDD3B2245984D27FBD2A + +Count = 543 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E9ED495328799A3C230581D372E1B40B7 + +Count = 544 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EF7FAEB54D1407130BBD97945763407B0 + +Count = 545 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E61011220E6379839275EF7232789A64D + +Count = 546 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EEA8F9DB9BEF9568E68C5711C8E7DA391 + +Count = 547 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E98172CCCDF47BF54A7C66CCE83C8A0FF + +Count = 548 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E0A076D1DFE32FCFB005E81577A40F30D + +Count = 549 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EB394DD6532D2F7C7F723C0E72B3BED99 + +Count = 550 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E26C4AEACA227EA5C48248C082BA91E08 + +Count = 551 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EC0D492EB7D217B71AC4B629511A54C9E + +Count = 552 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EA79175646A1BAF10EB32AC8C8AF5A4EC + +Count = 553 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EC55548631628A57BC6F9289E685C36D4 + +Count = 554 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E2F45B1EDF96EDF6609DB27D393D0CFF2 + +Count = 555 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E94AA93B8A4BAA6CAB82F4736CBD5E539 + +Count = 556 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EFDA602A9773E02EBC356EA7532ED847D + +Count = 557 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E0D4D9B0DD8B4D4F0DBB3E835A380A7E9 + +Count = 558 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3ED2C95F1FEB5DCFB0D50CA801CEBA8EE0 + +Count = 559 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E155981F9B4AD2E836B3FC9C8ADE65EE9 + +Count = 560 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3ECD5D5E261AEB36EF8367B2FB66B3DB53 + +Count = 561 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E5773165AC795FD7C5753655B809A4A67 + +Count = 562 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C1485159AD7C781595B283C2B080A72B4 + +Count = 563 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CB176670E286113BC60313B8F4079DE62 + +Count = 564 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CAA952460F31C7458EB2645B49766A473 + +Count = 565 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CFE689CD4FE525E3BE438D518AFF2635F + +Count = 566 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C8D17CF6D834693B3577528D30094752E + +Count = 567 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C92FFE981CA1344DF61B0CFF7830D3AFA + +Count = 568 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C3646742A3DC36853BFD913346B97119A + +Count = 569 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C1DE701E876110788FDB9A0879B461DBE + +Count = 570 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C33661483D36F1C836BD368F22F9649D2 + +Count = 571 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C26A8926AABD612482F7782BF0CFC7AB4 + +Count = 572 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C49154D72BC0DCEAA6413F5E4F0AC0A87 + +Count = 573 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C8B45E9B6AADA312B732B7C39CCD02207 + +Count = 574 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C777B4DAFA0882CCD5B50829590F219A7 + +Count = 575 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C57AA15066D92A1F2144B296D8C0F195E + +Count = 576 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C73E740974671B2E35E887D34D2CC6091 + +Count = 577 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CEF24B7BE99EE51E61CBEE962344821C7 + +Count = 578 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C625B4B87F3B520597B4A89496B5620F7 + +Count = 579 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C43866B0F23B8E952A7BD78B4B1FA217B + +Count = 580 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CA55B9B8F589A3DFC8AF78E934910C47A + +Count = 581 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C308EA832F6FE4E12FC3F44875AA69E02 + +Count = 582 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C7C33C55FD9AD7A21BDDE5CAC541EF013 + +Count = 583 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C10456E209214853B38E8F2ED6EA711E6 + +Count = 584 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CCE0BC4FDB9F6DDEE483903C72B50FB6D + +Count = 585 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CF2BD6609F73E9FB0E70CEF1966E1965F + +Count = 586 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CBDDDEF713A527238453E367AD620C5A0 + +Count = 587 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C8C4483A25154C02DAD7B7B89E3A423CD + +Count = 588 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4F7AAF6995B901C90CCB4B824A9812ED + +Count = 589 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C749E80AA5422091362A9AD88DA3B03CC + +Count = 590 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CA3D3FDE1F7EA8C4AC2FDDDC1E792C64B + +Count = 591 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C5A79B33B80BCCB4612497B7C8EA99081 + +Count = 592 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CFFFC0F74F35F93E571EFA088E1C9DEB9 + +Count = 593 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CBE72AA64B54C5D57ECE7958A4DDC17E8 + +Count = 594 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CFB6200DB12DF5B66139E4193FC579CCF + +Count = 595 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A7C710F567358487ABE78EF90E0CC833F + +Count = 596 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4ADD7E17978EE40F71938C01D17BBE4FE7 + +Count = 597 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A34DF9A7D6F0F3E275F8F83C30C418FDE + +Count = 598 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A64C64376C10F7C8D93CE6609F6FC285A + +Count = 599 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A17051FD7CB9CAD020C98643606ED474C + +Count = 600 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AA53F6DC75BCB9EF9BF73B1429E1EF264 + +Count = 601 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AD26CB9678F27108CE29A0443EAF8D1E7 + +Count = 602 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A09188E6F506CAACF005C27DD8E49DD2E + +Count = 603 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A4B5FE718320FA61BC0E081D75EA40C8B + +Count = 604 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A07F02FAE2DE835252D8961401EF470C4 + +Count = 605 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A75BE1695CFBAD6096B3B5F59D8FD8380 + +Count = 606 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A48188557BC0EEAB91D224AEEC4F8742C + +Count = 607 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A60A1F8A51F68C5A1F9A2A9ED7A956D34 + +Count = 608 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A93D0E05AFE58924A15EB8CB8EF020FD1 + +Count = 609 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A01745A22B229602401E0E5DD0690D06F + +Count = 610 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A7E149418EC53FC43DA572C1700FAC22A + +Count = 611 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A3E4BC1D60E3AFB0A33EF5750F3C0A08B + +Count = 612 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AB5CB2570F6CE0FD92D2094DCF5C7E43A + +Count = 613 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A063E6AAF227EFA80FDD2EDA9079BBDB8 + +Count = 614 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A73C0E2B4048B427D7C03F97068EB31FF + +Count = 615 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AA88EC0285D68A3EFC1B428921DD7F8A9 + +Count = 616 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A88EEC981605891C68ACF39B80B7F6F0F + +Count = 617 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A050AF1C8C4D18EB2900D955A1C0D26FA + +Count = 618 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4ABAF592047B0E31B763D33038BD1FFFE0 + +Count = 619 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AB8CD6ABCBAEABC05CF860D28C3986C7A + +Count = 620 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A785A925228D82A1EBE72CE6C92084B55 + +Count = 621 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AC8C5570C721097D5673DA43142F4F6EC + +Count = 622 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AB40F39E7A0D6407C7F78AE8AD27CB6F7 + +Count = 623 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A2CC01E731E9D5D2331B22F24353F2A3E + +Count = 624 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A3D04CE3954ACDE2F0B82132B7E1BFC8B + +Count = 625 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AA546342DA09A5CE78263CC305AF726B8 + +Count = 626 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A4A85A55963BBA05249BA7E05502CCC90 + +Count = 627 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A96E3B7B217C798F3280C7DE21222BE88 + +Count = 628 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82EFCC3780B3F710C1E03D59300F953BDA + +Count = 629 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82DCB942F5929A67E360385297A2E768A3 + +Count = 630 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8248E6BB3465953A0855188661AA711ED5 + +Count = 631 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82B1CE34DCFC4D179F0EE20F52AB7EB13C + +Count = 632 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82834230D2E3FC79DC0DA1FF3E1F78AEEC + +Count = 633 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82C8F3E977CE7FE992C05C84AF8AE2C640 + +Count = 634 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827AE6D01AB7DF9ADBDA8CBF8EE8BF573B + +Count = 635 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82DF7FBD3B327F529C6ABEBC90A9EE9687 + +Count = 636 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82B24C05BF85315B91532D39B9C541CD29 + +Count = 637 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82DB00DA537973A0EECB08E929FF97AE91 + +Count = 638 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8200A992B605EA03569D72E198DB815E3A + +Count = 639 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8215F8A968F7A7005C7D198B94A0A6E5C7 + +Count = 640 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8214F02156C3D039B4EDB2C7DD71D2939E + +Count = 641 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A823D11373773071E0798E6310AACC9F785 + +Count = 642 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82AC59B07AA17E8621EE7CC088BCBAC5EA + +Count = 643 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8243FF289EC111990077A5198C930C7909 + +Count = 644 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82B3641C40804C5B967EB3EF52850F78A3 + +Count = 645 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A822CDCCE34E8DD34ACD5C9BE7478E22F37 + +Count = 646 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82062F4917C2CE97108D493A40C4D5349E + +Count = 647 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82F92CB4E24DC033F540D4C08118495077 + +Count = 648 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82353CBFE72D212D37898912E8F22A79DA + +Count = 649 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82435F69F4EA94C44926B50D4F3BA90771 + +Count = 650 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82D66AA00CEC52C357882A94F6A6ACFB2D + +Count = 651 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8217232E65022A6A9F3F22316CD3914E86 + +Count = 652 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82FDFADF0DD945ACE3E7DB3ECC1E01DFB1 + +Count = 653 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82A65DEA1F10F11E787EF3C8968ADFB871 + +Count = 654 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A829C68ECF22482C5FCAA95F3641FD37CA9 + +Count = 655 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82E558634AB352491E2F682331C4C67020 + +Count = 656 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A825385B476F344D7586A688153D641B4EF + +Count = 657 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827342341EAEAB8211125D391D23C2CAE9 + +Count = 658 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82FA93A9A69BDF17381C9D036DDD1E9B40 + +Count = 659 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8268CB07BFDD7BE8DDCC1AA967E6E739EA + +Count = 660 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8284235072E32B688124F43FA99C07CB4A + +Count = 661 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82741314BF502D26243869A68BB5AC99EEFA + +Count = 662 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827412B995749A2BE0362DEFF0BF989D877E + +Count = 663 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827484D3776A1AC445F0435F63B686046885 + +Count = 664 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274D37B16E3A5DEB272664F6F589E978954 + +Count = 665 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274125F0556B157080D0C4503E978AD6AD3 + +Count = 666 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274515C841A58D96821FC5D7AF533222AEA + +Count = 667 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82741C9CC909A820A1A651A616D73D9D0513 + +Count = 668 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274682BB29EC1EFF608ED9DB696A31F4A2D + +Count = 669 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827438537FBAECA2DAEF3D47E8876D86CA07 + +Count = 670 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274F1079FC9C8CE3FCE7BB2890B65536C58 + +Count = 671 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82742127A8EC4A3230F43E0F3A7E526CD5A5 + +Count = 672 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274CDB9A21BB42C371BE51BF46FC614FDF8 + +Count = 673 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274970B691C518A64D9018511CB23D91C90 + +Count = 674 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274156622246F0DFB3B1A1509B77305EA15 + +Count = 675 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82740C8B221715985CDA79E9C306B716D903 + +Count = 676 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827468C4FE717546E5CD93B4374EDB9A17A8 + +Count = 677 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274E80A11747A81F3F140CF766DD2ED8F87 + +Count = 678 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274CDC5A9B95676476E4E1FE9000F0219F3 + +Count = 679 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274D9D8AB7C1F64E96C3CDC5B06CB78F9F2 + +Count = 680 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274B76D66CE8BC5AD907277168A34703FE8 + +Count = 681 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82749EDCB523B435C8CAFE8F99336315C8BC + +Count = 682 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82747AFCCFD945D45B33EFF64DC43ABA96C8 + +Count = 683 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A82BA8DC8217409D6BF57EF9E6FFB31E + +Count = 684 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82744F392881CFF8E29924B0F87BEC79B76D + +Count = 685 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82748D277ECF9A4362934D2DD436359D212D + +Count = 686 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827448FB138DE56898B67A5D36FEBB0BA1D0 + +Count = 687 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82745F13E8D994472537197813EB9BA1C1D1 + +Count = 688 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827485D3F6E757FE5C99EDC739759FE52767 + +Count = 689 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827494D8D07C349E5B9CCC27EB66EDDC4725 + +Count = 690 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274D8A2935D6FA82BA71A0193F10456628B + +Count = 691 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82747CE5A83987FB78ADC44F1E7E860756B2 + +Count = 692 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274C6314A3A6781B281B43E6B664978E60D + +Count = 693 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827414DB2EE8A8955F488D41A402FE2E3DF7 + +Count = 694 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1C2C3FD6F3B52F7152EFF4047C0FF82C8 + +Count = 695 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A10F3C657762A095C773FFF8507EB30346 + +Count = 696 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1578ACFEFDFCD4ED6D83A1E45E9EDBDB9 + +Count = 697 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A6D50A7E871832F5CCF84FC332A18660 + +Count = 698 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A143DE68D7F7FD5BD519B02207C1400E57 + +Count = 699 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A139FB835EFEF3A5A07252EFBE1008EDCE + +Count = 700 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A6EBCD2EE9A5A4E0823B84327D08E4C5 + +Count = 701 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A11343D06D504D835098DE8BF6D67535A1 + +Count = 702 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18C996E65BD73FBA09B0BF06EC628C178 + +Count = 703 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A19C1D9C33EC6DE14F30345A700614B4CB + +Count = 704 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A170776E5687B960B22EE95830007CB6E3 + +Count = 705 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1AD669D02E6BE47FF6CAEF9753752A447 + +Count = 706 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A33EE0E41AB4AA5D343F450223FC8422 + +Count = 707 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A13B61B1951B52DE4BF7C400C84C72B1AC + +Count = 708 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A145C64EB683444F2FA25DD50B79C1D6B1 + +Count = 709 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A172E30B795E668E19DCEA9D43D913A083 + +Count = 710 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A10785E3226655A727A8061C4E1E29516B + +Count = 711 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A3960645FB45F78B5DF4D5E8F3E9A8D8 + +Count = 712 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1623C8E5F236344B4961644347330AF3A + +Count = 713 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1E6A75547C72899575D158DB28897B854 + +Count = 714 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A13892B0B38259946A6C828C5A4079581B + +Count = 715 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1C130ED80AC949228E2DAF3F84918751F + +Count = 716 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A7F28AB31A9949AB16C2AA515036CC92 + +Count = 717 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A15564A8258B54103D729DFAD5F0A097B1 + +Count = 718 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18780B413ECE061784BCCE1CF657C5C0B + +Count = 719 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A13237E6111610D2D08405C4E0869ACD05 + +Count = 720 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1665A6CA483CAC209D566CF5C2FD6CD65 + +Count = 721 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A19507828132E175648C2AC36FCD418804 + +Count = 722 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1D3A7B40569A254E4A7E4CE3BE2CBBDFD + +Count = 723 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1C32E9FB2D8FCF931259D534247C45C19 + +Count = 724 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A176D6967C80E7B4418F625AFAF627BBAE + +Count = 725 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A15AA8EA79542AFA100BDCC92319A21E2D + +Count = 726 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1FCA34F9709ECC3A89A50D051860D8DA7 + +Count = 727 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185F2D9CB58BF1B9929F1AE683F6936F2C5 + +Count = 728 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18545742DBE333EEAA8961D98838125458A + +Count = 729 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18567DDE2FBCEBBC8C04910B84F4122B23C + +Count = 730 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1855DA9B8C3C87CC3E344204277D0DABFFD + +Count = 731 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1850C98AB1AD70EB1B7C93D6FD7A413297B + +Count = 732 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1859B7C652867D5097D5342F4DBA208FE57 + +Count = 733 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185E32E64D21256C3319999107524969402 + +Count = 734 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1854A141A64740AEAB77DCD9A252BCCED0A + +Count = 735 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185BFFD3B9C9E7D6B06C6095DF5B13A9CB4 + +Count = 736 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185EB7DF021861EA61BC6311E64D72BACBE + +Count = 737 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18540792087A2D05EE5C895D1C5079E7B5D + +Count = 738 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185217F1F06ED81A6499D62A506978E826A + +Count = 739 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18552AB9689B30DC3D4E266BE937FB78CC6 + +Count = 740 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1852D575EBE9E8E6B03A333F46769CA437D + +Count = 741 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1850B9CDFDBFE84B8978F9DE3692D92FAD8 + +Count = 742 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18500FAE2653BF38A9B43760B091E733AF6 + +Count = 743 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1852EC10598ED1383027029D763B9ED88B7 + +Count = 744 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1859FE69C82A3CF8D13883E95DAEB2A9637 + +Count = 745 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1858C3C52E9B04713609BAA1E1DB3171DC8 + +Count = 746 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1852780D6C9608EA5ECD31559D0CAA58BD4 + +Count = 747 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185243D5525ECDDB90CBFF0214A2154A24E + +Count = 748 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1857622E28C957C39BBF903C14DBB44404A + +Count = 749 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185C982F2FA62A26C84C1FD5B4143AE36D7 + +Count = 750 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185B20431E5A30CB073DFBBB90560F098DB + +Count = 751 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185AC919A508EE606DEE9D7B5E87E39D206 + +Count = 752 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185BA16E9AC3909FED7444649A2270F8963 + +Count = 753 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185585DD3BAC0BBF7D1A9D2B77ED96004B3 + +Count = 754 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1850EF8D958434569450AD3D196B302D798 + +Count = 755 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185F49DDA9F30B8A9B73B9AEDD53E497340 + +Count = 756 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185F968AF5BC41CA9D12C784B1F6216EE30 + +Count = 757 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185224F1D953BC5D94D01EBE75E9865A84C + +Count = 758 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1857B2E3A36F49A388ADF608CA574BC31F6 + +Count = 759 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1852797D571BCF62DE982C9412C083BAFCF + +Count = 760 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFADD3B720BCB28D0BDE125E76C453E18D + +Count = 761 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFF37E19C08644E5926BCFF1C136EF5787 + +Count = 762 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF2B165779216CEC474755AF32F467C657 + +Count = 763 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF0EADD5489A3E3B00C1CD5CA118CD9601 + +Count = 764 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF679ADC1055A5B726954014C305186963 + +Count = 765 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF56DD099BCCC5620EEDBAFA139CBE8F84 + +Count = 766 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF330A57ADC7907E97AA97B8922F8CA4BB + +Count = 767 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF48AE2AB3DE406C25C117C8F773A4D05B + +Count = 768 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFB1E2F00618D768BB8995ADE408D04105 + +Count = 769 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFE8BC5E68DE47534502558888C4C7705F + +Count = 770 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF715AD1A0BE9868F47140F28DBA8BEE31 + +Count = 771 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF1F7A1B9A98C623F126568CBADA74FAB5 + +Count = 772 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF349C2C47CEF6D7CB570995E4EEB189CC + +Count = 773 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF2AE6C170A1617CCA33C445F9C4DC2365 + +Count = 774 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF4D3942A78CF8F442E4C87E507D87D427 + +Count = 775 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFDB954BF34722DEF743B79C9401A1D21E + +Count = 776 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF8C484EEDC4471ACCFCF61E89D46F544E + +Count = 777 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF9F8E065699E0A65340134CF6F569664D + +Count = 778 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF7E35A2EE11DB2600D7809533C95FB545 + +Count = 779 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFE67295F0B33CC450EA09A555A4136764 + +Count = 780 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF161CDA2B132352BC8C651F509F99CCD5 + +Count = 781 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF0548C99CF2EEBDB8791273D5D70DAD28 + +Count = 782 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFC85274577F92589EC6131F05240DD5A8 + +Count = 783 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF7073E5A048058A4D6BFC6E1FB2403AA2 + +Count = 784 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3EFCEF899FDC6E32933A3BE00720DC71 + +Count = 785 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF4577D7482C1978054CE6F608590DEEBE + +Count = 786 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFBC69B4E8CD2DE23B33BCAA9102EC32D3 + +Count = 787 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFC6FD418C301E67C2AA6F8C3D1AB0A07E + +Count = 788 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFFF5AFFC8DFE00BF453AF329976163D1D + +Count = 789 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF83D233A317CD92425BBA9D035A7EC747 + +Count = 790 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFBFD9DAF957D9FF8082ACE0E23CC9A162 + +Count = 791 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF1277857A9086B6A1940E61C6D0CB9AE8 + +Count = 792 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF50F5E064824127C1F4A8DA7FA2843304 + +Count = 793 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3497006E743E42D35778BAC45748D69FFF + +Count = 794 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF345830B1F148DE7189589D2A7D67405778 + +Count = 795 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34E1B74D94C7C6E63424DA901F0851DE11 + +Count = 796 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34A8D7AC3E9CE30DD54A8468F160185484 + +Count = 797 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34D640F07F12918FC696DA766AE9C634F1 + +Count = 798 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34DA477E48DAF745F7C2306C923B2568B8 + +Count = 799 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34357675A394782AE8F975F2FF879AF395 + +Count = 800 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34DD537A7FC9B3E02640AE0A65C97D6ED9 + +Count = 801 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34C05D0DAF3000E849DFDEF60345A38A3F + +Count = 802 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34D877F3619E3184C64E22D886B971BC29 + +Count = 803 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34FF09D75FABC6A5C2B10760CFEC857A8B + +Count = 804 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF348A7C7AB237E315FE73387BE8D9E03F02 + +Count = 805 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3452D846B0288E4FBC3EEAC4C0F3CF188C + +Count = 806 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF349A08FDCF9357493FF337EFF571659811 + +Count = 807 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34C0C9EF89093890395C0D70885D0A99D3 + +Count = 808 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34F845CB10E2A4DAAF236D43FD631ADD43 + +Count = 809 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF348273E8DA3A0BA2233B0618BF002BEFD3 + +Count = 810 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34A3D8D4C90E955AFA9FF8A28FF8D1AB9B + +Count = 811 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34CC5A1650A1AE302F61B17FB88BE9BA3D + +Count = 812 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34E53101444DB3A0F4987881262B8DF152 + +Count = 813 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34DD2FFBEC5F43899EC958D7419513FBE0 + +Count = 814 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3488E39BB3A7CA4D993AD2BA65CA40BA52 + +Count = 815 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34C98654E793BD747535C42460B3E2CFF9 + +Count = 816 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF341790B4F41839FF7D31AC5E70DDA469FC + +Count = 817 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34D1AF401DAAC747242CD4E14D31203F26 + +Count = 818 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3496F3E049774E7F1DDEA95E1D19376641 + +Count = 819 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344F92784F2D67CB87235A3232F474F63D + +Count = 820 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3482F93BAD3D714CB690A3653A0669C371 + +Count = 821 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34AC8B0776186861050EB0D188356397A8 + +Count = 822 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF346EE8669A81CC1406DBAA9391840AD100 + +Count = 823 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34407999AAACEFF2A18BFD428C7D5358CD + +Count = 824 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3448D2A5EC90B34FD18939DA481247F8DF + +Count = 825 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3405236500604D339630E1CBDE6BEE9F48 + +Count = 826 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443DEF77D123F940587FDAA3624DE9783FA + +Count = 827 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443504A2C04965A9171C7D3A326734F7C3C + +Count = 828 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344356E42C2CE13F390437F90AD42E456E6B + +Count = 829 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34435809913334B9A5F6BFF0AE5325BE4CF8 + +Count = 830 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34430DE288A21C6D6F9F4EBDFD45E2A90E5B + +Count = 831 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443711561CCC911E1C1C9B9F8796F3E6730 + +Count = 832 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34433C91EADF2C8AA11B37094ECC93EBF8DD + +Count = 833 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34436EC0DF00A3584A2F216618DD630803B2 + +Count = 834 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34439496D5E5BA088A1F0E88FDA64DCA306E + +Count = 835 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344309C7FAAA5DB3C2BB9CFAB55AEB47B6F0 + +Count = 836 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443945470C08FBE7CF9A6E2002A7838F8AF + +Count = 837 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34436A2D41A3948FBEB6902ADE216826B7DB + +Count = 838 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443A6F9B56C2C9CCE5E4718DAF590DC24A6 + +Count = 839 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443C443EAAABB92FF493E9DAA337C36F268 + +Count = 840 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443156921C3740A86AE33414370BDD6942A + +Count = 841 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34437876EC2A080DD3BE918F76669B434637 + +Count = 842 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443D3C8315E8F2D318DAC4A8DCB6522364A + +Count = 843 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443F9511CB7B2FDCCF80B933C5385CDA6C1 + +Count = 844 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443FB61D18B8802C231C210D7B04D0AF1BD + +Count = 845 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443C96A6A10335AF2207C37E859F9CA9C72 + +Count = 846 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443081B519FB1029B4A734A514DED68A142 + +Count = 847 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443AAC5C0F7558C7160C624811F164AD67D + +Count = 848 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443F1A2F284C4AAE53AA7470D63234D4B61 + +Count = 849 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443C28585A5D6421A208D21279E04AEA208 + +Count = 850 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34433A7BF55D38B43C9D11693C29452D9F3D + +Count = 851 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34430F5F733F907C5E901562A67A7C16EA20 + +Count = 852 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443DFAAA9FF37AC40EADD750B9A149D8986 + +Count = 853 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344316AB168D61A44DBD58065B9EDDA4FC54 + +Count = 854 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34434EB86D8F8C35ABEDED59DC68EB0E7F58 + +Count = 855 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34433C4620C1E6DFC5E79AA5DAA2A5AEEFD2 + +Count = 856 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443E3346509BCAEB86D5F5B014CF542FFB2 + +Count = 857 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431A74CC92BF10A31D6688864599BC42C2 + +Count = 858 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443058B51F3CC92F444EA41484C66A3F520 + +Count = 859 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315A79923C10F7F0CA455AA1DA9180DF650 + +Count = 860 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443153455D42A62B3A804050EF9E8ACA3CBB8 + +Count = 861 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315D1293220F94F8D62414D78122D7E7530 + +Count = 862 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315FA980E779EE4E84AC8D8B265A56E9BC7 + +Count = 863 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431576AF5BF3AAD29A63F8C39B3BFAB86D9B + +Count = 864 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443152C3169DB7262A3CB952707C825CFA729 + +Count = 865 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431533F0D55289A5676CCB97986520AB8339 + +Count = 866 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315A72D159CF2EF67A727EFD2D5C263E680 + +Count = 867 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431563A90165D16991165F33A1528854231E + +Count = 868 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315D30C07AD220DF8C6335EFDCEDB9FFD20 + +Count = 869 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315AC4DEFE4997C6EFABD4CDB4B7EC219B5 + +Count = 870 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431563E08CC63CA7256E3AAD1BD6313A2290 + +Count = 871 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315934B9AE130BA8C9F7921233F1658685C + +Count = 872 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443159640E273FF8D92ED1224E298E6649B51 + +Count = 873 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315314A18DE251959177A2E1C6021578B54 + +Count = 874 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431574B882EFC8F250BC03066969AF906DED + +Count = 875 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315B0C62B6AFD574E030DF8300528224CAA + +Count = 876 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443152F4376B34F163E56F2E5D35C0985F529 + +Count = 877 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443159FC4D4DAA9D2259DDFD0EBCA735C5245 + +Count = 878 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443157FBC238B14D0E57E57C581D370325DD8 + +Count = 879 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443153D7AF65EC956CBAC3A082C116B1A5349 + +Count = 880 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315681545225822A2BE375BBB3D91117730 + +Count = 881 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315FACD5A403419238FE671644DD0021688 + +Count = 882 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315939E31619FEFF304609F71C748C831B7 + +Count = 883 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315A60DF598D9C81C380DDD45EC86DBE5B6 + +Count = 884 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315A494ED08EC14430C9EEDED19BFE1F471 + +Count = 885 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443153A0DA6786EF7FD5370634344CC577C7F + +Count = 886 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315647FEE0F7A93A450CDE339AC5312D0BE + +Count = 887 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431569DA14A717FCE40748B3C41F27C268BD + +Count = 888 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443154EC759DBF97EDD0D69D58479454532A4 + +Count = 889 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431524DA86A19013AD485B54E1D71B4AC36B + +Count = 890 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431597576B8341B48888F2DDBB3018F9B983 + +Count = 891 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315EB20F48A9C0B72FE18BFF05896A2CD60 + +Count = 892 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C57343F63AA5828A0060D9E9AF3B3D828 + +Count = 893 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C287495D3D0639C1D4279DEE2C0647A97 + +Count = 894 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C97FD0877DFBFAB7076487E41F98DAE93 + +Count = 895 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C039203D22E1E3D8B65E95BED19B6E0EE + +Count = 896 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C1A3041F00DD5C0D5CA28E5F289A02E84 + +Count = 897 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC64D1CE7C6BF51C0FCF7A97E98BC833D + +Count = 898 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CCB7637C6F01286285613AEA665B76077 + +Count = 899 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CDB776353669FC43F7E4A5828B6EEA290 + +Count = 900 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CF6B5CE3245270C78003F12D569F297BA + +Count = 901 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C222C98266811056C99AC5FB49A735188 + +Count = 902 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C83AD740361228DDB487FD09C608B2BC5 + +Count = 903 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C9F93BE2F54C7E77BFD3B835755867F57 + +Count = 904 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C482DE8DC237929A4F37154CABB33F48E + +Count = 905 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C448FD9B5DB9157C362A01E4D4C84BF07 + +Count = 906 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CE47E7BBFEC559371F88E82E0295A8C3B + +Count = 907 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C052B9DF5F0806EAAEA4A97640483A039 + +Count = 908 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C252FC35E45FFA86788D77E2B9CA6DB07 + +Count = 909 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C43CF918EA777F07F6E533D647C05CF68 + +Count = 910 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C3C86DBB62CE523DF8FEFC59F54320611 + +Count = 911 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C4B9EB4AF2B4F50DC9369E6CBE795910A + +Count = 912 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C25ABC5E26D6BF36C3AB5BFC1061EF18B + +Count = 913 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CEDE50474039E77B0CC11F6190F9F595D + +Count = 914 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C5E83057A4B7AC18E2FFD3FEEEEED16F4 + +Count = 915 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CCC925DA211157171D6BC57FB69343ADE + +Count = 916 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C28119B694DA152B21848C58DE53A84AE + +Count = 917 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC898DA7D55D8BC5AFAB1597D4153D263 + +Count = 918 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CE1F1AC5E7390F324EEC8355DD1EF2BAC + +Count = 919 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C49041B143A49CB4D9E6D49878DE8CF07 + +Count = 920 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C8603CD75C3E2788C2410FD76342D6049 + +Count = 921 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C27317AF9125768370CBF3EA7A1B70135 + +Count = 922 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CFAF4CDD26DA034ADAB7AC583F15AD433 + +Count = 923 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C0354DA82DC438D9EE9D315197850FDB1 + +Count = 924 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CB701D152AD5E38F61FA5267020C2889E + +Count = 925 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC51B8A39E81847D6F7ACEE703E3370962D + +Count = 926 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5DEC343EF82DCF17D78A6A396A644094D + +Count = 927 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5B6298CD321BA7F975947B6A268589062 + +Count = 928 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC58FBABD78473A3A5377313BF5D1111499 + +Count = 929 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5B04A04EF67A76591A90292FF13BC7A07 + +Count = 930 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5B9CE065176A49AEAA1F253BF3C91571D + +Count = 931 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5EA1F1062CD8ADD219440F29F53ECA5F4 + +Count = 932 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5CCF62628892B2880C2E35B1B3C761CBF + +Count = 933 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5E08F4D804F8021B97D3D1D10427FA4C9 + +Count = 934 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5F2F8A4AE3B7D403DD43E86BCE08469DE + +Count = 935 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC58A823A49547CEE14778492F8C0454FA5 + +Count = 936 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5DE34BFEDD0878ED8E4B8736F90362A0B + +Count = 937 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5C78CE1B58DE390E58919B86FE9897C79 + +Count = 938 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5A9DAA229DDFD391499F0CFA570B8ED90 + +Count = 939 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC54196E93B94E2E5298FB2F595E1673194 + +Count = 940 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5ECCCAB252308732156BDF37CEB8D4C12 + +Count = 941 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5699C649B2C466EB0E4FE0FB7C4DE446D + +Count = 942 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5701D972412295D14E200D2B97CF128FC + +Count = 943 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56A547D405F5A0CC8DAD1544FC66BEA64 + +Count = 944 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5B98F152D5A64A476CBA5C6D8AE4C67BF + +Count = 945 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5A5739C9AEC423F39BA4DB5A9C76FC763 + +Count = 946 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5603EA7C4894709FDD217A2A92F7B62CF + +Count = 947 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5CEF7C684999AB79FA6FBE4524F374A11 + +Count = 948 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC59203A80108036D494753D5E97FB46714 + +Count = 949 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5FD40802D5E11BFD635D989B0A750D79E + +Count = 950 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5BC7E4723AA7DE2D25C0400126B0983FF + +Count = 951 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC590A67795A679087E3C1FF48D84264285 + +Count = 952 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5D5D212DB2090F9B59B857C74A9E30E8F + +Count = 953 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC54A75A4D02A554DAA4DFE646E311AC147 + +Count = 954 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5BE82F0433699A3B4279C8300E03B8E20 + +Count = 955 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5569A9131A9C3D1309498A9D4F7041D1F + +Count = 956 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC59B9ABB4FA0583E4AA97FE36675D5400D + +Count = 957 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5144CD804B7224118752D6CB599E4584D + +Count = 958 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FC4435B9545DFC9C2501F0AE3DD1F4EB7 + +Count = 959 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F42D582BF72D9B0E70B1B80E3F9170E72 + +Count = 960 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F71218F5D4D3152E77990C003ED0D9A90 + +Count = 961 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FEC65AFAC0B91004013B4F12A312F0A7F + +Count = 962 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F27D9871C73E4B456DDB666A51ECF689E + +Count = 963 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F43F92A8D3D2A649D9845F3D9E0B651F8 + +Count = 964 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F2F0A1CF4D16776660F834BDE59F36D22 + +Count = 965 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F6A2AB2FA1EDBE7E047A9783511CC02E7 + +Count = 966 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FD13E03AA8BF36DBABCA7A1B0ECFFD858 + +Count = 967 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F0A386770D19EBE01B61EB8F84215B93D + +Count = 968 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F307EB4F08A4B4A2F9A033CBC479D5F66 + +Count = 969 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F28AE044EC987E3882E83ED88AFBB3FD0 + +Count = 970 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F8AFCC09CB9B276F6ADFDE51687FDF776 + +Count = 971 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FA934DA00C1334A16647E15A6E9D22AA0 + +Count = 972 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F9EB9FC392614D41817E5AF9238576DBF + +Count = 973 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F841B4A4A85D13D2671D3BA139E0A10C8 + +Count = 974 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F6FF8EBD3AD75930D21FE990719CAD957 + +Count = 975 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F0D384796A0EDBA944CD237DFD3D43015 + +Count = 976 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FEB9F5F4D62AE1B00D1E6E090E1C7B950 + +Count = 977 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F18BE7D9D86B267D5163CC107F28DF4EF + +Count = 978 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F58B77CD3AC994EACA3E9D9D259F6D620 + +Count = 979 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F0654C2228C863360B2AC94DCF96B772B + +Count = 980 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F4AC98F2FE00DDC1289CAEA253E5E1582 + +Count = 981 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F4F1CFA9D3D7ABBF8E9D3D77B7E568AE4 + +Count = 982 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F272F1F29135CA08A343BE6423A7015AE + +Count = 983 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F984B6B325C6800411EB37528DCC6379D + +Count = 984 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FE85CA229A8F9737CE9C5D1368D4357DD + +Count = 985 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F8BE2AF5271DC3A420E7FDC860C782415 + +Count = 986 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FD45E8F766203A10615F44197F8CF15C4 + +Count = 987 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1872D4AFD9BBD63C1FA2F5059C56C2BE + +Count = 988 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F036D8D475E48363E8C101915D13AB6E2 + +Count = 989 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F79E73D662AD42AEF4D44A5FA2D3A28FB + +Count = 990 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1B3E1606ACBA610135520C82230E98A8 + +Count = 991 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1359F22C3C0B9D317CEAC57B2DE2F915F8 + +Count = 992 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13E5746E05604D3AE35EC5C4C1C29A9CEF + +Count = 993 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13ABC1B519EEF8F571E8D30F3AE71BA156 + +Count = 994 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13EACE6C64EF6C6C06621F3B8372122560 + +Count = 995 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13080394117B9E52C0631D9107BA371847 + +Count = 996 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13E50AA11649A7E86B2E631594FD8D3A00 + +Count = 997 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F135BB8F79F09481B8C75CE51E8C98774B6 + +Count = 998 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1301E74BE97D6B239F093E93AB71C7B6D0 + +Count = 999 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F132AA318B90D4F0485FE2E80CAF5D88993 + +Count = 1000 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13FDC152FF6EB01967BD31D9C280BB0AB4 + +Count = 1001 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1304B3AF6E96B4EF29B288A4B521D0C7E4 + +Count = 1002 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F139E3DBC714D2E6A0775E3958571655E97 + +Count = 1003 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13CC161126D83D4D824DE0F980FEE50935 + +Count = 1004 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F135FA318EF00D68DACE43639756E0C0ED9 + +Count = 1005 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1322043360A6633B716EE761C32C627E83 + +Count = 1006 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1377BA701C16F48E249BC0250CAB917936 + +Count = 1007 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F132F53466FF6BAD6DD522ADEF70AA53818 + +Count = 1008 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1328F4620D009DA5AE6B835523C0978152 + +Count = 1009 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1345F40C128E374553EFDD282364D089E3 + +Count = 1010 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5B2B8290254ADDAF4AC1AFFCF54D1D4 + +Count = 1011 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1361C947E45255273B7AFA5E6C2BFF31BB + +Count = 1012 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13997F0B2AEBD88FB55D389E2B463C4D8D + +Count = 1013 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1388D62F9BBEAB45179116893CFF8C959F + +Count = 1014 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13AE6D12FCFB2EA9325D8892F4B71F9E0C + +Count = 1015 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13652609061217106C7577E0336C8F0C59 + +Count = 1016 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13D45A8658FC51D6457835B864D4909C67 + +Count = 1017 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13A138A2FA287BD28046D19BA4D7FCFDC0 + +Count = 1018 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1359B9568383B1F941162FACC55E4AFF30 + +Count = 1019 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13AA879868DFFD3277FCB109317488708C + +Count = 1020 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13D1C3B5000B19A38ECDE01C250F45B5EA + +Count = 1021 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B3ECD002BFF19219044AE5BFA12DD2AC + +Count = 1022 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13C18FEB73F648E1863D42610CABD2272C + +Count = 1023 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F132225051D523177454F2852DAE044E0E0 + +Count = 1024 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B591497A595B4A8E0F1DD6D3334B4EE3BB + +Count = 1025 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5888905DADE5E6F88EE62F54FFAEBC8FD + +Count = 1026 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5179717F7CEBB6143D771C4F93A8A01FE + +Count = 1027 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5007910D1269132007FB75298455498D7 + +Count = 1028 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5EF5BE30531E3BB62E0270701AC71A85A + +Count = 1029 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B57CAE1B01366E885A62A9B41DE00029A7 + +Count = 1030 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5D89A8F62B3180C26D537295FA461B940 + +Count = 1031 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B531F400E5D5B70A90B120F404B57A44E8 + +Count = 1032 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B57A16D365E58337577ACA6D1C8D46BF05 + +Count = 1033 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5304AE34CD0E200767EF610A8B1C5329B + +Count = 1034 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5E8FFA627EE2AFDCA1C32DF0A721B2BC1 + +Count = 1035 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5634958428295AE10254C8237C2E16D19 + +Count = 1036 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59E90675DF410167AF9C188CA3293DE9A + +Count = 1037 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5F6C8124669F30619633E69C633954504 + +Count = 1038 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B52DCC1CFFFABDB252D812CB8FAC3931F7 + +Count = 1039 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5108639103881D69E1F4F351049A57674 + +Count = 1040 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B57AE536D7BCF8DBA5FE77FE025A3EC9B9 + +Count = 1041 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5EE0D2C8B7F9AEF77A6BE997E8FF879CD + +Count = 1042 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5A5A31F3D31A22272C38C392B5D2CC44E + +Count = 1043 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5C69F0638B58BA2A78600B1622AAADDDF + +Count = 1044 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5123FC7BF407BDD5B3D363B2EDD2F3CB2 + +Count = 1045 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5B4A0BE4E74EA514890CC40ED39E75669 + +Count = 1046 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59C20092A5AF43C1C29418030B1D39F04 + +Count = 1047 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B54DDEB2072D1B4AAA59E1D2095E6DD143 + +Count = 1048 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5FB2427FAB8C4519EECC05885E6E68DC6 + +Count = 1049 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B54B98DB30DD9A0ACB2D30A99FCFE8B75D + +Count = 1050 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5DC77889BF41DA00982EC937E54D85A05 + +Count = 1051 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B570F547C291C6C08A2FC5C03560E9E79E + +Count = 1052 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5617A1DCEDDE56EF7DCAC75CF8109DE8C + +Count = 1053 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B551C30CE982C45F52B2CF4FB176DD25A9 + +Count = 1054 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B50FA3BA7232E677D7AFEB2B91606540E3 + +Count = 1055 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B55F06310545AC8B896AD01C1C61112568 + +Count = 1056 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59CB65F7D4E99C5466172C4B81EBC4E3F + +Count = 1057 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A0530EE63AC2F5557A78313692F7CACD4 + +Count = 1058 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A70A6D4704F282DCCFAB90699C6F1E75D + +Count = 1059 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AC968DB1373580FB448C543135A062FD1 + +Count = 1060 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A647349FA86759C822C995B2FEDE9FEFC + +Count = 1061 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A34366C7EB3A53F8F2DE75D9692FB34C8 + +Count = 1062 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AB845864382301DED84ED4055D07868E1 + +Count = 1063 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A736CE4BC21FA417BF3F70A58018A408E + +Count = 1064 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A12582A9A5E1F1959A368ACAAE51FB000 + +Count = 1065 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304050607 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A9EF5AD88D51A435AAE0E5613FD5988CB + +Count = 1066 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A6D6DEA50D87756FD4AC058EECEA53B5E + +Count = 1067 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506070809 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59ACC0FE3B224507BB3C3FC1D1F45CDDD45 + +Count = 1068 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A435A9B708AB438D8B9FE9F8A5E54BFB8 + +Count = 1069 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59ADBF65C902E024A4A6A0440665C33A81C + +Count = 1070 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A49372E620C2FC3D071E74D3527324A1D + +Count = 1071 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AD218CAA7DB74E05E80C4551CE53857F7 + +Count = 1072 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A5C115C930C3E99E14533CE47B3C11DFD + +Count = 1073 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AD1FD63E63F54C396D6A938C8646EFB65 + +Count = 1074 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A04B0B3A944DBD783EDCDD95C60096604 + +Count = 1075 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A3A1E6D0B9947CFFB220E910D641D56E2 + +Count = 1076 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AC70B11D1E6137F4E0995A799023465A6 + +Count = 1077 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59ADD0830C65124F7FE260243C9C9C3B89D + +Count = 1078 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A4C99A441E87474CE8C02BFC2184196C3 + +Count = 1079 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AA7E6C63938F014243FA667FCB37DF64A + +Count = 1080 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A68FA974F3DEEE29674A1D840006991FB + +Count = 1081 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A200B7EAB5F11717455F0E5BE6AF709DC + +Count = 1082 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AD3C58ED54ABAB6D3B9248B5169D27898 + +Count = 1083 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A57BDED4E0133724A55C874D9403A6608 + +Count = 1084 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A2DDCAA7A8E785C42A59D2DDEA55DF25C + +Count = 1085 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AB00DCEA6A4CCAA7E18B6B05176D10AEB + +Count = 1086 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A249ABC7AED396AACF12548C7595CD661 + +Count = 1087 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A2FD2EEA5AD1D5B1FF120D6FA380E457A + +Count = 1088 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AD39F4E9234E8C13C38E2BF8FA114DC4C + +Count = 1089 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A0B6851D49C3E6049B766C013443433EC + diff --git a/isap/Implementations/crypto_aead/isapk128av20/ref/LWC_AEAD_KAT_128_128.txt b/isap/Implementations/crypto_aead/isapk128av20/ref/LWC_AEAD_KAT_128_128.txt deleted file mode 100644 index dfc83be..0000000 --- a/isap/Implementations/crypto_aead/isapk128av20/ref/LWC_AEAD_KAT_128_128.txt +++ /dev/null @@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = -CT = 1AA1F2F89901A41B0664C695D4D7ABB9 - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00 -CT = 33BF957B81B9CCA10D45F824D2019420 - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001 -CT = 7DBF38E3AD657BFCC4B5E4BFCB66C81A - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102 -CT = 0FA8F5A6B5C2958A6C242F195E4B275E - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203 -CT = 728B741F8BE2162D1B5899785C643BA6 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304 -CT = 978FD728A6B79E2529FB31547D98380B - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405 -CT = AD3C7CE2C9ECC55365C449A5D7EE46DB - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506 -CT = BB5F5A12CDDECBD77748E6C5586937E7 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304050607 -CT = 9391826631608E74FD34A556637699D4 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708 -CT = 6D22C308533673998AC3929049703054 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506070809 -CT = 68E2ADE27131CAD8F31E5D922C509C6D - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A -CT = 3030DBFFD44883B3176B4F433A63692B - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B -CT = 14E1DB64845A71B78C98FEBA4A0F8913 - -Count = 14 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C -CT = 077FF023618FD972B879D77814272773 - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D -CT = 0FB485D55B88DB7FFB271E2BAF1269C3 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 794592DB42B63F861A6649C9E1772FAA - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 370C491560C55C81D60A38AB3F2D4DF4 - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 11FFA8C94BA33BF3E9FEDF151EA52D98 - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = CBB62B2387F24003C9194CDF7E8FA41B - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 7D9C53BFC3CA9F657DFA40738625694C - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ACA43986E03D6B944C4646222F7F4FBF - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = A3010DC6DB7692EAFF76CA25429AEBA7 - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 3647C9919B63906F50B0081C41925BCF - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 7F49019E04613C46F4B291902DEE113A - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = F24B4CAE0EC3464B9C28768887A383CD - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5CF189D5570AE952540C7B6E50248948 - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 72563A7102FA23D0342A44795C4AC9DD - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 85E09B09FCA12DBF81F251AC7217E537 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B872EBA11D77957723D9C1687080CC2A - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 49CEFF4602FD916E8BA48B66FCE9AF7C - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FCCB4F587B48A99C2A8FAEC4F9D49566 - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = A9230705B74ACB506B0C57EBFB71D4E5 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 34510D5032A4973EADF3EF3A8CBAB767 - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = -CT = 0146D98980E2F815A5A5A43B48EABDF748 - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00 -CT = 011B2A04399AAA12F0ADFD11E4378F11E4 - -Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001 -CT = 01ED20FC4314FFAD81FB3683DBA553FFD6 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102 -CT = 01087B82D477F5ECCF88F710F71D79A701 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203 -CT = 01914DCF64871898CC6BCC4B5B43916A3E - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304 -CT = 01EC3AE7A929CB2B55291BD307AAD8E692 - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405 -CT = 01B74FDD289D23F813815C6B20174B9B20 - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506 -CT = 0192B30CABBF52BFBC7B12EA8A184886CA - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304050607 -CT = 01040C3C0F36E434ECC83B3B32FF9069EA - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708 -CT = 0184742AA1A50ECA82439D530E8C5A84D8 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506070809 -CT = 0126E28612AB6CB8850035127EDCA7AD1D - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A -CT = 012715C0F27990C30086DC28FC51BD5BC1 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B -CT = 017C07212CF75E81C3BF9E99059D43B7F7 - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C -CT = 015AD1EB4B1524444A8FC0AF83AFA2ADE9 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 01EBD673A8AFA761C80E0DE3B20567ED79 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = 0164D31ECD2960260D739AA3A3F788EF0C - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01400D938DCEE581B618BBD32F97A1DA6D - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 0141D5EF51E6281B8A738BBAFEFBF062B7 - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01615C3E48CAF828F963D0852DE0293B1E - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01D214F34271EB15D51B89EDF13FA9F842 - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 017A7B708DAAC7471BDB88CECC4674AF08 - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 0114D9BE9E7144E3067AEE72D7DEE8FD29 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 0184ECCD71F23559025802DFF9447757DE - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01E027971AD2F6ADE026B37D1B0A6D28F9 - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01DCAAC76CF3DE553C79CC113F859FACE8 - -Count = 59 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 016C4220BAB840347253FED1D19442F442 - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 011D696B627BAB18C888A319FA5F122C86 - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 0149242CFF481595C459F80BDFC4DB8496 - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 013C2578D88EAF336284B513102BC0EE36 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 015132BC8250CEFAF8100FF316D6215625 - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01B5587FE2E0CF843DC380F415E55806C6 - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 019E4A84821B6073F1DD62C6C47977A6A3 - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01AD82A30364463F0212B8798DD843995B - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = -CT = 01BC75BE53579960EBB26373F3961E837231 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00 -CT = 01BC9A456AAB906F974AF1BFC60E92279F98 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001 -CT = 01BC19B59983D80688FB12CD3397B2DA281A - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102 -CT = 01BC8E617D280CFCFCD4247F270351BD5E54 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203 -CT = 01BC6CAC51B0A1DB5C8A5574AE5359C8DF30 - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304 -CT = 01BCE2E07026BA6713B594CCF9879BEB725E - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405 -CT = 01BC90260A3FC1B48CEA3646343D6AE26EB7 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506 -CT = 01BC717AA4B1CE8191C283A7B7BAE2B7F532 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304050607 -CT = 01BCCB1492E74961EC684FACFF465D80FDEF - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708 -CT = 01BC98100D0D8C303F18A0D5297EF3A120E6 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506070809 -CT = 01BC6EBAD333B65A59CAB5E480E7AB740466 - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A -CT = 01BC59B4E6CCAE77E74E8AEF4AF7406B636D - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B -CT = 01BC573AAA1D7710A6F9BD446EFF9662A2CF - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C -CT = 01BCCFF0C9455B6162F6B80644F35E389346 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D -CT = 01BCFAD003D2AF7F95ABF3737572A106B3D2 - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC2FD76C40D653CE8E700D3A90D0F91494 - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BCD12633093ACA1BA3AFF9556AC724696F - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC5C2E63E9B8EF34C5E6D03A02DB27342D - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BCE39109B4F22AB07745B36F06C543C5FC - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC8E2637CE1895E0278DBB35524B7F2EDD - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC64006A329E176040B0F0AC2BA552F512 - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC78850A17F17DCC6B906FFF8AB050585C - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC6ABD510D81DFB8ABBE321D52D4740EED - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BCD2984DE5E043587D2C3AEEC17D8CDA39 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BCC43A670C6AE4A31A53708E2222B777D8 - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC045F1B91D7D10FCF1B0CAA56FB7EAF70 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC3BAB6EC47542AE9D25F95C5407120358 - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC5134ED6BCD5D44FFFE14A1A4D136B98B - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC55DDBB428E00FB57DE67738638E9C6B7 - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BCDA01A655F7558F43D146B0479E0809F5 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC6510494E43C317CBCACF78A08487C539 - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC32914FABD18DCE06945A8B7D6D7F8585 - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BCB404118EE8EBA405416A8FA8B779E2FB - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = -CT = 01BC9C10ACEC5F3210CDEFD44775AEE022A560 - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00 -CT = 01BC9CAC9BD0C98B8371765E08DD8E595003F0 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001 -CT = 01BC9C01314CC353E5495662480FAA9B052720 - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102 -CT = 01BC9C8E76567162C7802EF1B5222BC375B3B7 - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203 -CT = 01BC9CACE42F3382D4C2E4DEB7CB47AA74DCCD - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304 -CT = 01BC9C3DE4EA47DE4A0CB3DC50A77E4C858D63 - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405 -CT = 01BC9CECDD7B0AEDE5CE7B79135F3F737B4D3C - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506 -CT = 01BC9C8F056442F5359B21E1530F84B4F6ABDE - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304050607 -CT = 01BC9C39E3CC81C8203F5B7A37DACC70B70666 - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708 -CT = 01BC9C7E967532DD3390E7EF3D23B231C42523 - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506070809 -CT = 01BC9CBED0D77A5E43449BE46BE5BC3967A47A - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A -CT = 01BC9C7B66A8FB835EF10268DA851CF34BEE3A - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B -CT = 01BC9CA8F26BBAB072C97EEB590A62767BB55F - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C -CT = 01BC9CEBE33CA1F8490F7E975A5BE191107F24 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = 01BC9C247801ED09633FDD2160FAC22DE7542A - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CBC2F449431E0ADD78C60348D6448746D - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CB56D86BB002987742C1690EB97833732 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9C0833D570B06C261E99E7FA9FF71B04A7 - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9C3DF51B9D425914EB3670569EA424F831 - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CE61C126855B7853534019C90019555E0 - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CF66BCCD3299174FAC0E0068AAA10318B - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9C4E2E2E4F3F03FCEDC0B2A1120548AC04 - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB2148D017EC5ED8B2B29ED4E8ACE574 - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9C3552DE082F162FB30009AC3B4F4E0577 - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CED89B3D0F1168775FA5BC8E605F6D0F9 - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CB94AA5DC73DFD982FCB2665AB4E51E12 - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CBE96D880FC42F5FB52B9B44E1806AD81 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CFBDB67E611A8D5DF5A1E61262DB2513D - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9C711BE36671B8E5E18A80F546371A0967 - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9C9FE9A2373FC7C8F4F0E874F4016CFE66 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CC236DAC483C6A297471EAF07AA9B4DD7 - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CBA24870080A9FE310BFDFFC5CD3FB471 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CC18EC19D187B658BB80C53F2D18055EC - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = -CT = 01BC9CCB013C8AC7E5D6811A50B3DAED4861DBDC - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00 -CT = 01BC9CCB1109A8FFE94935F0430E3D1C8B4DCE29 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001 -CT = 01BC9CCBF2B3E13EF07356A44AEC634D7C058121 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102 -CT = 01BC9CCB4DA500F17E7DE92D2E465C30E94A17B9 - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203 -CT = 01BC9CCB133FC82A23D70294C0CEEB65635CCE7F - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304 -CT = 01BC9CCB50635A27E38CD933DC3A6A6A66EC934B - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405 -CT = 01BC9CCBE6933233E0A3FA7CD84F6019BE7FAF72 - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506 -CT = 01BC9CCB26943586B4BD949B63D05DD51C051FB7 - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304050607 -CT = 01BC9CCB704B9BFA1E0CF95422E3E55DB05956D0 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708 -CT = 01BC9CCB478C78C1AED4C2F0CD2831E4E58060E8 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506070809 -CT = 01BC9CCB4CACCAD1F1948B3292681044099DEC52 - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A -CT = 01BC9CCB092F4E12278DD4ED184D60B088B51D2F - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B -CT = 01BC9CCB869A1BD2A733FC7000C90F1DABDA8A9A - -Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = 01BC9CCBD594015C338FA6D6E6796D862DDBE7ED - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB06EC8B81B675AB2527925BB3EAF5A949 - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB5D64F608C8C016237ECEAAB8C4B57E86 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB96A4DDC8560C6F96349273E17E01C202 - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB9FC073A47C7F2C7A8537DC9FCF47FF5B - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB91BF949A718FE019879AFF7F151FCE5C - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCBF665AC6B947812240AF424667C8F7BF1 - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB36C40D7E6B65045946ADEC83F7A7D77C - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCBC0CDD3A8D0160A7D9D6323E67DA5C068 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB74AD3D169F85C89D84122DEC94221D6B - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB477927EE080D8EBF91F316F0A98FFB15 - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB73E71CB89E2A701201BD567458FDCD62 - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCBE65DE68C795821404C1213640E0CEABD - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB305E37C1A1D4729AFC9A5E49C6C819B2 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB3724FB2EBED02B4852869D4F420E2F62 - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCBC209BC2F0426414786E96615DA8EBAF1 - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCBFD1B1C3DFF4A3600F7440522A9576751 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB3F9628672F618C7E22327BCBFBABE94D - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB55AA16E34C0BFB3409E93B7A50DD921C - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCBABE848B9367445AD040B8DF9FBAC4810 - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = -CT = 01BC9CCB183C28CA07B118875A1F9CFAFC096AA900 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00 -CT = 01BC9CCB18A58F638EA6E7B94CB84A84C2E6B51223 - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001 -CT = 01BC9CCB1841EB7CAE126B909704080326076A9F66 - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102 -CT = 01BC9CCB1865FF19F417F3762A1369223F7CBD0FA0 - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203 -CT = 01BC9CCB189AABC743304F4E2F18DDA29209151C7F - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304 -CT = 01BC9CCB18D222B67E7288FF85F48067D611A7E715 - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405 -CT = 01BC9CCB1830A457922E83A2BDE361F9CCF8A1115A - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506 -CT = 01BC9CCB183845AA10C6CD1960FAB97A1D874CAC61 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304050607 -CT = 01BC9CCB1862F14000982FAC21A150E39C90BBD48D - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708 -CT = 01BC9CCB1845E45B4234DA8D212D996161DAC75EFC - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506070809 -CT = 01BC9CCB186D2F387C7B1C04E7890C7F9D01789B9F - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A -CT = 01BC9CCB18841D9B626BC3609CF49218E7ABEA183C - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B -CT = 01BC9CCB186B7C971493166FE259BFF87A1B0A04F9 - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB18D5986496F6EE96278920B4AB3EC01AD4 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB187FA7CE2E16E99262FBCF394CEA28F48E - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB18937615B6AA50590E6FB28C58605BD3B0 - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB18288D9A3105449AA271BA30EF33AFCE2F - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB18BF1524848C42249DDD04B0387F643EC1 - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB183843D791ECC36FFB12D5DB685BE55EC6 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB185441F4D340C0AAFB1A0F97AD030312F3 - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186A97EAA3E98C0DF4FA9CF690408B2C9D - -Count = 187 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB181D233C88DDF4F6FE508D5C674E522CE2 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB18470425F96A63B02273775635110CEEB7 - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB18EC40A1979B223D26F135B4B176E71DDD - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB18EE6FA7A8332D7D3A3D7A74161D9D3778 - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB1827ECC9A1DAF719E754307965B6CBBC32 - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB18ABB0DD687419A7A20CA81948609F11A8 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB180C9F10B6E5D8EFE6D8AB33870FC89593 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB182329D3B384EBD4DBE56C52D0352B7866 - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB180E5795BF39C7F50014025C34FAE78FC3 - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB18E85B966BE16CF79AA2FCBC22E55780DA - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186AFB196A254D2DC1693C44A342E19BB3 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB189594C2C6C1542C0B97DDD00CCC40881B - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = -CT = 01BC9CCB186E5DD3A7A138CB4ED6F3034CF84B99CAC2 - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00 -CT = 01BC9CCB186EB94C9F4AFEC39CDF104F18B8479281A6 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001 -CT = 01BC9CCB186E126A08CD395EC2E24057C9CC71183E04 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102 -CT = 01BC9CCB186E8655B460C92E8AD37395945899065797 - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203 -CT = 01BC9CCB186E2D6F4C4C1B16A3F57B8F7CA9BB040A04 - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304 -CT = 01BC9CCB186E616F78995B7BE336B03F71B222671F6A - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405 -CT = 01BC9CCB186ECD4C0A88476854F72323394D4727DAB1 - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506 -CT = 01BC9CCB186E62E5A0A80F46B15C4C25B160EF6BDE34 - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304050607 -CT = 01BC9CCB186E05B6079C416B1DE6B1A24C020FD83398 - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708 -CT = 01BC9CCB186EEEA92856B6C2BB9A2F98AF4120B45EFA - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506070809 -CT = 01BC9CCB186E4D9D762CAE58DDAD4BAC6B1644E2C462 - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A -CT = 01BC9CCB186E0B4351A35128568694DCB61CDBB56ED6 - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B -CT = 01BC9CCB186EE1BFC31B5974E1B304AD69CEADA9CA64 - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186EE8A4C111A29729D551A306283F5BAFA5 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4D7EC16DBB23B9EFE4FCB732E59C8732 - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E9644D90E649135885D85985B31543236 - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186EE40804022E38D5B83C1BCF370768922A - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E8BC1E94575DEDCF88D0809C90E9DFCA7 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186ECE5282BFFB6F976F454A298BF21E0116 - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186EABE57562D2B1F779CF080A1A5A0BF58C - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186EF22D41563B743330BB9A9A57C1F77DBD - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E2B5A6F04358F29C1FAE429B5BCD9B0ED - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E3670D9042251B0219C36576FAB197D1E - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E6B86E82FD2ED4BA3D11440519261671C - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E6FE337ABA790171E49AB726D38C09F14 - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E37EEA43B38BD66339D9C7414FCBD6A33 - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186EDE3215E66DEC730CE3BBD1F163391D15 - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E2FC276150960B007BF688CB96B0D900E - -Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186ED10EBBBDA48B231B0268B07CB034CAC9 - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E0C848B83A244C6A5990B06BD896AF178 - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E5436593B911780BE482A70097547AFF8 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186EF81AD592A7E94D7D34831B6799F05521 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E0F0802311836DF830405E16AB512144F - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = -CT = 01BC9CCB186E4A23B27355859C77129EBDF5492FED5464 - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00 -CT = 01BC9CCB186E4A3EE953E108F29E757CA842A1A381AE8E - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001 -CT = 01BC9CCB186E4A45F78E67D2CD7A910A2FF142ECB05769 - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102 -CT = 01BC9CCB186E4AF3EA59CA6DE0A734B97191E8E3220892 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203 -CT = 01BC9CCB186E4A7466C4372D56169BA3500B415055A4F4 - -Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304 -CT = 01BC9CCB186E4A2F28F57957F6A357795617B3A5BFC60E - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405 -CT = 01BC9CCB186E4AE1A4315B8AE4C8F53F234252D642B8ED - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506 -CT = 01BC9CCB186E4A7EB4AE74E0E17542D3BB80BB724379E6 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304050607 -CT = 01BC9CCB186E4AF8B465180BF4C239AAB4E01EAEE4E27D - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708 -CT = 01BC9CCB186E4A83B3A643D39D1A41F8ACEAABAC507DEA - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506070809 -CT = 01BC9CCB186E4AD26D97C172D7D4BF0E8A5122A19EF1AE - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A6AC4F057591D348B6A9E0B2D3B82BBA2 - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A46B952F1D262795C482BCB6FBD17E961 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A5137D743BB6D08A6B02ABB3CABE784FC - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A1BA882656B2F4BED8A347D817DD366CF - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A75D9E07F5981394E0210A318F4998927 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A67F940DA825B4A0401FD76FFDA3B9BE8 - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A524D2038FCC356C9D65F8C07339D72A0 - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A0BF44E8AB34FC634E505CBC898346330 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4AFADF774CFC4643C3D66C542206792EF3 - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A25E0DEA73CF4B74D473FC3E501A2BC86 - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4AAA54DD27D71C651CE9B07E245ABC0781 - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4ADD87007AD9DDA93052E7A734DDE28ABE - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A9D4D3D6A30DF8A48A53F9C81A2BD97BF - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4AD98FB2E8394C540EA569EAB82788CB39 - -Count = 257 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4AF65B50208263699932B33A2981CED102 - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4AC77B65D67BB54E69AB09BB2373D80C2F - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A2B75EE548CFCA2B48BA9DF6D8A45F30A - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A620A6353C05A821875C09337961AA0D2 - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4AB2E76BEFCC96838E8749B2E30C43DE8F - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A80D262BEAB22929B798773CDECC64511 - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A1985BF9EB0CADEB66A44A061D6C1DA29 - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4AE4706BD494725B172D0B673F09B0FDF0 - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = -CT = 01BC9CCB186E4A3787E19BC739E3B5972E7EFB07331CD1AC - -Count = 266 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00 -CT = 01BC9CCB186E4A37A1A65CECD6D76C170555E90C4D34E74A - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001 -CT = 01BC9CCB186E4A373EDFE88E791A64808D76592D66D4A697 - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102 -CT = 01BC9CCB186E4A37585B80C4A6401179879C2451C992B8C3 - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203 -CT = 01BC9CCB186E4A37E7DA775540A818D234263CEE7B003E09 - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304 -CT = 01BC9CCB186E4A374F323E8D5074EEB7A69DBD26C2672794 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405 -CT = 01BC9CCB186E4A37FBE4172B33BA8D9F4C0A5E8457C910B2 - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506 -CT = 01BC9CCB186E4A375F81F79F5DCE57B07EC93AD0DF8FA32E - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304050607 -CT = 01BC9CCB186E4A37F5169EE58ECB4ECC836495B6B3893ADD - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708 -CT = 01BC9CCB186E4A379D910AD3EA6B318AD8D4071A11D3DE63 - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3783B07084B196A2BFB9AFBA0B41522B6D - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A37C701C0212E819FD7C46ABA4748FEB41F - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A37D0C7DEDE32ED270AB32508F0D3FBBBA7 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3773A2C578F52392096F790E162D283B20 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A37CC5C747C2241D634EE26D6D8B88B4C05 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A37BF6320EFE703CC9369084939BC792952 - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A37900805BF323C091480792E9FD86AB2B7 - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3748753E1062F481509DB7D287DCF2B491 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3730EBA5BE9740949691C7E471CD871A72 - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A373FD24B7D6B32E0B63C0207F36ACDC9CF - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A37038088125D3365CE302FE6F59954A8ED - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A372BFA498F3B76882B837647E4BF62D3FA - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A37D8ABE960B0E2D3237CAC93E9F1605FDC - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3765D03D41563C550C843972BF00190B00 - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A379EC5880A524B50C06CE24DA51CAF28F2 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A378AD99F612C8502DE8780A0114E1B8A98 - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3756070CC14A381E8A7A259F8A6FC2E270 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A37F4A1E34108A9314ADAA96D02C8E5562E - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A372D0B0D282D6CF14C41AD0006442EC146 - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A379904648B977311E6F8D7433E8EA72653 - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A37B224710D15A1731A28CFE20329B16F16 - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3794425279421D941CB9E30771378F0106 - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A37C50A71B05CE3E6BF50B1A7D2DD4841E9 - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = -CT = 01BC9CCB186E4A37324638F43CB514289D09F43A8944AEEFA6 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00 -CT = 01BC9CCB186E4A3732BF8136E8AECE10E569C6A3BADFA78140 - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001 -CT = 01BC9CCB186E4A37320B46CCBE6352685626854874453C3540 - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102 -CT = 01BC9CCB186E4A3732753CBE7F87194673042091EAC51B58EA - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203 -CT = 01BC9CCB186E4A3732A5CA165B73D5F1F6C0B5013C29D967D6 - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E8CA3C4BF76943DD7E7CDDFACFC7AE64 - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405 -CT = 01BC9CCB186E4A37320A35382F317C3B081A2DF68199D2587E - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506 -CT = 01BC9CCB186E4A37325987CB69FAAAEC8F2E145783D6EA0D77 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732008F1CD49876AE1F03AC99CFE1C7AABA - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732DA8A4D4B391F527E80A32B76FFD16E78 - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732AEA90E523BD34A79135B8711A653706B - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A373201E99DF91985F719F49919A90404A3A5 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732EB5FE37039C6D0293FFB9313A458A901 - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732CBCED3A94A526A17A77204FBE19C990D - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A373222B2D21958E98200B78031070D7D8C75 - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A373293A80A0C96C30DB2D5F05063EE8AD71C - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A373263C9ADD3C13E854A81393B876FAACA00 - -Count = 315 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732BB52EC03E591BD9EFD079BC60C845C8E - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A373205E587F1EBD227D4A85FDFCBEC24E703 - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732B5AAEFF6738DF7343BE90E39D3347817 - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732F7A17F79DE19FAD7C8224FF6B5F768C2 - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E23AA2CA3364533808FCE50FB78F73B0 - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732023F88339D5CC69E319478D475F2FAE2 - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A37320325E897991CB05B2DB00BD1422A3855 - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732C4719E95DC9C20815EBD5F05DFCD3284 - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732EE45407E6AA471C77B9757D39DFAB846 - -Count = 324 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A37325BAA4DBC616C4B7370F71F04614E71FA - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A373206F7E6505F68F59EF4EA0551811B996D - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A37324B1AE7ED4ED26211042BD12357014693 - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732F25A7BD930CB89492F5F0CD1C31938A6 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732255726E99D454D61886A772040D7C0B4 - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732CCBA9458FBFFB35F77AFB356A92AFA31 - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E4195315441095BE5FFE63718B959978 - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = -CT = 01BC9CCB186E4A3732E81673F1A1566A31A2BB3B1CC24287321D - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00 -CT = 01BC9CCB186E4A3732E87E5D45AEBED3C551BC9F9793C5DE0572 - -Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001 -CT = 01BC9CCB186E4A3732E81A96AFB2DDD53CB41395D2BE7C36912E - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102 -CT = 01BC9CCB186E4A3732E8926BF51CE1BAEB5B45E39123BF43A527 - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203 -CT = 01BC9CCB186E4A3732E8760726D4B9AE36E38E7D32DF07AFFE10 - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E8A8D0E427508CC0D8858FF71EDE4282FD - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E8C12BB5AFBCF6052F6D164289B1E2848A - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E8ADA8BE2C72529727B47299BF843CADF4 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E8218941B627A6629E17CE0F946C876DB7 - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E85411EF48A8A6CED9283A25D29DFD169E - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E85867168BDD2070BA7C4BD848AEB38B0C - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E87012A9924131E278F8727D4CECBB0240 - -Count = 343 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E882A6289F21A69007093B73D7E91C7344 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E85260E1BCD62D08EA9498DA384AF9174A - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E82312F8007743CBC3592EF53E51CF3D49 - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E82506DD56364617CF33EBF4EEDDA24103 - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E8E9FE4B0EF87FB75973D68A64301D8A13 - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E826989A3B2E546B5FCFFCF937477949F5 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E84682FA441AA40C719CCF7D79DDFBB257 - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E8BEBB7109BC75336454093E8147469989 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E8C5135AC90B125FBE313DB93EFB41FEEF - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E836B3B343D3B289B186648F2BAA10EEF8 - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E82FC741DD3D839B17FE31BFD846E4A391 - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E88121EBB2F3C6F1960B02DAD2145AA78B - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E8AFDE1633DA88218923B9F36795147D43 - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E8AA7AFC177EFAB2134512F72DC5B52232 - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E8A299C3BF8DAE7F1197981FF3C7BB0F8F - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E8103743432ECF4095A52FF2CC0CF2EC0E - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E871523489BA621B160C628713ED41C441 - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E85B1D066CCDAAED1BF864D10454F4C65F - -Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E8CFD3C867030B88D4D8B04BE1F19904C4 - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E83B6D108F8A57C4A21371EAA014BF1B48 - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E8F454E48DE490DCD04AF3DEC3338B0542 - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = -CT = 01BC9CCB186E4A3732E86BFAB6EBEBCD14A656A60D80D5FBFD472B - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00 -CT = 01BC9CCB186E4A3732E86B502B03DAFC6EBCE81B0D2F6527EE58EC - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001 -CT = 01BC9CCB186E4A3732E86BAB66ACEAC0AB6F3AF3580D800F6E29F3 - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102 -CT = 01BC9CCB186E4A3732E86B6FEE586B7BB5F2A0DF9485EA94136CC3 - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B422CA9927F8D8517A0C67C2AA696AA9B - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B0071C915942696815F422BCC0FAD29A4 - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86BBD0186EF6FB0DB9BF1F1C4DAFE4D2F6F - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B5CC3C2E51BBF5065E6F3C773776C9C88 - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B3B324558B2192F32B9F17003A6DD124B - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86BD53AD1D9D2F83012754552012CA9189D - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B636F3F7170812A057E8A45E95697395C - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86BF66BE66B89E6DF8AE6DB09B6E74BE861 - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B0F0D6152B83E7A4C0E8C7A1F59192039 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B27D745B964F2FCA9752741534FB28C2C - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86BC70CD1F573ABF07751CBFF36F6AA6805 - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B1CEE7B8D636680D67572CF05F2B6CBAE - -Count = 380 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86BA8529DD987CF19F3C8D8EA049C4F68CE - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B17CAAF23725C1FD0BD322DD56CB0E7FE - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86BA251BD777689BC29332C0E90E6B52F5D - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B78FC8BEA173DCB732D23FB7752EB7AAE - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86BF386B1EF43FAF916BD300A6077B99003 - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9D2C1D7671207D2AE3D1B046EEDCC634 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B7C0A48FE08F33E8757A249856C54B0D4 - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B50AD0F88BD277EA10B4B4886F38B1881 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B74973DAF8F6E9EBEE01D0834F1D866F8 - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86BE25F4EABB582BB5DE7DA08DB325FE559 - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B05C415901F69DD9B7C355A02F3E5C99D - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86BD19F4D0DAD803B7BAEC092B707209F80 - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B870F870A5E78CA8BDFC6564CE41D89BA - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B814DCA56E26968DD71090CC3C493151B - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86BFFAFF08D845F4D10DEC8C26D08CC89D5 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86BD5534C94D910442427A1009516389046 - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B2A346C842C64CAFBA9746E7C263A3165 - -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = -CT = 01BC9CCB186E4A3732E86B9F73E1B1280D1648EAA310F531BC99C1C0 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00 -CT = 01BC9CCB186E4A3732E86B9F9EC37FAEB8A9FFB951EA2F59766F68B6 - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FC7DBC83ADFA752B981C5516F73A2C8E1 - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9F44830AC19101964CE0E1719B85C922E6 - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9F64866EA974FF25A6F303CE77BB6EB291 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9F5608613D341793650437FFABEF0DCD0C - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FC9DC9F0E6949B092930748AC9D80F0F8 - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9F3AD31F4C18B7B8B08D8FFCC413718909 - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9F1BDD161D75E2BBA330083D48342678B5 - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FFEF4D5A423B46C977CB9AE376B607197 - -Count = 407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FBD7B4A1177FCB7721AD92202C8B1B003 - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9F9C3DD51F3D80AECE356F1F0C9DEA110F - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9F6E0B9441D4B9F6E572D36367A345B3A3 - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9F241C2DF3987B5F98B26EB9D60A48CD6C - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FB6EB9CA75F76927DA2342D150CDF97C6 - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FA7FCBF63484CC2F820BE9CB337D52F1B - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FA368CAFA6A3332C5720ED33FB8550901 - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9F879465B25B6C7108D632B3B3202F27DD - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9F18F95DC2827A6C7A2FEB5AFA61238EDB - -Count = 416 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9F9C9F32313D3465F7004EEF9359DCFB85 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FEEBD041906DE5E9D253286983641342F - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9F6CE32B1FE6A4DDEE52676DDBB76B05F9 - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9F20C0BD5B4C64A99F9F66C3C7FE9714E8 - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FE98FBA58E390FC002BC8DD881277DD50 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FB4A6A610CB204662A2A6E1E42F94C8E5 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9F6EC65C3E71E5B9497AAA60EF50D56122 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FDEC8B153ADF81504395274505212A94C - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9F4365F4214CA23D4E0760FCBBADA05B42 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FD092E0ABF35FC5515CF5D8CF2227B0F5 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FC9DD3CBC49271EA05ABAD546D84A7EC2 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FC9AC210CD0AC00FD656FD360AD12DBA0 - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9F20E553B857CDD177245F7E16161018B6 - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FCB7402837A5C9D3569B6F3C6E277FFE4 - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = -CT = 01BC9CCB186E4A3732E86B9FAC401D961BD41D543AC1603FA0A50C2B9F - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC518F8987EBA976647BA3426F7D1E94A4 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4A737D2DE2E809FA3B6E34B1480B5FA9 - -Count = 433 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FACB773BC024AACCD1B6CCEB196D1D926EE - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC0A742CD6CF716CEE663BFED7B1F7218E - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC788DA22F72405916679BE156D430F32C - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC95F3D631791BE83C16498BC97E5358FD - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FACF02886AB9C91B88DCFB66C881BEEDB25 - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC6BC16286170802ADDC6D6761D91DE751 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FACB11B76F79D526ACBE222BBCC8753617C - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC7DA0676554D9353CFFFEAB6E30586677 - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC8952122198F998B8D6ECF8543BA28BF3 - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC0E9C730E4D81E533E8296A6B74FC603D - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC1A08CF4EF0D535A8B47360B0A20D7271 - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC3200C27BD756A6D6D534F212E5B8D331 - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FACA1BBA755C3204856CFA061165FC42C40 - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC1BA30DB059403667E168F8D821810EC4 - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC35A852B02A4A6DE9A8A8B3E505CA0E6A - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC2E8BD2C2F5F8673ED56E496ACABD6898 - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FACB306317A7C8AD0D24342451FD66D5BB9 - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FACF9DFD894D6931736888A556948FA10EC - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC99888D72617175483572E7FACBE4534A - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FACC60B6E5E924DB514921DA1EFB85F1D11 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC576A4C8D6927629111776D99E75F544F - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FACDCAA0779AEA6A9852C5ECD561D90DC2F - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FACD8AA18321510177914D27A89CAA4BB92 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FACF45F88A0CA2F7167B6DCD3AE8DF22FF2 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC2922364570D3949AB8BCDC2BA9C8C5AA - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC8FC6980ADDA1FDF78B3A1816398C949F - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FACEC83788CE1F1B10FB469F216ADEB596B - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC64B6C9C20A0FEFF6FAFB60A5B9F69EEE - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC07021C98759FB08D78866091A26A7496 - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC43EE750629DE742CE5D30C409FA095CF - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4A7DE7C24473190C3A616F9562517D9095 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4A6F1AB6EAD07880DF4C34B9B27CD61306 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4A235524E4DF196776A6F2DB0C7ED77C0C - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4A80FCCE0936A39FEAB746FE67E2B0318D - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4A8E9F02E81FA496F8DCF9115CCB530E8A - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4AA799EA648CA4D6FA36ECB4B422195197 - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4A6FF1377CE1E218E2C8F604B0CF71F580 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4AF72DF689F9699C3C5149B2D0FA2F6739 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4AF1DD6C8945A2DBD0F7545CE5864D8671 - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4A65A9CE6CA2D419E2A0BBB89022CAD327 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4A6F2E79B20C11EF9782885AD409C4C8CC - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4A0649368CAFF4AEB489B6A758A03AAF45 - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4A896BD015142C9E45A86AF51B002C120A - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4AFE02E6B7660957A9FFC4C1FF8DB7F333 - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4A5CEEF5C4EF67841A1BC6D1FAAE334A99 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4A524AD0E9DD9C68A3F9C0284DEFB2DA52 - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4AEC5782B37AC8E857DCD464EC29A2DD79 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4AC7A581351DDE24E5DF2C529150D383F8 - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4AEB3F0930549D64CB49A82E723EB3509B - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4A6D55D684746503C3C86704FB21097A24 - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4A2781B6E58B1FC70CD942CE54F8D834A2 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4AA89C47A932AD0D30A11F7FDD78134919 - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4A3EACAEAA346F52EE2A502C03845028E4 - -Count = 486 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4A200ADD38A9A4F0E758BB281661028468 - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABC961D07EB493CA09F484EF2A591DF88 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4A43703CBF2ABCEE68D0F2133070A6568F - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4AE47A1450DCCC7D0186669AB155079406 - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4A9A48E97CB72FAEFFCE0CF01680154A4B - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4A723414434D60872648FC630E55EE10B7 - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4A5A417F0A7AF9C840CA150BFC3E7F7523 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4A980771810E477D4F6915ED13A26ED6B5 - -Count = 494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4A6DEF3A172D9D1846216F6D88CAEF6E9F - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4A35D90BBD035D3378E5A4AE3513C2CE68 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF80960B2603A93BEB396F1F4B965B2358 - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF0D2A4272944C46006DF60E6AFA9D8F7F - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABFA29A127E3C0D2F477CEE4184EFA5D636 - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABFD0A59308712685DE4F0F76590A334F3D - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABFB26E09C2B10CA3274A5CD31759B39BBB - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF139B5734BEAEB928E17CB51FAFF33B1B - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3CACC9B0F63DE7DDC5965AC10CCEDAD0 - -Count = 503 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABFA58E9B14895325ED46D015019BA9FA55 - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABFF8552F6007F8776956014CF43D3DD420 - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF740F2E212179B8F7BB3E479171623784 - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABFB0BD81B8C288C98C4228889EA134EDA7 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF12FD1E3E97BFE2021550146EE509CDC4 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3C3D74367C516EF3E475854D64F42902 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF8797235ACECED5F494C48484B9C1C225 - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABFEFDBDBD4C5C1E0F3E66DD79A373FE9B9 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF45025F862A56B8D7D4EA26B35BB787A0 - -Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF01BF0D09AC64A02A89A71C150DEEC009 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF8910563C8976B1DC35253BCF44792C1D - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF65B52AADAA524D07D7DCF26D4836F42A - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF90E9B97B1BBD65A6E8BC7CA66E9C3B80 - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF513CD675F472009BFB8F182994C853E1 - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF46721BCF9892D6F26AC28EEF5C8B192C - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF9AC312F19267AE11116024C052FF5A47 - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF60600AF266FA85E34E1F1CD059CF5630 - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF17C2060665E186B03B5A1AD5FFDACD96 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABFF3317C8A5D2B421D58D7C1EB1BE5AC13 - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABFEFF1C4D9D2CC31C6724654DC4D5FD8F3 - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF1C17DC9D7F4B5F594DC5CFF0059DA2AC - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF106DB6A213D791B7AA9FE1AE850B1359 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF8A555713AFAAAFD5B8B1051FF0D216A3 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF07C52335BABEF530BBEFF5AB8794CA94 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF2C7F8DA912E426CFBAD11753790B8024 - -Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF43A90B1005F8F1B31F230761D2C2A6D4 - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EB89E6B0E91A693127B21A2FD98C8BE79 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EC28854328C96BCAD6673789A878CAEFB - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E44680250C8A38AA6BAA9F7BB56EF7EF8 - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E3722270C141499E640C83055EF0F9625 - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EE47167EAE8E62E1219C534FA678B8476 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EC297D85B154A24FEE903BE4ECFCE2339 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E21FC1AD32A524861BED34145091EED88 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E22AB5CBEBAB2D2268A292BE44BA9C0A1 - -Count = 537 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E0A56CE07579D9F0136DF5D56E290CEF7 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E15A9BB2C855EA8A4E2CF0BD3670718B4 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E86B4150A221DE98EF329D2826090D558 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EF829D0DB3422DBC8B88969949A141306 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EDB7247768241A6274C1F18C620C85978 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6E9EDA24D0A5EDD3B2245984D27FBD2A - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E9ED495328799A3C230581D372E1B40B7 - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EF7FAEB54D1407130BBD97945763407B0 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E61011220E6379839275EF7232789A64D - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EEA8F9DB9BEF9568E68C5711C8E7DA391 - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E98172CCCDF47BF54A7C66CCE83C8A0FF - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E0A076D1DFE32FCFB005E81577A40F30D - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EB394DD6532D2F7C7F723C0E72B3BED99 - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E26C4AEACA227EA5C48248C082BA91E08 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EC0D492EB7D217B71AC4B629511A54C9E - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EA79175646A1BAF10EB32AC8C8AF5A4EC - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EC55548631628A57BC6F9289E685C36D4 - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E2F45B1EDF96EDF6609DB27D393D0CFF2 - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E94AA93B8A4BAA6CAB82F4736CBD5E539 - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3EFDA602A9773E02EBC356EA7532ED847D - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E0D4D9B0DD8B4D4F0DBB3E835A380A7E9 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3ED2C95F1FEB5DCFB0D50CA801CEBA8EE0 - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E155981F9B4AD2E836B3FC9C8ADE65EE9 - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3ECD5D5E261AEB36EF8367B2FB66B3DB53 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E5773165AC795FD7C5753655B809A4A67 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C1485159AD7C781595B283C2B080A72B4 - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CB176670E286113BC60313B8F4079DE62 - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CAA952460F31C7458EB2645B49766A473 - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CFE689CD4FE525E3BE438D518AFF2635F - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C8D17CF6D834693B3577528D30094752E - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C92FFE981CA1344DF61B0CFF7830D3AFA - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C3646742A3DC36853BFD913346B97119A - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C1DE701E876110788FDB9A0879B461DBE - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C33661483D36F1C836BD368F22F9649D2 - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C26A8926AABD612482F7782BF0CFC7AB4 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C49154D72BC0DCEAA6413F5E4F0AC0A87 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C8B45E9B6AADA312B732B7C39CCD02207 - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C777B4DAFA0882CCD5B50829590F219A7 - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C57AA15066D92A1F2144B296D8C0F195E - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C73E740974671B2E35E887D34D2CC6091 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CEF24B7BE99EE51E61CBEE962344821C7 - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C625B4B87F3B520597B4A89496B5620F7 - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C43866B0F23B8E952A7BD78B4B1FA217B - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CA55B9B8F589A3DFC8AF78E934910C47A - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C308EA832F6FE4E12FC3F44875AA69E02 - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C7C33C55FD9AD7A21BDDE5CAC541EF013 - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C10456E209214853B38E8F2ED6EA711E6 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CCE0BC4FDB9F6DDEE483903C72B50FB6D - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CF2BD6609F73E9FB0E70CEF1966E1965F - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CBDDDEF713A527238453E367AD620C5A0 - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C8C4483A25154C02DAD7B7B89E3A423CD - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4F7AAF6995B901C90CCB4B824A9812ED - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C749E80AA5422091362A9AD88DA3B03CC - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CA3D3FDE1F7EA8C4AC2FDDDC1E792C64B - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C5A79B33B80BCCB4612497B7C8EA99081 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CFFFC0F74F35F93E571EFA088E1C9DEB9 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CBE72AA64B54C5D57ECE7958A4DDC17E8 - -Count = 594 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6CFB6200DB12DF5B66139E4193FC579CCF - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A7C710F567358487ABE78EF90E0CC833F - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4ADD7E17978EE40F71938C01D17BBE4FE7 - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A34DF9A7D6F0F3E275F8F83C30C418FDE - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A64C64376C10F7C8D93CE6609F6FC285A - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A17051FD7CB9CAD020C98643606ED474C - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AA53F6DC75BCB9EF9BF73B1429E1EF264 - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AD26CB9678F27108CE29A0443EAF8D1E7 - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A09188E6F506CAACF005C27DD8E49DD2E - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A4B5FE718320FA61BC0E081D75EA40C8B - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A07F02FAE2DE835252D8961401EF470C4 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A75BE1695CFBAD6096B3B5F59D8FD8380 - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A48188557BC0EEAB91D224AEEC4F8742C - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A60A1F8A51F68C5A1F9A2A9ED7A956D34 - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A93D0E05AFE58924A15EB8CB8EF020FD1 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A01745A22B229602401E0E5DD0690D06F - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A7E149418EC53FC43DA572C1700FAC22A - -Count = 611 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A3E4BC1D60E3AFB0A33EF5750F3C0A08B - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AB5CB2570F6CE0FD92D2094DCF5C7E43A - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A063E6AAF227EFA80FDD2EDA9079BBDB8 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A73C0E2B4048B427D7C03F97068EB31FF - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AA88EC0285D68A3EFC1B428921DD7F8A9 - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A88EEC981605891C68ACF39B80B7F6F0F - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A050AF1C8C4D18EB2900D955A1C0D26FA - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4ABAF592047B0E31B763D33038BD1FFFE0 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AB8CD6ABCBAEABC05CF860D28C3986C7A - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A785A925228D82A1EBE72CE6C92084B55 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AC8C5570C721097D5673DA43142F4F6EC - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AB40F39E7A0D6407C7F78AE8AD27CB6F7 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A2CC01E731E9D5D2331B22F24353F2A3E - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A3D04CE3954ACDE2F0B82132B7E1BFC8B - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4AA546342DA09A5CE78263CC305AF726B8 - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A4A85A55963BBA05249BA7E05502CCC90 - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A96E3B7B217C798F3280C7DE21222BE88 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82EFCC3780B3F710C1E03D59300F953BDA - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82DCB942F5929A67E360385297A2E768A3 - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8248E6BB3465953A0855188661AA711ED5 - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82B1CE34DCFC4D179F0EE20F52AB7EB13C - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82834230D2E3FC79DC0DA1FF3E1F78AEEC - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82C8F3E977CE7FE992C05C84AF8AE2C640 - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827AE6D01AB7DF9ADBDA8CBF8EE8BF573B - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82DF7FBD3B327F529C6ABEBC90A9EE9687 - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82B24C05BF85315B91532D39B9C541CD29 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82DB00DA537973A0EECB08E929FF97AE91 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8200A992B605EA03569D72E198DB815E3A - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8215F8A968F7A7005C7D198B94A0A6E5C7 - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8214F02156C3D039B4EDB2C7DD71D2939E - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A823D11373773071E0798E6310AACC9F785 - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82AC59B07AA17E8621EE7CC088BCBAC5EA - -Count = 643 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8243FF289EC111990077A5198C930C7909 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82B3641C40804C5B967EB3EF52850F78A3 - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A822CDCCE34E8DD34ACD5C9BE7478E22F37 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82062F4917C2CE97108D493A40C4D5349E - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82F92CB4E24DC033F540D4C08118495077 - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82353CBFE72D212D37898912E8F22A79DA - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82435F69F4EA94C44926B50D4F3BA90771 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82D66AA00CEC52C357882A94F6A6ACFB2D - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8217232E65022A6A9F3F22316CD3914E86 - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82FDFADF0DD945ACE3E7DB3ECC1E01DFB1 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82A65DEA1F10F11E787EF3C8968ADFB871 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A829C68ECF22482C5FCAA95F3641FD37CA9 - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82E558634AB352491E2F682331C4C67020 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A825385B476F344D7586A688153D641B4EF - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827342341EAEAB8211125D391D23C2CAE9 - -Count = 658 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82FA93A9A69BDF17381C9D036DDD1E9B40 - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8268CB07BFDD7BE8DDCC1AA967E6E739EA - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8284235072E32B688124F43FA99C07CB4A - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82741314BF502D26243869A68BB5AC99EEFA - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827412B995749A2BE0362DEFF0BF989D877E - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827484D3776A1AC445F0435F63B686046885 - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274D37B16E3A5DEB272664F6F589E978954 - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274125F0556B157080D0C4503E978AD6AD3 - -Count = 666 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274515C841A58D96821FC5D7AF533222AEA - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82741C9CC909A820A1A651A616D73D9D0513 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274682BB29EC1EFF608ED9DB696A31F4A2D - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827438537FBAECA2DAEF3D47E8876D86CA07 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274F1079FC9C8CE3FCE7BB2890B65536C58 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82742127A8EC4A3230F43E0F3A7E526CD5A5 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274CDB9A21BB42C371BE51BF46FC614FDF8 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274970B691C518A64D9018511CB23D91C90 - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274156622246F0DFB3B1A1509B77305EA15 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82740C8B221715985CDA79E9C306B716D903 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827468C4FE717546E5CD93B4374EDB9A17A8 - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274E80A11747A81F3F140CF766DD2ED8F87 - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274CDC5A9B95676476E4E1FE9000F0219F3 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274D9D8AB7C1F64E96C3CDC5B06CB78F9F2 - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274B76D66CE8BC5AD907277168A34703FE8 - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82749EDCB523B435C8CAFE8F99336315C8BC - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82747AFCCFD945D45B33EFF64DC43ABA96C8 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A82BA8DC8217409D6BF57EF9E6FFB31E - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82744F392881CFF8E29924B0F87BEC79B76D - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82748D277ECF9A4362934D2DD436359D212D - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827448FB138DE56898B67A5D36FEBB0BA1D0 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82745F13E8D994472537197813EB9BA1C1D1 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827485D3F6E757FE5C99EDC739759FE52767 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827494D8D07C349E5B9CCC27EB66EDDC4725 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274D8A2935D6FA82BA71A0193F10456628B - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A82747CE5A83987FB78ADC44F1E7E860756B2 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274C6314A3A6781B281B43E6B664978E60D - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A827414DB2EE8A8955F488D41A402FE2E3DF7 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1C2C3FD6F3B52F7152EFF4047C0FF82C8 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A10F3C657762A095C773FFF8507EB30346 - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1578ACFEFDFCD4ED6D83A1E45E9EDBDB9 - -Count = 697 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A6D50A7E871832F5CCF84FC332A18660 - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A143DE68D7F7FD5BD519B02207C1400E57 - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A139FB835EFEF3A5A07252EFBE1008EDCE - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A6EBCD2EE9A5A4E0823B84327D08E4C5 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A11343D06D504D835098DE8BF6D67535A1 - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18C996E65BD73FBA09B0BF06EC628C178 - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A19C1D9C33EC6DE14F30345A700614B4CB - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A170776E5687B960B22EE95830007CB6E3 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1AD669D02E6BE47FF6CAEF9753752A447 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A33EE0E41AB4AA5D343F450223FC8422 - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A13B61B1951B52DE4BF7C400C84C72B1AC - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A145C64EB683444F2FA25DD50B79C1D6B1 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A172E30B795E668E19DCEA9D43D913A083 - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A10785E3226655A727A8061C4E1E29516B - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A3960645FB45F78B5DF4D5E8F3E9A8D8 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1623C8E5F236344B4961644347330AF3A - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1E6A75547C72899575D158DB28897B854 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A13892B0B38259946A6C828C5A4079581B - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1C130ED80AC949228E2DAF3F84918751F - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1A7F28AB31A9949AB16C2AA515036CC92 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A15564A8258B54103D729DFAD5F0A097B1 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18780B413ECE061784BCCE1CF657C5C0B - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A13237E6111610D2D08405C4E0869ACD05 - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1665A6CA483CAC209D566CF5C2FD6CD65 - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A19507828132E175648C2AC36FCD418804 - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1D3A7B40569A254E4A7E4CE3BE2CBBDFD - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1C32E9FB2D8FCF931259D534247C45C19 - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A176D6967C80E7B4418F625AFAF627BBAE - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A15AA8EA79542AFA100BDCC92319A21E2D - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1FCA34F9709ECC3A89A50D051860D8DA7 - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185F2D9CB58BF1B9929F1AE683F6936F2C5 - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18545742DBE333EEAA8961D98838125458A - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18567DDE2FBCEBBC8C04910B84F4122B23C - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1855DA9B8C3C87CC3E344204277D0DABFFD - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1850C98AB1AD70EB1B7C93D6FD7A413297B - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1859B7C652867D5097D5342F4DBA208FE57 - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185E32E64D21256C3319999107524969402 - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1854A141A64740AEAB77DCD9A252BCCED0A - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185BFFD3B9C9E7D6B06C6095DF5B13A9CB4 - -Count = 736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185EB7DF021861EA61BC6311E64D72BACBE - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18540792087A2D05EE5C895D1C5079E7B5D - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185217F1F06ED81A6499D62A506978E826A - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18552AB9689B30DC3D4E266BE937FB78CC6 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1852D575EBE9E8E6B03A333F46769CA437D - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1850B9CDFDBFE84B8978F9DE3692D92FAD8 - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A18500FAE2653BF38A9B43760B091E733AF6 - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1852EC10598ED1383027029D763B9ED88B7 - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1859FE69C82A3CF8D13883E95DAEB2A9637 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1858C3C52E9B04713609BAA1E1DB3171DC8 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1852780D6C9608EA5ECD31559D0CAA58BD4 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185243D5525ECDDB90CBFF0214A2154A24E - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1857622E28C957C39BBF903C14DBB44404A - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185C982F2FA62A26C84C1FD5B4143AE36D7 - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185B20431E5A30CB073DFBBB90560F098DB - -Count = 751 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185AC919A508EE606DEE9D7B5E87E39D206 - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185BA16E9AC3909FED7444649A2270F8963 - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185585DD3BAC0BBF7D1A9D2B77ED96004B3 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1850EF8D958434569450AD3D196B302D798 - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185F49DDA9F30B8A9B73B9AEDD53E497340 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185F968AF5BC41CA9D12C784B1F6216EE30 - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185224F1D953BC5D94D01EBE75E9865A84C - -Count = 758 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1857B2E3A36F49A388ADF608CA574BC31F6 - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A1852797D571BCF62DE982C9412C083BAFCF - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFADD3B720BCB28D0BDE125E76C453E18D - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFF37E19C08644E5926BCFF1C136EF5787 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF2B165779216CEC474755AF32F467C657 - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF0EADD5489A3E3B00C1CD5CA118CD9601 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF679ADC1055A5B726954014C305186963 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF56DD099BCCC5620EEDBAFA139CBE8F84 - -Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF330A57ADC7907E97AA97B8922F8CA4BB - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF48AE2AB3DE406C25C117C8F773A4D05B - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFB1E2F00618D768BB8995ADE408D04105 - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFE8BC5E68DE47534502558888C4C7705F - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF715AD1A0BE9868F47140F28DBA8BEE31 - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF1F7A1B9A98C623F126568CBADA74FAB5 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF349C2C47CEF6D7CB570995E4EEB189CC - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF2AE6C170A1617CCA33C445F9C4DC2365 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF4D3942A78CF8F442E4C87E507D87D427 - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFDB954BF34722DEF743B79C9401A1D21E - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF8C484EEDC4471ACCFCF61E89D46F544E - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF9F8E065699E0A65340134CF6F569664D - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF7E35A2EE11DB2600D7809533C95FB545 - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFE67295F0B33CC450EA09A555A4136764 - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF161CDA2B132352BC8C651F509F99CCD5 - -Count = 781 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF0548C99CF2EEBDB8791273D5D70DAD28 - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFC85274577F92589EC6131F05240DD5A8 - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF7073E5A048058A4D6BFC6E1FB2403AA2 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3EFCEF899FDC6E32933A3BE00720DC71 - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF4577D7482C1978054CE6F608590DEEBE - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFBC69B4E8CD2DE23B33BCAA9102EC32D3 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFC6FD418C301E67C2AA6F8C3D1AB0A07E - -Count = 788 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFFF5AFFC8DFE00BF453AF329976163D1D - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF83D233A317CD92425BBA9D035A7EC747 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FFBFD9DAF957D9FF8082ACE0E23CC9A162 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF1277857A9086B6A1940E61C6D0CB9AE8 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF50F5E064824127C1F4A8DA7FA2843304 - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3497006E743E42D35778BAC45748D69FFF - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF345830B1F148DE7189589D2A7D67405778 - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34E1B74D94C7C6E63424DA901F0851DE11 - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34A8D7AC3E9CE30DD54A8468F160185484 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34D640F07F12918FC696DA766AE9C634F1 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34DA477E48DAF745F7C2306C923B2568B8 - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34357675A394782AE8F975F2FF879AF395 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34DD537A7FC9B3E02640AE0A65C97D6ED9 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34C05D0DAF3000E849DFDEF60345A38A3F - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34D877F3619E3184C64E22D886B971BC29 - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34FF09D75FABC6A5C2B10760CFEC857A8B - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF348A7C7AB237E315FE73387BE8D9E03F02 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3452D846B0288E4FBC3EEAC4C0F3CF188C - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF349A08FDCF9357493FF337EFF571659811 - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34C0C9EF89093890395C0D70885D0A99D3 - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34F845CB10E2A4DAAF236D43FD631ADD43 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF348273E8DA3A0BA2233B0618BF002BEFD3 - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34A3D8D4C90E955AFA9FF8A28FF8D1AB9B - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34CC5A1650A1AE302F61B17FB88BE9BA3D - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34E53101444DB3A0F4987881262B8DF152 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34DD2FFBEC5F43899EC958D7419513FBE0 - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3488E39BB3A7CA4D993AD2BA65CA40BA52 - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34C98654E793BD747535C42460B3E2CFF9 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF341790B4F41839FF7D31AC5E70DDA469FC - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34D1AF401DAAC747242CD4E14D31203F26 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3496F3E049774E7F1DDEA95E1D19376641 - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344F92784F2D67CB87235A3232F474F63D - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3482F93BAD3D714CB690A3653A0669C371 - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34AC8B0776186861050EB0D188356397A8 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF346EE8669A81CC1406DBAA9391840AD100 - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34407999AAACEFF2A18BFD428C7D5358CD - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3448D2A5EC90B34FD18939DA481247F8DF - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3405236500604D339630E1CBDE6BEE9F48 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443DEF77D123F940587FDAA3624DE9783FA - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443504A2C04965A9171C7D3A326734F7C3C - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344356E42C2CE13F390437F90AD42E456E6B - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34435809913334B9A5F6BFF0AE5325BE4CF8 - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34430DE288A21C6D6F9F4EBDFD45E2A90E5B - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443711561CCC911E1C1C9B9F8796F3E6730 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34433C91EADF2C8AA11B37094ECC93EBF8DD - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34436EC0DF00A3584A2F216618DD630803B2 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34439496D5E5BA088A1F0E88FDA64DCA306E - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344309C7FAAA5DB3C2BB9CFAB55AEB47B6F0 - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443945470C08FBE7CF9A6E2002A7838F8AF - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34436A2D41A3948FBEB6902ADE216826B7DB - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443A6F9B56C2C9CCE5E4718DAF590DC24A6 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443C443EAAABB92FF493E9DAA337C36F268 - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443156921C3740A86AE33414370BDD6942A - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34437876EC2A080DD3BE918F76669B434637 - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443D3C8315E8F2D318DAC4A8DCB6522364A - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443F9511CB7B2FDCCF80B933C5385CDA6C1 - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443FB61D18B8802C231C210D7B04D0AF1BD - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443C96A6A10335AF2207C37E859F9CA9C72 - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443081B519FB1029B4A734A514DED68A142 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443AAC5C0F7558C7160C624811F164AD67D - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443F1A2F284C4AAE53AA7470D63234D4B61 - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443C28585A5D6421A208D21279E04AEA208 - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34433A7BF55D38B43C9D11693C29452D9F3D - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34430F5F733F907C5E901562A67A7C16EA20 - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443DFAAA9FF37AC40EADD750B9A149D8986 - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344316AB168D61A44DBD58065B9EDDA4FC54 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34434EB86D8F8C35ABEDED59DC68EB0E7F58 - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34433C4620C1E6DFC5E79AA5DAA2A5AEEFD2 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443E3346509BCAEB86D5F5B014CF542FFB2 - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431A74CC92BF10A31D6688864599BC42C2 - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443058B51F3CC92F444EA41484C66A3F520 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315A79923C10F7F0CA455AA1DA9180DF650 - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443153455D42A62B3A804050EF9E8ACA3CBB8 - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315D1293220F94F8D62414D78122D7E7530 - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315FA980E779EE4E84AC8D8B265A56E9BC7 - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431576AF5BF3AAD29A63F8C39B3BFAB86D9B - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443152C3169DB7262A3CB952707C825CFA729 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431533F0D55289A5676CCB97986520AB8339 - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315A72D159CF2EF67A727EFD2D5C263E680 - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431563A90165D16991165F33A1528854231E - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315D30C07AD220DF8C6335EFDCEDB9FFD20 - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315AC4DEFE4997C6EFABD4CDB4B7EC219B5 - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431563E08CC63CA7256E3AAD1BD6313A2290 - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315934B9AE130BA8C9F7921233F1658685C - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443159640E273FF8D92ED1224E298E6649B51 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315314A18DE251959177A2E1C6021578B54 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431574B882EFC8F250BC03066969AF906DED - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315B0C62B6AFD574E030DF8300528224CAA - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443152F4376B34F163E56F2E5D35C0985F529 - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443159FC4D4DAA9D2259DDFD0EBCA735C5245 - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443157FBC238B14D0E57E57C581D370325DD8 - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443153D7AF65EC956CBAC3A082C116B1A5349 - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315681545225822A2BE375BBB3D91117730 - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315FACD5A403419238FE671644DD0021688 - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315939E31619FEFF304609F71C748C831B7 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315A60DF598D9C81C380DDD45EC86DBE5B6 - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315A494ED08EC14430C9EEDED19BFE1F471 - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443153A0DA6786EF7FD5370634344CC577C7F - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315647FEE0F7A93A450CDE339AC5312D0BE - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431569DA14A717FCE40748B3C41F27C268BD - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443154EC759DBF97EDD0D69D58479454532A4 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431524DA86A19013AD485B54E1D71B4AC36B - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF34431597576B8341B48888F2DDBB3018F9B983 - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF344315EB20F48A9C0B72FE18BFF05896A2CD60 - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C57343F63AA5828A0060D9E9AF3B3D828 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C287495D3D0639C1D4279DEE2C0647A97 - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C97FD0877DFBFAB7076487E41F98DAE93 - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C039203D22E1E3D8B65E95BED19B6E0EE - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C1A3041F00DD5C0D5CA28E5F289A02E84 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC64D1CE7C6BF51C0FCF7A97E98BC833D - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CCB7637C6F01286285613AEA665B76077 - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CDB776353669FC43F7E4A5828B6EEA290 - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CF6B5CE3245270C78003F12D569F297BA - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C222C98266811056C99AC5FB49A735188 - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C83AD740361228DDB487FD09C608B2BC5 - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C9F93BE2F54C7E77BFD3B835755867F57 - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C482DE8DC237929A4F37154CABB33F48E - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C448FD9B5DB9157C362A01E4D4C84BF07 - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CE47E7BBFEC559371F88E82E0295A8C3B - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C052B9DF5F0806EAAEA4A97640483A039 - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C252FC35E45FFA86788D77E2B9CA6DB07 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C43CF918EA777F07F6E533D647C05CF68 - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C3C86DBB62CE523DF8FEFC59F54320611 - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C4B9EB4AF2B4F50DC9369E6CBE795910A - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C25ABC5E26D6BF36C3AB5BFC1061EF18B - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CEDE50474039E77B0CC11F6190F9F595D - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C5E83057A4B7AC18E2FFD3FEEEEED16F4 - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CCC925DA211157171D6BC57FB69343ADE - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C28119B694DA152B21848C58DE53A84AE - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC898DA7D55D8BC5AFAB1597D4153D263 - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CE1F1AC5E7390F324EEC8355DD1EF2BAC - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C49041B143A49CB4D9E6D49878DE8CF07 - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C8603CD75C3E2788C2410FD76342D6049 - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C27317AF9125768370CBF3EA7A1B70135 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CFAF4CDD26DA034ADAB7AC583F15AD433 - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158C0354DA82DC438D9EE9D315197850FDB1 - -Count = 924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CB701D152AD5E38F61FA5267020C2889E - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC51B8A39E81847D6F7ACEE703E3370962D - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5DEC343EF82DCF17D78A6A396A644094D - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5B6298CD321BA7F975947B6A268589062 - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC58FBABD78473A3A5377313BF5D1111499 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5B04A04EF67A76591A90292FF13BC7A07 - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5B9CE065176A49AEAA1F253BF3C91571D - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5EA1F1062CD8ADD219440F29F53ECA5F4 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5CCF62628892B2880C2E35B1B3C761CBF - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5E08F4D804F8021B97D3D1D10427FA4C9 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5F2F8A4AE3B7D403DD43E86BCE08469DE - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC58A823A49547CEE14778492F8C0454FA5 - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5DE34BFEDD0878ED8E4B8736F90362A0B - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5C78CE1B58DE390E58919B86FE9897C79 - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5A9DAA229DDFD391499F0CFA570B8ED90 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC54196E93B94E2E5298FB2F595E1673194 - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5ECCCAB252308732156BDF37CEB8D4C12 - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5699C649B2C466EB0E4FE0FB7C4DE446D - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5701D972412295D14E200D2B97CF128FC - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56A547D405F5A0CC8DAD1544FC66BEA64 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5B98F152D5A64A476CBA5C6D8AE4C67BF - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5A5739C9AEC423F39BA4DB5A9C76FC763 - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5603EA7C4894709FDD217A2A92F7B62CF - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5CEF7C684999AB79FA6FBE4524F374A11 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC59203A80108036D494753D5E97FB46714 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5FD40802D5E11BFD635D989B0A750D79E - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5BC7E4723AA7DE2D25C0400126B0983FF - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC590A67795A679087E3C1FF48D84264285 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5D5D212DB2090F9B59B857C74A9E30E8F - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC54A75A4D02A554DAA4DFE646E311AC147 - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5BE82F0433699A3B4279C8300E03B8E20 - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5569A9131A9C3D1309498A9D4F7041D1F - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC59B9ABB4FA0583E4AA97FE36675D5400D - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC5144CD804B7224118752D6CB599E4584D - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FC4435B9545DFC9C2501F0AE3DD1F4EB7 - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F42D582BF72D9B0E70B1B80E3F9170E72 - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F71218F5D4D3152E77990C003ED0D9A90 - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FEC65AFAC0B91004013B4F12A312F0A7F - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F27D9871C73E4B456DDB666A51ECF689E - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F43F92A8D3D2A649D9845F3D9E0B651F8 - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F2F0A1CF4D16776660F834BDE59F36D22 - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F6A2AB2FA1EDBE7E047A9783511CC02E7 - -Count = 966 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FD13E03AA8BF36DBABCA7A1B0ECFFD858 - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F0A386770D19EBE01B61EB8F84215B93D - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F307EB4F08A4B4A2F9A033CBC479D5F66 - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F28AE044EC987E3882E83ED88AFBB3FD0 - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F8AFCC09CB9B276F6ADFDE51687FDF776 - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FA934DA00C1334A16647E15A6E9D22AA0 - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F9EB9FC392614D41817E5AF9238576DBF - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F841B4A4A85D13D2671D3BA139E0A10C8 - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F6FF8EBD3AD75930D21FE990719CAD957 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F0D384796A0EDBA944CD237DFD3D43015 - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FEB9F5F4D62AE1B00D1E6E090E1C7B950 - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F18BE7D9D86B267D5163CC107F28DF4EF - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F58B77CD3AC994EACA3E9D9D259F6D620 - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F0654C2228C863360B2AC94DCF96B772B - -Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F4AC98F2FE00DDC1289CAEA253E5E1582 - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F4F1CFA9D3D7ABBF8E9D3D77B7E568AE4 - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F272F1F29135CA08A343BE6423A7015AE - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F984B6B325C6800411EB37528DCC6379D - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FE85CA229A8F9737CE9C5D1368D4357DD - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F8BE2AF5271DC3A420E7FDC860C782415 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56FD45E8F766203A10615F44197F8CF15C4 - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1872D4AFD9BBD63C1FA2F5059C56C2BE - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F036D8D475E48363E8C101915D13AB6E2 - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F79E73D662AD42AEF4D44A5FA2D3A28FB - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1B3E1606ACBA610135520C82230E98A8 - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1359F22C3C0B9D317CEAC57B2DE2F915F8 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13E5746E05604D3AE35EC5C4C1C29A9CEF - -Count = 993 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13ABC1B519EEF8F571E8D30F3AE71BA156 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13EACE6C64EF6C6C06621F3B8372122560 - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13080394117B9E52C0631D9107BA371847 - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13E50AA11649A7E86B2E631594FD8D3A00 - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F135BB8F79F09481B8C75CE51E8C98774B6 - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1301E74BE97D6B239F093E93AB71C7B6D0 - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F132AA318B90D4F0485FE2E80CAF5D88993 - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13FDC152FF6EB01967BD31D9C280BB0AB4 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1304B3AF6E96B4EF29B288A4B521D0C7E4 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F139E3DBC714D2E6A0775E3958571655E97 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13CC161126D83D4D824DE0F980FEE50935 - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F135FA318EF00D68DACE43639756E0C0ED9 - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1322043360A6633B716EE761C32C627E83 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1377BA701C16F48E249BC0250CAB917936 - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F132F53466FF6BAD6DD522ADEF70AA53818 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1328F4620D009DA5AE6B835523C0978152 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1345F40C128E374553EFDD282364D089E3 - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5B2B8290254ADDAF4AC1AFFCF54D1D4 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1361C947E45255273B7AFA5E6C2BFF31BB - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13997F0B2AEBD88FB55D389E2B463C4D8D - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1388D62F9BBEAB45179116893CFF8C959F - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13AE6D12FCFB2EA9325D8892F4B71F9E0C - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13652609061217106C7577E0336C8F0C59 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13D45A8658FC51D6457835B864D4909C67 - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13A138A2FA287BD28046D19BA4D7FCFDC0 - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F1359B9568383B1F941162FACC55E4AFF30 - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13AA879868DFFD3277FCB109317488708C - -Count = 1020 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13D1C3B5000B19A38ECDE01C250F45B5EA - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B3ECD002BFF19219044AE5BFA12DD2AC - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13C18FEB73F648E1863D42610CABD2272C - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F132225051D523177454F2852DAE044E0E0 - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B591497A595B4A8E0F1DD6D3334B4EE3BB - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5888905DADE5E6F88EE62F54FFAEBC8FD - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5179717F7CEBB6143D771C4F93A8A01FE - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5007910D1269132007FB75298455498D7 - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5EF5BE30531E3BB62E0270701AC71A85A - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B57CAE1B01366E885A62A9B41DE00029A7 - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5D89A8F62B3180C26D537295FA461B940 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B531F400E5D5B70A90B120F404B57A44E8 - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B57A16D365E58337577ACA6D1C8D46BF05 - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5304AE34CD0E200767EF610A8B1C5329B - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5E8FFA627EE2AFDCA1C32DF0A721B2BC1 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5634958428295AE10254C8237C2E16D19 - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59E90675DF410167AF9C188CA3293DE9A - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5F6C8124669F30619633E69C633954504 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B52DCC1CFFFABDB252D812CB8FAC3931F7 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5108639103881D69E1F4F351049A57674 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B57AE536D7BCF8DBA5FE77FE025A3EC9B9 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5EE0D2C8B7F9AEF77A6BE997E8FF879CD - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5A5A31F3D31A22272C38C392B5D2CC44E - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5C69F0638B58BA2A78600B1622AAADDDF - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5123FC7BF407BDD5B3D363B2EDD2F3CB2 - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5B4A0BE4E74EA514890CC40ED39E75669 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59C20092A5AF43C1C29418030B1D39F04 - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B54DDEB2072D1B4AAA59E1D2095E6DD143 - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5FB2427FAB8C4519EECC05885E6E68DC6 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B54B98DB30DD9A0ACB2D30A99FCFE8B75D - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5DC77889BF41DA00982EC937E54D85A05 - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B570F547C291C6C08A2FC5C03560E9E79E - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B5617A1DCEDDE56EF7DCAC75CF8109DE8C - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B551C30CE982C45F52B2CF4FB176DD25A9 - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B50FA3BA7232E677D7AFEB2B91606540E3 - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B55F06310545AC8B896AD01C1C61112568 - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59CB65F7D4E99C5466172C4B81EBC4E3F - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A0530EE63AC2F5557A78313692F7CACD4 - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A70A6D4704F282DCCFAB90699C6F1E75D - -Count = 1059 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AC968DB1373580FB448C543135A062FD1 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A647349FA86759C822C995B2FEDE9FEFC - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A34366C7EB3A53F8F2DE75D9692FB34C8 - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AB845864382301DED84ED4055D07868E1 - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A736CE4BC21FA417BF3F70A58018A408E - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A12582A9A5E1F1959A368ACAAE51FB000 - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A9EF5AD88D51A435AAE0E5613FD5988CB - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A6D6DEA50D87756FD4AC058EECEA53B5E - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59ACC0FE3B224507BB3C3FC1D1F45CDDD45 - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A435A9B708AB438D8B9FE9F8A5E54BFB8 - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59ADBF65C902E024A4A6A0440665C33A81C - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A49372E620C2FC3D071E74D3527324A1D - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AD218CAA7DB74E05E80C4551CE53857F7 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A5C115C930C3E99E14533CE47B3C11DFD - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AD1FD63E63F54C396D6A938C8646EFB65 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A04B0B3A944DBD783EDCDD95C60096604 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A3A1E6D0B9947CFFB220E910D641D56E2 - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AC70B11D1E6137F4E0995A799023465A6 - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59ADD0830C65124F7FE260243C9C9C3B89D - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A4C99A441E87474CE8C02BFC2184196C3 - -Count = 1079 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AA7E6C63938F014243FA667FCB37DF64A - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A68FA974F3DEEE29674A1D840006991FB - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A200B7EAB5F11717455F0E5BE6AF709DC - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AD3C58ED54ABAB6D3B9248B5169D27898 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A57BDED4E0133724A55C874D9403A6608 - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A2DDCAA7A8E785C42A59D2DDEA55DF25C - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AB00DCEA6A4CCAA7E18B6B05176D10AEB - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A249ABC7AED396AACF12548C7595CD661 - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A2FD2EEA5AD1D5B1FF120D6FA380E457A - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59AD39F4E9234E8C13C38E2BF8FA114DC4C - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 01BC9CCB186E4A3732E86B9FAC4ABF3E6C4A8274A185FF3443158CC56F13B59A0B6851D49C3E6049B766C013443433EC - diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.c b/isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.h b/isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/api.h b/isap/Implementations/crypto_aead/isapk128av20/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/encrypt.c b/isap/Implementations/crypto_aead/isapk128av20/rhys/encrypt.c new file mode 100644 index 0000000..c54de88 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "isap.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return isap_keccak_128a_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return isap_keccak_128a_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.c b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.c new file mode 100644 index 0000000..12a8ec6 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.c @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-ascon.h" + +void ascon_permute(ascon_state_t *state, uint8_t first_round) +{ + uint64_t t0, t1, t2, t3, t4; +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = be_load_word64(state->B); + uint64_t x1 = be_load_word64(state->B + 8); + uint64_t x2 = be_load_word64(state->B + 16); + uint64_t x3 = be_load_word64(state->B + 24); + uint64_t x4 = be_load_word64(state->B + 32); +#else + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; +#endif + while (first_round < 12) { + /* Add the round constant to the state */ + x2 ^= ((0x0F - first_round) << 4) | first_round; + + /* Substitution layer - apply the s-box using bit-slicing + * according to the algorithm recommended in the specification */ + x0 ^= x4; x4 ^= x3; x2 ^= x1; + t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4; + t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0; + x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; + x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2; + + /* Linear diffusion layer */ + x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0); + x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1); + x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2); + x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3); + x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4); + + /* Move onto the next round */ + ++first_round; + } +#if defined(LW_UTIL_LITTLE_ENDIAN) + be_store_word64(state->B, x0); + be_store_word64(state->B + 8, x1); + be_store_word64(state->B + 16, x2); + be_store_word64(state->B + 24, x3); + be_store_word64(state->B + 32, x4); +#else + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; +#endif +} diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.h b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.h new file mode 100644 index 0000000..d3fa3ca --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_ASCON_H +#define LW_INTERNAL_ASCON_H + +#include "internal-util.h" + +/** + * \file internal-ascon.h + * \brief Internal implementation of the ASCON permutation. + * + * References: http://competitions.cr.yp.to/round3/asconv12.pdf, + * http://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Structure of the internal state of the ASCON permutation. + */ +typedef union +{ + uint64_t S[5]; /**< Words of the state */ + uint8_t B[40]; /**< Bytes of the state */ + +} ascon_state_t; + +/** + * \brief Permutes the ASCON state. + * + * \param state The ASCON state to be permuted. + * \param first_round The first round (of 12) to be performed; 0, 4, or 6. + * + * The input and output \a state will be in big-endian byte order. + */ +void ascon_permute(ascon_state_t *state, uint8_t first_round); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-isap.h b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-isap.h new file mode 100644 index 0000000..ba99f2a --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-isap.h @@ -0,0 +1,249 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ISAP variant. + * + * ISAP_ALG_NAME Name of the ISAP algorithm; e.g. isap_keccak_128 + * ISAP_RATE Number of bytes in the rate for hashing and encryption. + * ISAP_sH Number of rounds for hashing. + * ISAP_sE Number of rounds for encryption. + * ISAP_sB Number of rounds for key bit absorption. + * ISAP_sK Number of rounds for keying. + * ISAP_STATE Type for the permuation state; e.g. ascon_state_t + * ISAP_PERMUTE(s,r) Permutes the state "s" with number of rounds "r". + */ +#if defined(ISAP_ALG_NAME) + +#define ISAP_CONCAT_INNER(name,suffix) name##suffix +#define ISAP_CONCAT(name,suffix) ISAP_CONCAT_INNER(name,suffix) + +/* IV string for initialising the associated data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_A) + [sizeof(ISAP_STATE) - ISAP_NONCE_SIZE] = { + 0x01, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/* IV string for authenticating associated data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA) + [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = { + 0x02, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/* IV string for encrypting payload data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE) + [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = { + 0x03, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/** + * \brief Re-keys the ISAP permutation state. + * + * \param state The permutation state to be re-keyed. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param iv Points to the initialization vector for this re-keying operation. + * \param data Points to the data to be absorbed to perform the re-keying. + * \param data_len Length of the data to be absorbed. + * + * The output key will be left in the leading bytes of \a state. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *iv, + const unsigned char *data, unsigned data_len) +{ + unsigned bit, num_bits; + + /* Initialize the state with the key and IV */ + memcpy(state->B, k, ISAP_KEY_SIZE); + memcpy(state->B + ISAP_KEY_SIZE, iv, sizeof(state->B) - ISAP_KEY_SIZE); + ISAP_PERMUTE(state, ISAP_sK); + + /* Absorb all of the bits of the data buffer one by one */ + num_bits = data_len * 8 - 1; + for (bit = 0; bit < num_bits; ++bit) { + state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80; + ISAP_PERMUTE(state, ISAP_sB); + } + state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80; + ISAP_PERMUTE(state, ISAP_sK); +} + +/** + * \brief Encrypts (or decrypts) a message payload with ISAP. + * + * \param state ISAP permutation state. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param npub Points to the 128-bit nonce for the ISAP cipher. + * \param c Buffer to receive the output ciphertext. + * \param m Buffer to receive the input plaintext. + * \param mlen Length of the input plaintext. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_encrypt) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub, + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Set up the re-keyed encryption key and nonce in the state */ + ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE), npub, ISAP_NONCE_SIZE); + memcpy(state->B + sizeof(ISAP_STATE) - ISAP_NONCE_SIZE, + npub, ISAP_NONCE_SIZE); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen >= ISAP_RATE) { + ISAP_PERMUTE(state, ISAP_sE); + lw_xor_block_2_src(c, state->B, m, ISAP_RATE); + c += ISAP_RATE; + m += ISAP_RATE; + mlen -= ISAP_RATE; + } + if (mlen > 0) { + ISAP_PERMUTE(state, ISAP_sE); + lw_xor_block_2_src(c, state->B, m, (unsigned)mlen); + } +} + +/** + * \brief Authenticates the associated data and ciphertext using ISAP. + * + * \param state ISAP permutation state. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param npub Points to the 128-bit nonce for the ISAP cipher. + * \param ad Buffer containing the associated data. + * \param adlen Length of the associated data. + * \param c Buffer containing the ciphertext. + * \param clen Length of the ciphertext. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_mac) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *c, unsigned long long clen, + unsigned char *tag) +{ + unsigned char preserve[sizeof(ISAP_STATE) - ISAP_TAG_SIZE]; + unsigned temp; + + /* Absorb the associated data */ + memcpy(state->B, npub, ISAP_NONCE_SIZE); + memcpy(state->B + ISAP_NONCE_SIZE, ISAP_CONCAT(ISAP_ALG_NAME,_IV_A), + sizeof(state->B) - ISAP_NONCE_SIZE); + ISAP_PERMUTE(state, ISAP_sH); + while (adlen >= ISAP_RATE) { + lw_xor_block(state->B, ad, ISAP_RATE); + ISAP_PERMUTE(state, ISAP_sH); + ad += ISAP_RATE; + adlen -= ISAP_RATE; + } + temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x80; /* padding */ + ISAP_PERMUTE(state, ISAP_sH); + state->B[sizeof(state->B) - 1] ^= 0x01; /* domain separation */ + + /* Absorb the ciphertext */ + while (clen >= ISAP_RATE) { + lw_xor_block(state->B, c, ISAP_RATE); + ISAP_PERMUTE(state, ISAP_sH); + c += ISAP_RATE; + clen -= ISAP_RATE; + } + temp = (unsigned)clen; + lw_xor_block(state->B, c, temp); + state->B[temp] ^= 0x80; /* padding */ + ISAP_PERMUTE(state, ISAP_sH); + + /* Re-key the state and generate the authentication tag */ + memcpy(tag, state->B, ISAP_TAG_SIZE); + memcpy(preserve, state->B + ISAP_TAG_SIZE, sizeof(preserve)); + ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA), tag, ISAP_TAG_SIZE); + memcpy(state->B + ISAP_TAG_SIZE, preserve, sizeof(preserve)); + ISAP_PERMUTE(state, ISAP_sH); + memcpy(tag, state->B, ISAP_TAG_SIZE); +} + +int ISAP_CONCAT(ISAP_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ISAP_STATE state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ISAP_TAG_SIZE; + + /* Encrypt the plaintext to produce the ciphertext */ + ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, c, m, mlen); + + /* Authenticate the associated data and ciphertext to generate the tag */ + ISAP_CONCAT(ISAP_ALG_NAME,_mac) + (&state, k, npub, ad, adlen, c, mlen, c + mlen); + return 0; +} + +int ISAP_CONCAT(ISAP_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ISAP_STATE state; + unsigned char tag[ISAP_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ISAP_TAG_SIZE) + return -1; + *mlen = clen - ISAP_TAG_SIZE; + + /* Authenticate the associated data and ciphertext to generate the tag */ + ISAP_CONCAT(ISAP_ALG_NAME,_mac)(&state, k, npub, ad, adlen, c, *mlen, tag); + + /* Decrypt the ciphertext to produce the plaintext */ + ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, m, c, *mlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, tag, c + *mlen, ISAP_TAG_SIZE); +} + +#endif /* ISAP_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ISAP algorithm */ +#undef ISAP_ALG_NAME +#undef ISAP_RATE +#undef ISAP_sH +#undef ISAP_sE +#undef ISAP_sB +#undef ISAP_sK +#undef ISAP_STATE +#undef ISAP_PERMUTE +#undef ISAP_CONCAT_INNER +#undef ISAP_CONCAT diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.c b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.c new file mode 100644 index 0000000..c3c4011 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.c @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-keccak.h" + +/* Faster method to compute ((x + y) % 5) that avoids the division */ +static unsigned char const addMod5Table[9] = { + 0, 1, 2, 3, 4, 0, 1, 2, 3 +}; +#define addMod5(x, y) (addMod5Table[(x) + (y)]) + +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +{ + static uint8_t const RC[18] = { + 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, + 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, + 0x02, 0x80 + }; + uint8_t B[5][5]; + uint8_t D; + unsigned round; + unsigned index, index2; + for (round = 18 - rounds; round < 18; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_8(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate4_8(state->A[0][3]); + B[2][0] = leftRotate1_8(state->A[0][1]); + B[3][0] = leftRotate3_8(state->A[0][4]); + B[4][0] = leftRotate6_8(state->A[0][2]); + B[0][1] = leftRotate4_8(state->A[1][1]); + B[1][1] = leftRotate4_8(state->A[1][4]); + B[2][1] = leftRotate6_8(state->A[1][2]); + B[3][1] = leftRotate4_8(state->A[1][0]); + B[4][1] = leftRotate7_8(state->A[1][3]); + B[0][2] = leftRotate3_8(state->A[2][2]); + B[1][2] = leftRotate3_8(state->A[2][0]); + B[2][2] = leftRotate1_8(state->A[2][3]); + B[3][2] = leftRotate2_8(state->A[2][1]); + B[4][2] = leftRotate7_8(state->A[2][4]); + B[0][3] = leftRotate5_8(state->A[3][3]); + B[1][3] = leftRotate5_8(state->A[3][1]); + B[2][3] = state->A[3][4]; + B[3][3] = leftRotate7_8(state->A[3][2]); + B[4][3] = leftRotate1_8(state->A[3][0]); + B[0][4] = leftRotate6_8(state->A[4][4]); + B[1][4] = leftRotate5_8(state->A[4][2]); + B[2][4] = leftRotate2_8(state->A[4][0]); + B[3][4] = state->A[4][3]; + B[4][4] = leftRotate2_8(state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define keccakp_400_permute_host keccakp_400_permute +#endif + +/* Keccak-p[400] that assumes that the input is already in host byte order */ +void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) +{ + static uint16_t const RC[20] = { + 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, + 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, + 0x8002, 0x0080, 0x800A, 0x000A + }; + uint16_t B[5][5]; + uint16_t D; + unsigned round; + unsigned index, index2; + for (round = 20 - rounds; round < 20; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_16(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate12_16(state->A[0][3]); + B[2][0] = leftRotate1_16 (state->A[0][1]); + B[3][0] = leftRotate11_16(state->A[0][4]); + B[4][0] = leftRotate14_16(state->A[0][2]); + B[0][1] = leftRotate12_16(state->A[1][1]); + B[1][1] = leftRotate4_16 (state->A[1][4]); + B[2][1] = leftRotate6_16 (state->A[1][2]); + B[3][1] = leftRotate4_16 (state->A[1][0]); + B[4][1] = leftRotate7_16 (state->A[1][3]); + B[0][2] = leftRotate11_16(state->A[2][2]); + B[1][2] = leftRotate3_16 (state->A[2][0]); + B[2][2] = leftRotate9_16 (state->A[2][3]); + B[3][2] = leftRotate10_16(state->A[2][1]); + B[4][2] = leftRotate7_16 (state->A[2][4]); + B[0][3] = leftRotate5_16 (state->A[3][3]); + B[1][3] = leftRotate13_16(state->A[3][1]); + B[2][3] = leftRotate8_16 (state->A[3][4]); + B[3][3] = leftRotate15_16(state->A[3][2]); + B[4][3] = leftRotate9_16 (state->A[3][0]); + B[0][4] = leftRotate14_16(state->A[4][4]); + B[1][4] = leftRotate13_16(state->A[4][2]); + B[2][4] = leftRotate2_16 (state->A[4][0]); + B[3][4] = leftRotate8_16 (state->A[4][3]); + B[4][4] = leftRotate2_16 (state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if !defined(LW_UTIL_LITTLE_ENDIAN) + +/** + * \brief Reverses the bytes in a Keccak-p[400] state. + * + * \param state The Keccak-p[400] state to apply byte-reversal to. + */ +static void keccakp_400_reverse_bytes(keccakp_400_state_t *state) +{ + unsigned index; + unsigned char temp1; + unsigned char temp2; + for (index = 0; index < 50; index += 2) { + temp1 = state->B[index]; + temp2 = state->B[index + 1]; + state->B[index] = temp2; + state->B[index + 1] = temp1; + } +} + +/* Keccak-p[400] that requires byte reversal on input and output */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) +{ + keccakp_400_reverse_bytes(state); + keccakp_400_permute_host(state, rounds); + keccakp_400_reverse_bytes(state); +} + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.h b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.h new file mode 100644 index 0000000..026da50 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KECCAK_H +#define LW_INTERNAL_KECCAK_H + +#include "internal-util.h" + +/** + * \file internal-keccak.h + * \brief Internal implementation of the Keccak-p permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for the Keccak-p[200] permutation. + */ +#define KECCAKP_200_STATE_SIZE 25 + +/** + * \brief Size of the state for the Keccak-p[400] permutation. + */ +#define KECCAKP_400_STATE_SIZE 50 + +/** + * \brief Structure of the internal state of the Keccak-p[200] permutation. + */ +typedef union +{ + uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ + uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ + +} keccakp_200_state_t; + +/** + * \brief Structure of the internal state of the Keccak-p[400] permutation. + */ +typedef union +{ + uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ + uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ + +} keccakp_400_state_t; + +/** + * \brief Permutes the Keccak-p[200] state. + * + * \param state The Keccak-p[200] state to be permuted. + * \param rounds The number of rounds to perform (up to 18). + */ +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); + +/** + * \brief Permutes the Keccak-p[400] state, which is assumed to be in + * little-endian byte order. + * + * \param state The Keccak-p[400] state to be permuted. + * \param rounds The number of rounds to perform (up to 20). + */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-util.h b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/isap.c b/isap/Implementations/crypto_aead/isapk128av20/rhys/isap.c new file mode 100644 index 0000000..26d50a3 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/isap.c @@ -0,0 +1,110 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "isap.h" +#include "internal-keccak.h" +#include "internal-ascon.h" +#include + +aead_cipher_t const isap_keccak_128a_cipher = { + "ISAP-K-128A", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_keccak_128a_aead_encrypt, + isap_keccak_128a_aead_decrypt +}; + +aead_cipher_t const isap_ascon_128a_cipher = { + "ISAP-A-128A", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_ascon_128a_aead_encrypt, + isap_ascon_128a_aead_decrypt +}; + +aead_cipher_t const isap_keccak_128_cipher = { + "ISAP-K-128", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_keccak_128_aead_encrypt, + isap_keccak_128_aead_decrypt +}; + +aead_cipher_t const isap_ascon_128_cipher = { + "ISAP-A-128", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_ascon_128_aead_encrypt, + isap_ascon_128_aead_decrypt +}; + +/* ISAP-K-128A */ +#define ISAP_ALG_NAME isap_keccak_128a +#define ISAP_RATE (144 / 8) +#define ISAP_sH 16 +#define ISAP_sE 8 +#define ISAP_sB 1 +#define ISAP_sK 8 +#define ISAP_STATE keccakp_400_state_t +#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r)) +#include "internal-isap.h" + +/* ISAP-A-128A */ +#define ISAP_ALG_NAME isap_ascon_128a +#define ISAP_RATE (64 / 8) +#define ISAP_sH 12 +#define ISAP_sE 6 +#define ISAP_sB 1 +#define ISAP_sK 12 +#define ISAP_STATE ascon_state_t +#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r)) +#include "internal-isap.h" + +/* ISAP-K-128 */ +#define ISAP_ALG_NAME isap_keccak_128 +#define ISAP_RATE (144 / 8) +#define ISAP_sH 20 +#define ISAP_sE 12 +#define ISAP_sB 12 +#define ISAP_sK 12 +#define ISAP_STATE keccakp_400_state_t +#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r)) +#include "internal-isap.h" + +/* ISAP-A-128 */ +#define ISAP_ALG_NAME isap_ascon_128 +#define ISAP_RATE (64 / 8) +#define ISAP_sH 12 +#define ISAP_sE 12 +#define ISAP_sB 12 +#define ISAP_sK 12 +#define ISAP_STATE ascon_state_t +#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r)) +#include "internal-isap.h" diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/isap.h b/isap/Implementations/crypto_aead/isapk128av20/rhys/isap.h new file mode 100644 index 0000000..ddf8203 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/isap.h @@ -0,0 +1,330 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ISAP_H +#define LWCRYPTO_ISAP_H + +#include "aead-common.h" + +/** + * \file isap.h + * \brief ISAP authenticated encryption algorithm. + * + * ISAP is a family of authenticated encryption algorithms that are built + * around the Keccak-p[400] or ASCON permutations. There are four algorithms + * in the family, each of which have a 128-bit key, a 128-bit nonce, and a + * 128-bit tag: + * + * \li ISAP-K-128A based around the Keccak-p[400] permutation with a + * reduced number of rounds. This is the primary member in the family. + * \li ISAP-A-128A based around the ASCON permutation with a reduced + * number of rounds. + * \li ISAP-K-128 based around the Keccak-p[400] permutation. + * \li ISAP-A-128 based around the ASCON permutation. + * + * ISAP is designed to provide some protection against adversaries + * using differential power analysis to determine the key. The + * downside is that key setup is very slow. + * + * References: https://isap.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all ISAP family members. + */ +#define ISAP_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all ISAP family members. + */ +#define ISAP_TAG_SIZE 16 + +/** + * \brief Size of the nonce for all ISAP family members. + */ +#define ISAP_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the ISAP-K-128A cipher. + */ +extern aead_cipher_t const isap_keccak_128a_cipher; + +/** + * \brief Meta-information block for the ISAP-A-128A cipher. + */ +extern aead_cipher_t const isap_ascon_128a_cipher; + +/** + * \brief Meta-information block for the ISAP-K-128 cipher. + */ +extern aead_cipher_t const isap_keccak_128_cipher; + +/** + * \brief Meta-information block for the ISAP-A-128 cipher. + */ +extern aead_cipher_t const isap_ascon_128_cipher; + +/** + * \brief Encrypts and authenticates a packet with ISAP-K-128A. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_keccak_128a_aead_decrypt() + */ +int isap_keccak_128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-K-128A. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_keccak_128a_aead_encrypt() + */ +int isap_keccak_128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-A-128A. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_ascon_128a_aead_decrypt() + */ +int isap_ascon_128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-A-128A. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_ascon_128a_aead_encrypt() + */ +int isap_ascon_128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-K-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_keccak_128_aead_decrypt() + */ +int isap_keccak_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-K-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_keccak_128_aead_encrypt() + */ +int isap_keccak_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-A-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_ascon_128_aead_decrypt() + */ +int isap_ascon_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-A-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_ascon_128_aead_encrypt() + */ +int isap_ascon_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/LWC_AEAD_KAT_128_128.txt b/isap/Implementations/crypto_aead/isapk128v20/LWC_AEAD_KAT_128_128.txt new file mode 100644 index 0000000..14956bb --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/LWC_AEAD_KAT_128_128.txt @@ -0,0 +1,7623 @@ +Count = 1 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = +CT = 104E625D372E27EEE4D4E3CE1CA39D1B + +Count = 2 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00 +CT = 8EA6C9449EF9B5C24CFFFE4D781E616B + +Count = 3 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001 +CT = 291F4AFC4F703A978A3DC4FB8EE4DA4A + +Count = 4 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102 +CT = 3346A06FAE8812F17211E2BEEEA5FABD + +Count = 5 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203 +CT = 17EDD93471C85041626DF6B67A84CFAB + +Count = 6 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304 +CT = E1A7975C892AA0F499F9828573C08DD7 + +Count = 7 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405 +CT = 5823BD069977076D69DB8F78A9043FFC + +Count = 8 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506 +CT = 8C4CD83C2EBEE7022D9D402D2630F6A1 + +Count = 9 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 0001020304050607 +CT = 0DD36AE124BCBB6F435422F96D3D8233 + +Count = 10 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708 +CT = 89343263D3CF67F59B7C711B820CC61B + +Count = 11 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 00010203040506070809 +CT = FADF706A48B0BEE5A94B12318FE9F320 + +Count = 12 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A +CT = 5608114EAB33ABCC543CF91F078AB1DA + +Count = 13 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B +CT = 452B6B00380F19C157B692D93C005C5A + +Count = 14 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C +CT = 44244FC7492B8712D4AF62A476641F1B + +Count = 15 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D +CT = 5F3C09A1BC54FA805D86E85A137336E2 + +Count = 16 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E +CT = 36BE350750F559D81E8BBB47B4BBB013 + +Count = 17 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F +CT = 07B0FC873E00FFAD5FDB349308D5FA99 + +Count = 18 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 0775BEA622F1C6DE2EDEC8AD65D32A53 + +Count = 19 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 256F874EEE93CD7B7D6462B8229C4130 + +Count = 20 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 2FFBBEDFEB32AA69BE8A351DBF7ACA66 + +Count = 21 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 606A578DD659F2377F18112CA91CC1CB + +Count = 22 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = DAC66A39C17CF1CCC8B1DCF034F50045 + +Count = 23 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 95DD335590B23F070180499EB4E29580 + +Count = 24 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 657C1CE6BAF9D1064C8C880EC25E5DFE + +Count = 25 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = BFE353B26FDCEDF884440BADA402A1DE + +Count = 26 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 0C518C5A3C0F6871210843307D1D8113 + +Count = 27 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 278066231AFA68D8070E27E4C11684A6 + +Count = 28 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 61FC0D8273718B49BA30E38CD55778DF + +Count = 29 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 6FA40D8FB591AF5C7D1742DAF981BF8F + +Count = 30 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 92279D2AE0F991C2BF7A0B2E41812924 + +Count = 31 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = C2CBC9FBCB01FE241E7E5A07150DE0CD + +Count = 32 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 5E5BD60D0B68608251804F7021947400 + +Count = 33 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 6CEE7AAE490C0A9D6C0D060E61F3E442 + +Count = 34 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = +CT = 599F434C5D63E9DEB47C2C67A5113A4F3E + +Count = 35 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00 +CT = 5996A6EC86590D93659A31543B9309E998 + +Count = 36 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001 +CT = 5937D5412329313B86B1574CB661B29843 + +Count = 37 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102 +CT = 599B57AA2A3519D5F6AE68F35EA28A1660 + +Count = 38 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203 +CT = 59E972F9284A893A53487BEF1E705CBA71 + +Count = 39 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304 +CT = 59AB5D07669E0BFF5FACD16CEC0D732924 + +Count = 40 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405 +CT = 5941A13766677806F6525AE561A6916B64 + +Count = 41 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506 +CT = 595D2FD7FA101BEF1C314ECBA83DC082C3 + +Count = 42 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 0001020304050607 +CT = 59AAE6F62BF05DE0DEA9374FF7955BED79 + +Count = 43 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708 +CT = 596EA6D639B9430DD9FEF68C4D4E63F51F + +Count = 44 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 00010203040506070809 +CT = 5930680CCD354B128E3174F8E94BFA0E14 + +Count = 45 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A +CT = 59889913C7FC4B1C644FCFD9CAC727E2D2 + +Count = 46 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B +CT = 5992C1065A489CF6557C7B9546945FBF12 + +Count = 47 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C +CT = 595BDF874931CA30B8AE6BBF1AFCB7D9D2 + +Count = 48 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D +CT = 593C645155B515B8A910367CFF1115F1EB + +Count = 49 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E +CT = 5999BA0313D726B76FD7B60835336BE073 + +Count = 50 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F +CT = 5950C6E7AEA09036C7BBE1135102E56EEC + +Count = 51 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59EE439ECA08B286C32DAD1EE8ED943A86 + +Count = 52 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 596C67E8B1BA10EA79AB32A1A41239500D + +Count = 53 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 591FEBE8102789DB66C9F1315A480CEFE2 + +Count = 54 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59979CDBB78A18B981E5B7D16C6405931D + +Count = 55 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59F42BA5FB6B9D1E5ED39C33FD37496ACC + +Count = 56 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59C95A20C60F30FFD523A9E449DB4B5F1A + +Count = 57 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 599B5685401CACF7CFD18429FDBCF226DD + +Count = 58 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59A23E7A8B8BC912B35E3B30EBB63DBC42 + +Count = 59 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 595E042F4CBC74AE17DEF75B05BB934CAB + +Count = 60 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 596798064988EB4E60C56CE8987ECDD0E4 + +Count = 61 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59A415156D6631267659317E25E1F4324A + +Count = 62 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59EE24F5CB7C58471F5C839B521E2766E8 + +Count = 63 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59DA062EE3551998BC656236A0A7BF801A + +Count = 64 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 594ADA8FB444843032F2F3520EF454731F + +Count = 65 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59AEB20013E7C0092E320C52B4BD079136 + +Count = 66 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59BF66CF612F34B86600B22FC37371A808 + +Count = 67 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = +CT = 59D594D58AA83A5EB43213DE3E5ABC386274 + +Count = 68 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00 +CT = 59D5CE5A4E2D5292EA0727643FFC47187BAA + +Count = 69 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001 +CT = 59D57AF2E0CFCBBB983B0D3C3E3938AD029D + +Count = 70 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102 +CT = 59D5295BC297561F66337D59D545D4CB39E3 + +Count = 71 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203 +CT = 59D598F2DB0BC44E6A9CC5C5A73EFCA0B970 + +Count = 72 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304 +CT = 59D53D34654A6A0F151B90A0E85BAC875705 + +Count = 73 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405 +CT = 59D5D547A1C5BAA65BBAE4010F8E961A188A + +Count = 74 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506 +CT = 59D55DDD2D87632EF0D5AED27BCC18B361A6 + +Count = 75 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 0001020304050607 +CT = 59D5177B4B3F284E426E8E572EC00A2D82D2 + +Count = 76 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708 +CT = 59D5AFD97BB311D9370D091154CAEAA30487 + +Count = 77 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 00010203040506070809 +CT = 59D591B0A2FA7B3CD656ED3529B4F9CF9475 + +Count = 78 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A +CT = 59D5C651E9A26DDD7616475C8C901A7751EA + +Count = 79 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B +CT = 59D533FA11890368A1FF253495FF5CFA7CD0 + +Count = 80 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C +CT = 59D599026E090AF3A6A641701024CDB3B802 + +Count = 81 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D +CT = 59D5760625EDF21DE04F61B5E91A04FD1B6D + +Count = 82 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5588E96D89C40B780B9E9F58F945E622B + +Count = 83 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5EE76FCD94649086AEC6622834C640E8C + +Count = 84 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D52450CD836AF182820ECDAF6C24552059 + +Count = 85 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5F4FB63A5562CDBB7E28B0908BD9FAE73 + +Count = 86 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5FA1AF57059CE1ED3D65518BF80832D2D + +Count = 87 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5B7C684CEEEE6C7071A7A377FB32C4B19 + +Count = 88 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D547CB7EFEDE2FF838E0397053D47B9383 + +Count = 89 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D546AB460ECC4A32FC770D683640AF41A8 + +Count = 90 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5CB5C5C6F1E7752C987BB34183D8F512F + +Count = 91 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D55F0C80F637103EED139C5B2BA77260DC + +Count = 92 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5D6F98931E29FF5303223B26D433D1381 + +Count = 93 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D58D821DF5385314C3747E616DBCDFFEFA + +Count = 94 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D586DAA3015185A02FD7474A10315FE2DC + +Count = 95 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D58332BBF7FA18C2D04C24E2985C60E432 + +Count = 96 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D517D1E23CE33AF7C90F0B4502F943A677 + +Count = 97 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5017FEA518E6611A82F87533D5CDDA7DE + +Count = 98 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D56403387CBCB8B7ACE96C7664969ABDF1 + +Count = 99 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5CFEBBA4078F578F5CF02ECFC3DC94088 + +Count = 100 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = +CT = 59D5A4803EE152CE95019672B78F1F8104CCE7 + +Count = 101 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00 +CT = 59D5A44293E1A9B087F96D8414E084BFF04739 + +Count = 102 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001 +CT = 59D5A4E8DD8BFDBAB5651351175A30B9F5D8C4 + +Count = 103 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102 +CT = 59D5A40070F2075ABA7F5BF852EFFC67609A1D + +Count = 104 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203 +CT = 59D5A4C288DA6C2A88754CAB180BE036E79D50 + +Count = 105 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304 +CT = 59D5A49F2A89849FE2FA93B54684FA52038A7D + +Count = 106 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405 +CT = 59D5A40B08AB9A54099CA286083BC1D5C62BB1 + +Count = 107 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506 +CT = 59D5A409747320BE9DB181104F39E1DE35329E + +Count = 108 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 0001020304050607 +CT = 59D5A478E14E91353E9D643CD9A541E977DB03 + +Count = 109 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708 +CT = 59D5A45AE027FB1DB62B6941023C3FA54C7F3F + +Count = 110 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 00010203040506070809 +CT = 59D5A4B86D801A72ECF475295C0FF21B60D6CF + +Count = 111 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A +CT = 59D5A4674DE2C62FCF80825F1E10EFADD6E5CF + +Count = 112 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B +CT = 59D5A44AA986E05D4B902794AB08181774C146 + +Count = 113 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C +CT = 59D5A4EC01312EA5154EC48B968F82F63DEC66 + +Count = 114 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D +CT = 59D5A4AEF4C940333F28D8E36747C3D6007BDE + +Count = 115 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A4DB0235C1CFE05CAD7425F7C0754854A8 + +Count = 116 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A4B01BD28168131F1942964F749F3C3172 + +Count = 117 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A4A3A7B4EBCD23BBB921A490B34641D4FD + +Count = 118 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A4E38A5092E8C2AD8B0DB1A7195704C390 + +Count = 119 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A4013A74E89E39AB2365CCDE9B1432F4FF + +Count = 120 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A4DA300F3B3436BDB49F4C1D986B118EC6 + +Count = 121 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A4848EA6B707C3897A09423DA1CB5DDE67 + +Count = 122 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A425A5C25489497528D22CB70A1ED8BE41 + +Count = 123 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A4732B12957B2B9F82F8BE4A5FDA9AFAF7 + +Count = 124 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A4C7D950C8BE015BD221A9EDF58A9EEA24 + +Count = 125 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A4A04949BBE6C3C34AE03122A1C52F4199 + +Count = 126 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A446C9A86A0E274000F08E95B49EF3A590 + +Count = 127 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A434467AAE8A0F9E5A9B4C7EA28CA167E0 + +Count = 128 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A41DF22A7EE19755A532C32A0161CAA6E3 + +Count = 129 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A423490C95F3A7A15BA80F5835E3C2099D + +Count = 130 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A4F40FD63F84AC51E95A07CB04CE336B08 + +Count = 131 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A4AF585688E2375A23C9A8EE3589C9D5C6 + +Count = 132 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A49BC96D3B2C24F6B4778AB75AF8E88039 + +Count = 133 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = +CT = 59D5A45BBE536C191C4400B7D9A994F6C700F568 + +Count = 134 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00 +CT = 59D5A45B840E3E6ACC9D74514CC2F06341E06E2B + +Count = 135 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001 +CT = 59D5A45BB3895D2BDCD5708D7008F36F4C281C85 + +Count = 136 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102 +CT = 59D5A45BE8C659FCB6D6B308629677FD13128123 + +Count = 137 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203 +CT = 59D5A45B59C266F87B12DE5884875360F9EA9E8D + +Count = 138 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304 +CT = 59D5A45B3628FC987B92A2B4BD14BC603387F2AA + +Count = 139 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405 +CT = 59D5A45BDD7218285C6B4198F126DF2EC06B297F + +Count = 140 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506 +CT = 59D5A45BBFF9127ABA7E6C2CAB2A6349CA5DF5C3 + +Count = 141 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 0001020304050607 +CT = 59D5A45B024637FC09B79261AC8E5A7BFDD8230A + +Count = 142 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708 +CT = 59D5A45B047A50C3D5DED10FD9A8CC5AAABF6013 + +Count = 143 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 00010203040506070809 +CT = 59D5A45BCBEC6A494979720741AE32B969D1080D + +Count = 144 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A +CT = 59D5A45B3582FDCCBD34A70291C8A08B4CE92DE7 + +Count = 145 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B +CT = 59D5A45B5F3575E6FA10CE0E30B34B507D0E3B35 + +Count = 146 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C +CT = 59D5A45B736EABA52D2A5C3D437AB4E9356C1A33 + +Count = 147 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45B7D185744FF77BD0810E4622399A3D9B8 + +Count = 148 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45B543224B51DE1CFA4A48C8A91DC364A79 + +Count = 149 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BE76526D8DAB2432AC0D05269529057B7 + +Count = 150 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45B505853FAADD207F8999B758AA98B5B4B + +Count = 151 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BD1DADA6BB07F815A53CD24646DF12492 + +Count = 152 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45B7327BDFEBE41008FAB153E8B39DD532B + +Count = 153 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BFE2F1C7A842BC189CC117F921F751D3B + +Count = 154 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45B90B6469E825E4551511EE50195D19D0F + +Count = 155 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45B03639F7B47288FE87607085B3776B5E5 + +Count = 156 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45B822B32B4646BD19CDF7B114764CA61FB + +Count = 157 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45B5CA29D33F978F36FE225961794115D1C + +Count = 158 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45B4DD591FA8FDC13737F44AB02DE7648FD + +Count = 159 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BAD79AF3AA60495CE389DDC748F67C946 + +Count = 160 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45B294A2DB78A85FD7B2518F4A8A3C09B66 + +Count = 161 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45B9FF6F48153ED48BF834B8FC2BFBB1E70 + +Count = 162 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BF0DE57FD9D0885E51A87128082DD4FF5 + +Count = 163 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BFA2147FA09B3A8708CF2CC64D6601D13 + +Count = 164 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45B125B981CCD8890E8FB52F0D3ECE59C4E + +Count = 165 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45B01093EFD5B7366907F68A16FADF3E395 + +Count = 166 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = +CT = 59D5A45BCB81467C017572B9BF07055FEBDAAABC56 + +Count = 167 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00 +CT = 59D5A45BCB8E8BC2B035451DE70AFBCD179EB88DDA + +Count = 168 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001 +CT = 59D5A45BCB728E5D13F3990F8209AF0F9B35290767 + +Count = 169 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102 +CT = 59D5A45BCB84E8F564DE3D604B7022F27FB906C7AD + +Count = 170 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203 +CT = 59D5A45BCBF63F951AEFADEF653F6109E00876404A + +Count = 171 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304 +CT = 59D5A45BCB9CB739A99E815C050DDA34DF1AC0703B + +Count = 172 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405 +CT = 59D5A45BCB8DAC01F8B17D6C8036B94179C4E4EBBD + +Count = 173 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506 +CT = 59D5A45BCB533DAC4D5B3AE7699F977DD0A0CC0A6B + +Count = 174 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 0001020304050607 +CT = 59D5A45BCBDE30004C53E1CD43EE0A983FB16BE301 + +Count = 175 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708 +CT = 59D5A45BCB2CD33E2C5467EC4EECCAB974F10D3653 + +Count = 176 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 00010203040506070809 +CT = 59D5A45BCBF33AA265BEC14DEF07C3B4B0D58B2F98 + +Count = 177 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A +CT = 59D5A45BCBFA3B5188EA398D8D04EBDADF6569D847 + +Count = 178 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B +CT = 59D5A45BCBD5668DA7B9A766C426E94F1B5D05406E + +Count = 179 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBFC99D789D5B0AFF9326EE6122BC56DB1 + +Count = 180 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCB56BA5CEA1025C520D89427DE831B223B + +Count = 181 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBC46048D8B684714467F785ABBED29729 + +Count = 182 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCE303CE0C11F278D9A8D9F72BA04D38E + +Count = 183 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCB0805609383574B4EE592A038C187AE74 + +Count = 184 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCB3A9720F6095D68F884B541E57253C8EB + +Count = 185 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCB532FE7DA766AA66C2C658173CF1AE47C + +Count = 186 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCB78F3FB57AA707A202576DBF89598CEFD + +Count = 187 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCB809EC045E0AAD202DA9AB679679D8D9B + +Count = 188 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBAF30D4E172E9D36D5059682CE869734B + +Count = 189 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBECB26BBF9F648F2978378F66421A963C + +Count = 190 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBB30127629ACD0ECA03593A74F468BE76 + +Count = 191 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCB988C03CD85A193E14ED8C96A8498195D + +Count = 192 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCB75991E7BAB1405735D002486FD208552 + +Count = 193 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBD321F543A5FA8C19731953EFEA6EECD9 + +Count = 194 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCB538A9F6D4B6A6447718472ABFB86311D + +Count = 195 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBE5948B086BFDA228E1D2D49C4C7D449C + +Count = 196 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBF194219F21563217CBCF8CAC6C41370B + +Count = 197 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCB2B612FDA54112A635E1C77484DDD6928 + +Count = 198 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCB3B42DB57D6F9F91C128D8980AD862547 + +Count = 199 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = +CT = 59D5A45BCBCB5836E69EE0E89556AB2BDC2C6F5A93AF + +Count = 200 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00 +CT = 59D5A45BCBCB5978FC60F45A2C80F7F18AA887D6F766 + +Count = 201 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001 +CT = 59D5A45BCBCB309F15179349A4A7F1A568DA30BDFBA8 + +Count = 202 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102 +CT = 59D5A45BCBCBA2369F86946F01173627C4E7C94D0488 + +Count = 203 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203 +CT = 59D5A45BCBCBF17D89A5EDA3B659B1E7C08F8446AB31 + +Count = 204 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304 +CT = 59D5A45BCBCBC50AB7523B5576F625AD717E3408E9C8 + +Count = 205 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405 +CT = 59D5A45BCBCB7F49C12FAC2FF0459DA9D91C81289F64 + +Count = 206 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506 +CT = 59D5A45BCBCB69CC45A58AFA584EA5E594A456BA9BAD + +Count = 207 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 0001020304050607 +CT = 59D5A45BCBCB7E4015C28D913438F8C63D17A8DBD9B7 + +Count = 208 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708 +CT = 59D5A45BCBCB0153BB8BB5E032A76659C42A9D1825D6 + +Count = 209 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 00010203040506070809 +CT = 59D5A45BCBCB9BD8ACD57D8BD8128BC76865527DC65E + +Count = 210 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A +CT = 59D5A45BCBCBC5C2C94FB0629DEBA1827FDC9BB05831 + +Count = 211 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCBBFEF14F9C13FF8AAECDDB2884DEEF0B8 + +Count = 212 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCBE7624C7F2DD32E07631723E0813907A2 + +Count = 213 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB676907C8932EC866A769B02E55F5B8BE + +Count = 214 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCBDA7F31E425C03985A44A3CB0547F545B + +Count = 215 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB516DCAF8F9BAA8B5ABF459FF0F3FB837 + +Count = 216 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCBC6B59AC79BADFCFAE4B347B30CF8AFC9 + +Count = 217 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCBB791495ECAE5E0B022EC50003441D246 + +Count = 218 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB1D5DD3462B3919BBB6EE63869975F830 + +Count = 219 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCBF4356F46004E9A9281FA10B111CE08CB + +Count = 220 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB079036F1E350892801AB26B87768042F + +Count = 221 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCBA815F377E4BBB6E42C2D6063636C2B16 + +Count = 222 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCBC897479E24103F60030FFF0A27946E10 + +Count = 223 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB094253726CE8F3A8572EBBBA798A5E7D + +Count = 224 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCBA3DA993982EAFD20BA51B1A3F6A5CF53 + +Count = 225 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB8ACEBD5082AF5A2C89D001F44FF5105E + +Count = 226 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB077522E331345DBD30270C8933E6ADD1 + +Count = 227 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB556B98DEAC60978051337C7A96BC154D + +Count = 228 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB8F8D0B5CBDB69B45B8BF001540B8EB56 + +Count = 229 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB654ECDF7A9B46BB7F5EF9BB5CC112F24 + +Count = 230 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB5779173FF149BE888FC3065DA3DAEF39 + +Count = 231 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB9BC61F6288B482B95E829A7ABD34922B + +Count = 232 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = +CT = 59D5A45BCBCB339A578C3F2FB53FDD65567AB5A380F3CA + +Count = 233 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00 +CT = 59D5A45BCBCB3387258F87682C495D763C3D23D15BCA4E + +Count = 234 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001 +CT = 59D5A45BCBCB337CE146D57A3C3B150688EA9F419FE47E + +Count = 235 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102 +CT = 59D5A45BCBCB3364E35E85DE8FC9AEDE2640AA607B55A0 + +Count = 236 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203 +CT = 59D5A45BCBCB339211694A8E9D2C6A3A2312732632BCF0 + +Count = 237 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304 +CT = 59D5A45BCBCB33254F8E80D2F7F1C7A5EB08DB613F16F4 + +Count = 238 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405 +CT = 59D5A45BCBCB3364A233B6F3E085C99B57781D9F3F60C5 + +Count = 239 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506 +CT = 59D5A45BCBCB339946AAAF7EC9B11202095E788C9841BE + +Count = 240 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 0001020304050607 +CT = 59D5A45BCBCB33A5693D7C20D6AC1364C25F7EF9CC45C9 + +Count = 241 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708 +CT = 59D5A45BCBCB33521A373FB0E191F4C3F3304F656E60DF + +Count = 242 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332A654469822E08124F823332E83C27D8 + +Count = 243 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A +CT = 59D5A45BCBCB33AC64E967D9AD5CE4A718950352A1D41E + +Count = 244 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB33DEE6DCD1C1CE082972B91F6A75703729 + +Count = 245 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB33DDDE87F0DCBA92BA34E66E1AF31D509C + +Count = 246 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB33D5C4D8EE52C316120B0597DCA4A3AD55 + +Count = 247 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB339BE4B9F169922D666BB262AD67E16E5F + +Count = 248 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB33F6478B124FF653EF1C65BA94CD3A66B5 + +Count = 249 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB33DFEBC4DEA9C49BB6980B655C998067CB + +Count = 250 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB33C34451C6ABEB953AB438F2979F7FE592 + +Count = 251 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB33A29B79299D6BFB97F36BBFCE4AF59D3B + +Count = 252 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB33E28EAC8FE42E2ECBC0857D4247B94979 + +Count = 253 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB33D8DF0FBAFB01E0D6499FF559D126C387 + +Count = 254 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB333D0E7750A9CB528FD8B554D40A07F418 + +Count = 255 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB33FA80EB5DC8732B52E3CD134291C54239 + +Count = 256 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB338DAD570E293144B8F4CE0F5978C188BD + +Count = 257 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB33FB9EE9C321B0D980005369CC49CFC0A7 + +Count = 258 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB3378D1B55FF464EFF144407EC54817938A + +Count = 259 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB3312A6FC3A0318473522B6A717DAC82E82 + +Count = 260 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB337B5440AD2166CB14CF975A79993AA04A + +Count = 261 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB3331A1B60E3B5076EEA7AA451F1E073A7A + +Count = 262 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB33D519A952EC5E39A2A7471D3CD6BD4635 + +Count = 263 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB33FE62E76094A94460DAB6B4C3FB26E584 + +Count = 264 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB33701A5FB2B9478DBAF911AB5AB00041CF + +Count = 265 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = +CT = 59D5A45BCBCB3323F574421124643678085676B85AEFD541 + +Count = 266 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00 +CT = 59D5A45BCBCB332379A97FD4BAE5C8ED4E520DD67F896FCF + +Count = 267 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001 +CT = 59D5A45BCBCB3323B5A66439908EC4D7CEE3A6ADB8C0C865 + +Count = 268 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102 +CT = 59D5A45BCBCB3323AC60EFF1889D871514A14C5E44F0FAC2 + +Count = 269 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203 +CT = 59D5A45BCBCB3323DBF83C5FB9C68710F59D15F547078E36 + +Count = 270 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304 +CT = 59D5A45BCBCB332337ED1E073DDE88038005869773B37311 + +Count = 271 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405 +CT = 59D5A45BCBCB33235CE19497F5FF125C6DA847B32801DF69 + +Count = 272 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506 +CT = 59D5A45BCBCB3323288A43032F17223D2FD918D8FFD5AE32 + +Count = 273 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 0001020304050607 +CT = 59D5A45BCBCB3323415DC52F4EA5B2002EA0059CD63BDEE3 + +Count = 274 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708 +CT = 59D5A45BCBCB3323380B8068B9258DBE9B73BFBD97F0A464 + +Count = 275 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 00010203040506070809 +CT = 59D5A45BCBCB33237D56EBB4FFC278240FB53EAB882CB278 + +Count = 276 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A +CT = 59D5A45BCBCB3323EAD96447DECF5AAA74BA1DE0918E0651 + +Count = 277 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB3323A9E2EA0B07D5AD8BA80F873908E20892 + +Count = 278 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB3323883D3483C695E54F646AB68FD8F99F75 + +Count = 279 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB3323523997B8763DDFDF05B2B323A0FB6B38 + +Count = 280 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB33237811C24BA10CCB179BF957691E466076 + +Count = 281 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB3323F1E4AF398E737BF5A6DE8EACBDDC588C + +Count = 282 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB33238B109D9F6531299B6F4D58A7961B93AA + +Count = 283 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB33230DB7AA1101488C3111D8DA41AA71D8F7 + +Count = 284 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332385022F2B43DE0780EA8C5DB09261ABA6 + +Count = 285 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB33239F24659C1C2F33114FA107616FE964D6 + +Count = 286 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332321E1102FFEC3043E902CDAE7499A1B6A + +Count = 287 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332333ADE1FB08F779750D8F7564325E8A72 + +Count = 288 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB3323E307905D47DE1BBC52267D13C426D7A0 + +Count = 289 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332369BA3A45DB1DA5C91BC7ED17C6CDC9EF + +Count = 290 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB3323658F485615353D9485B7AA3B63507C7A + +Count = 291 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332351F11C2DCEE220DC5EDC72BFA5CABA43 + +Count = 292 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB3323AAFDF1AA8DAA4EF1593FCBE105ACD5E7 + +Count = 293 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB3323ECDDB52C1AA3CD3835DFB79D9A943BA3 + +Count = 294 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB3323EB540DB9E22B8BEAE877083560E6CEEA + +Count = 295 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332308FFAAAF14DE1DE29A4EF41020BFBC70 + +Count = 296 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332392F476E13F3C73DF9495D71243C4A6D8 + +Count = 297 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 0001020304050607 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332369FA4BAB5ADDE8AC4E4B51B6B1F0C202 + +Count = 298 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = +CT = 59D5A45BCBCB3323113C388E9C3721C8A7B2C4969FEFF3AA63 + +Count = 299 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00 +CT = 59D5A45BCBCB332311CD2E1E5F79E71E1925A05A11D16B4775 + +Count = 300 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001 +CT = 59D5A45BCBCB3323119EAF7CC5D90E4E5DB8623EC21E506503 + +Count = 301 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102 +CT = 59D5A45BCBCB3323110C23D877D1073DCA471D793D6C0E6C32 + +Count = 302 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203 +CT = 59D5A45BCBCB33231122B16C10ABD628D71A8C57FD4AE47E04 + +Count = 303 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304 +CT = 59D5A45BCBCB3323114FBCA31A1C5387D7B56A1CB2FFA784AB + +Count = 304 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405 +CT = 59D5A45BCBCB332311BA0685737068BA90E4150499F8F3AC6D + +Count = 305 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506 +CT = 59D5A45BCBCB3323113A579978CD770868296E7610E08C4FC2 + +Count = 306 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311AF8CDAABD06AFD7CB72DFC272BE4A673 + +Count = 307 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708 +CT = 59D5A45BCBCB3323112BEBBFF4E1D9638602FC86BAC2EC55D2 + +Count = 308 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311A519073CE0E97C133B0F31D0E25AD3B7 + +Count = 309 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A +CT = 59D5A45BCBCB3323111B63D2874969E18E1628DAFAB4AD84B2 + +Count = 310 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB3323119BF9133F4D4FC203D6C515A32E27A8C3 + +Count = 311 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311A2C8ED6F5FEF24B39C5EC1DEC3C364E7 + +Count = 312 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB33231187BFE56986A37A08BBFE786FE6BF3B5C + +Count = 313 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311318223BB0A40E7DA3CCCAD8C60476448 + +Count = 314 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB3323115E044359C57896C12481DF1435A79FE0 + +Count = 315 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB3323119BD6D6345D76EF4E87DC7983499D07C8 + +Count = 316 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB33231196E1CF74AA0E6F8FB514DCF5FF83BAC2 + +Count = 317 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB3323111CC8CDF138E83629396041C9983F6321 + +Count = 318 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB3323115BB887644ACC1AC1E501E22E123677EE + +Count = 319 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB33231175192FAACE24BCCCA97B7495C3D52537 + +Count = 320 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311F6DB1A34B640DC5D7ED3C7764F7AB1CE + +Count = 321 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311B2A7879AF84B6737A343C29AD58F2F69 + +Count = 322 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311B88E3D3615E26C3B30CA43735142C206 + +Count = 323 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311F9A8D6CA7FFC59FD5F568A9F1D380042 + +Count = 324 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311E7A9E5A71F9DB6929C2063664F36B3B7 + +Count = 325 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311BE43B3B46E8F5D3EC685F1A2E0A244B6 + +Count = 326 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB33231175F57510CE8F618F6C932AC306278E0A + +Count = 327 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB33231121AC122C1EC405F4D43C55FFCFD779E3 + +Count = 328 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311C0A820CDD54925A305390066D7A6A7BB + +Count = 329 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311EA06FAD5176074DB7FCD5EB08F861117 + +Count = 330 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311CD0CA4178AC9DAABC82793C4741BBB25 + +Count = 331 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = +CT = 59D5A45BCBCB332311865E5CD84EC022AE77A3ED9B695065B5D1 + +Count = 332 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00 +CT = 59D5A45BCBCB33231186F0A539447CBD46B5D116E04514B36A93 + +Count = 333 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001 +CT = 59D5A45BCBCB33231186CFF36CE46B8112E211F2739590ED7B4F + +Count = 334 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102 +CT = 59D5A45BCBCB3323118650EB9B1F804D8DFE420993410DCA33F1 + +Count = 335 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203 +CT = 59D5A45BCBCB3323118634862D6A0A7FF55BDB2EADBC1ECC6F14 + +Count = 336 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304 +CT = 59D5A45BCBCB332311868B4A5780F6BB0A6070B938121E0E52A2 + +Count = 337 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405 +CT = 59D5A45BCBCB3323118657290D778F9129BA9C79F7017D059EBA + +Count = 338 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506 +CT = 59D5A45BCBCB33231186ABFFD5A3F8EBFB91BC01EDC2F7B51417 + +Count = 339 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311865E0A8635F005BED24554A9C0FF55FB6C + +Count = 340 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708 +CT = 59D5A45BCBCB3323118605145FB719D677D5CF561447135A82F9 + +Count = 341 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311860471BC49AF1DE3BEBE131AD5C317E7F3 + +Count = 342 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A +CT = 59D5A45BCBCB33231186DE08AB286532D689066FE4A77ABB119C + +Count = 343 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB33231186ADFF40A029DDD55020F58869E62187AE + +Count = 344 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311862192DA16558F283C7E784FDCE8FBBC35 + +Count = 345 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB33231186C493993096EF2B4CCF7D47468C9DC4C9 + +Count = 346 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB33231186B059076F8227189FBAA1F8B21EE2E1ED + +Count = 347 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311868EAB2C6FDD3D4B6EEAA02299E3B337BA + +Count = 348 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311866CCA79B2AE6F6B7A168221EC17716ED3 + +Count = 349 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311867C4A66BBBE5ED2DDB7F96270AD931CEB + +Count = 350 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB33231186791442ABC4D8BBED4D816990B2446314 + +Count = 351 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB33231186CFE15E09BFB2BB44ECA53CF5C6753951 + +Count = 352 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB3323118668B9561CED118C60FC520532F06A8C18 + +Count = 353 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869FB43CBDB736D6B4A35580A00C32064B + +Count = 354 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB3323118626293BCD445F237082815963F1DF96EC + +Count = 355 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB33231186906B2F46EE45E35B94A4EB6B56A79440 + +Count = 356 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311863E61DF25FEB4282985FBF6D4D273898B + +Count = 357 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311862D11C214DAD0DF4740DDC735A837D4FB + +Count = 358 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB33231186B3E167867A6CF38B38F5F7F63D6DDD66 + +Count = 359 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB33231186DD1FEDF5BFD162AC59DB3A3D068844B6 + +Count = 360 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB3323118688279A5E9EAECE2F373423781A75A25B + +Count = 361 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311865EB79FB55FDAC6AAB6FB92D9681E4A81 + +Count = 362 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311860C461755100B19C6867DA8E3FB9C4FAD + +Count = 363 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 00010203040506070809 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB33231186B1849A6F10526FD1912E77E70C3A4A3D + +Count = 364 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = +CT = 59D5A45BCBCB332311869B5FF1FADBD2CA07A6FE825F5859AACECB + +Count = 365 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00 +CT = 59D5A45BCBCB332311869B44BB3CB56D12AEE3D7913035B1192988 + +Count = 366 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001 +CT = 59D5A45BCBCB332311869B7D2C624CB0ECAF428C33DA09F9EC24C1 + +Count = 367 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102 +CT = 59D5A45BCBCB332311869B8B990B5AA75890A3D3B61446CDCEFEDE + +Count = 368 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203 +CT = 59D5A45BCBCB332311869B2A28679D8F2F0B97D4C41309C2F94082 + +Count = 369 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304 +CT = 59D5A45BCBCB332311869BC30C4BB61AD467D5EBD74BD1DE855E10 + +Count = 370 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405 +CT = 59D5A45BCBCB332311869B193C68B9F05E449E6B7E880F1D1DF2B4 + +Count = 371 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506 +CT = 59D5A45BCBCB332311869BEE162CDBEE92D23782439082FE7B2592 + +Count = 372 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B017843DFE7C945E99A55887E77E89BC9 + +Count = 373 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B4E9480166899C9A09CFEA666905DF709 + +Count = 374 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B2935986BE2CAC7819F7D53DF700D13C0 + +Count = 375 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B93D5D97DE390B27BFE4435C883DEA20E + +Count = 376 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B1CE3EFB78FFA6A8EDF4A9E1B9C6E7B31 + +Count = 377 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869BA852004340108FD32DA03DCAE20C9C65 + +Count = 378 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869BA67E2A2251C0FE0F505A53D787CFED42 + +Count = 379 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B3CACB0810D9E33076694C2B62580A903 + +Count = 380 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B9A536AC46174C3E10AB52E0001F86884 + +Count = 381 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B844F14C2019FA5D55A9E92A2F90300B3 + +Count = 382 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B16414A8B5F8ACB40CFEF2758FECF5F66 + +Count = 383 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B11F03C9208B253EAFF894E3065152C52 + +Count = 384 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B581B7B7276769ADE2E45380098B5305A + +Count = 385 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869BA6469B98CBF911D8902E335FA0187BAF + +Count = 386 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869BA91698DF5FA6DCBD2B4419F193427E25 + +Count = 387 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B523C6B6F120888913D4F680F1774FCE8 + +Count = 388 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B40292FC7D7BD760444C188786F7BE21E + +Count = 389 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869BCCF061821ECC83F54F89646130839C3B + +Count = 390 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869BF52994EB62C1F7E2679A5AAD469E17DD + +Count = 391 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869BBA0A289BB73184A1F999E7BEA3822258 + +Count = 392 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869BF983A95A36DAB9FE693D120B52567E23 + +Count = 393 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B7DD2DA665180DC04B5C68AF59720C250 + +Count = 394 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B60546682EAFD3C8374252659E854C87C + +Count = 395 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869BE9160DD3C4E25A771BFF99841543D67E + +Count = 396 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B8CE4EEDCAC560D85ED1012D16636BC36 + +Count = 397 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = +CT = 59D5A45BCBCB332311869B73A7A25A7264D414F33556D3FCF3F64E47 + +Count = 398 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00 +CT = 59D5A45BCBCB332311869B736D7759279A9F40807CF990A0B83C95C2 + +Count = 399 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001 +CT = 59D5A45BCBCB332311869B7351330DEB43C3E982F8D7B4D036DC9341 + +Count = 400 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102 +CT = 59D5A45BCBCB332311869B7312E1A662CA596F32981B3708EB50E9CF + +Count = 401 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203 +CT = 59D5A45BCBCB332311869B734F6913F924F98AC20FE8D970D3D1FD5B + +Count = 402 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73C100EE132BDEDC5D26C6313E4E2C9F89 + +Count = 403 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73E8EF11D9191101EAB150F29BEE1A18E9 + +Count = 404 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73239698936E9B4D9B28506B418F10E54E + +Count = 405 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B7377AE8FE0CCEB40CC42ECE2685A3EAB2C + +Count = 406 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B734A043309354CACACFB1086115AD11CD5 + +Count = 407 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73E52A3FD0634E70CC29AAF1E6375E94AE + +Count = 408 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B7392C8239D37733BE3550A1F99024B723F + +Count = 409 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B734FC843318DF98AE655489A9F76A3D64E + +Count = 410 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B733086371EEC30D979CE3D7981BEE2864B + +Count = 411 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B737CE4727FBE4164BE2CAF9E7AA4E40D18 + +Count = 412 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73CDE6937EF1E7E8F272828325D0D774FC + +Count = 413 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B737883196D572FEF6AE26249448DC074EF + +Count = 414 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B736D1BAEC7D42263CE6537BAF0F10C3FB0 + +Count = 415 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B7375DA8E7F851F06E63B5E280CFCDE76EC + +Count = 416 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73BC07721BB9A04EFB11D2842E524BE133 + +Count = 417 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B7373B2364E7C44836359A9C1403AD5B9D8 + +Count = 418 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B739897C52302896546AFD6F153652B43E8 + +Count = 419 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73609D7613E6EE628122FFEF14B2CB072B + +Count = 420 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73FF9755048F578D30AC7CA471DBEE6830 + +Count = 421 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B737DEE9847EE937082E8C19208A4371C3D + +Count = 422 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73EE6A1BDB4F1256FF282A242B5668DF7B + +Count = 423 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73801EBC9006D34F3D1B18178D70A5E947 + +Count = 424 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B7395EA6BE436CD10C5F30D5F6643C6CF29 + +Count = 425 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73B6E94DBCC8290B8F07DF573549560EB7 + +Count = 426 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B733A80A3D4900DFFED3D9134272F900F8B + +Count = 427 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73C627CA4A5B1936885584DE1AAB1D39A1 + +Count = 428 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B731D96DC64615AD43EE7C2CD34ADDFB021 + +Count = 429 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B7390E20A274983479F5970F8E0E28D653B + +Count = 430 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = +CT = 59D5A45BCBCB332311869B73F6FE1D93DFA6060D98F4F980DD413A33A1 + +Count = 431 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00 +CT = 59D5A45BCBCB332311869B73F620C8F03FAE6F84726A803519AC3376DB + +Count = 432 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001 +CT = 59D5A45BCBCB332311869B73F67B67C75CCDAFE7B20A8051FA8C3DAD70 + +Count = 433 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102 +CT = 59D5A45BCBCB332311869B73F6D22C779AE9CCC94B56DE5BE73BD9C636 + +Count = 434 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F632C0F9B22D8A68741C17AD901226B0FE + +Count = 435 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F609A4E965DD7A6BCE7DAC91C6F1D70982 + +Count = 436 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F6387CD01B130C619B650A670002C81AEC + +Count = 437 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F62F96A0545BF4D9B7458A5DF0533811EA + +Count = 438 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F6AA51BFB7F69B785A156C6DDFC8DFEC18 + +Count = 439 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F62CE895E2D4E0D69B41425A1543CA6811 + +Count = 440 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F6FA7F1CAE91CD34CC53BE56E0D34E07CE + +Count = 441 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F65ED69E2CE861A14CFFA8B0C3B65FA831 + +Count = 442 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F6CF3A3C05E8E6F6ED53507552B308FC26 + +Count = 443 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F6ABCB812EED5C1101AE8681145CC30687 + +Count = 444 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F6F0BE4FDB7E5956872DD8F3FE6F13AC08 + +Count = 445 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F6A47775B7BACA8488B0B263686C9AF144 + +Count = 446 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F65503ED07F1ACCFF41E27C9B991291439 + +Count = 447 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F6441C83882F2F0D03834628B1A0BA0D54 + +Count = 448 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F63360648E6BBC90398ADC00D0B39BEAF5 + +Count = 449 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F6938EE6B255A919D7CBA4F834B676A796 + +Count = 450 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F60A84606DEE86C41DA18610B5C1ED0138 + +Count = 451 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F62F00952A9E789C49D2E291A0D065BBA7 + +Count = 452 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F6107862AF28A9BF80C0D82D3AFFE71076 + +Count = 453 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F6AC78F9C1814C072FA96802C5B39BA6BE + +Count = 454 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F655E4C12A1AAAAE829679160CD838EFA3 + +Count = 455 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F64DC075DB78AD01F1B13875D7E734880E + +Count = 456 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F63F06E4E3A93EC57A47167188BE718C0F + +Count = 457 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F6AB2701355DE5E46608D10EB4FF8B7342 + +Count = 458 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F6CAF3C7A6CDF0932AC19C2340B0E09250 + +Count = 459 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F64A8AA115313D09D003C66434606AFE44 + +Count = 460 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F64B06EF2064618CCB91102AC92EF1AF82 + +Count = 461 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F61735589387BAB3D664464EBD5C86EB86 + +Count = 462 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F601C58636E0C0B72B91F653B0EDB31309 + +Count = 463 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = +CT = 59D5A45BCBCB332311869B73F6334DE0568CE014549570E2F081918B0A3B + +Count = 464 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00 +CT = 59D5A45BCBCB332311869B73F633AE38D3D8246B1701D048E257CEA1B0D2 + +Count = 465 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001 +CT = 59D5A45BCBCB332311869B73F6334229ED5409D6D658270428AC3CC0FC34 + +Count = 466 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102 +CT = 59D5A45BCBCB332311869B73F63388E804D101C1275E396D697DBC062D1B + +Count = 467 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633F07B1DCB028A479CBF3A679C703739D8 + +Count = 468 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633F657656C30AA1BAC922922A1267FBE68 + +Count = 469 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F6339752A9246F19517FC5EB0C2DA9663100 + +Count = 470 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633C0200961AC840FB1DA999226101A038C + +Count = 471 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D70D3295B909BEAE83820516625F4B4D + +Count = 472 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633A202E5B4821104B0306674A3A5B35C3F + +Count = 473 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F63393C82D05B933CF8FB2A3E8BB745B8435 + +Count = 474 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F6337D48A50AC8947CFC543373E55C52DFD1 + +Count = 475 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633B87F334A6AEDB89B6A8B0E946A1A7A9E + +Count = 476 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F6335A4B138EEEE8FAEF62D4F8736E196024 + +Count = 477 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F63342D47C386A1FEF63592506E415447F5B + +Count = 478 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633E0763FEAE68FFBC1236923C9E9CA27BF + +Count = 479 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F63335590389FAA84FB0D4800D02043BCA14 + +Count = 480 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633CD81D5E77857A8B4BB8AC92E97C79817 + +Count = 481 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D3ED707149712258D0D0E709AF38274E + +Count = 482 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633FA32584E88D204ECFF1278ED73C08461 + +Count = 483 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F6334B87794B0C2DE094A5D6CC9FA085EFDA + +Count = 484 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D7F5352F457101887C5C8A44CF5283BC + +Count = 485 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F6333937C458B396B8E66E89BEC0589E49FF + +Count = 486 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F63326AC603E185D01BCE424E852E4678863 + +Count = 487 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F6332C1FB2AE7ACA2796A931A1F4A61D57D7 + +Count = 488 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633AAC3BA9BB9BB5973CB8C81CC33F09FBE + +Count = 489 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F63397B4F5C375D7747907F6739AB8D1179E + +Count = 490 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F6334450E0357B80D6A71D2BDF117F569410 + +Count = 491 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633849E128F00BA07E459495D73D3D5C086 + +Count = 492 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633BC6FC726625402C8609E9BFBBC54CF70 + +Count = 493 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F6338AD09FDB9A40EC1870DDD21D15CB3137 + +Count = 494 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633AE97C8948957FBC4BA21E635DA9D985F + +Count = 495 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F6334148F52B5B12ACC663C907E690A7C001 + +Count = 496 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = +CT = 59D5A45BCBCB332311869B73F633D296F3024622D027CB81522C46DC851E75 + +Count = 497 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D24446F7E2D22D067948C3A3C5B988E223 + +Count = 498 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D2C51441C87358C20D41D0358B38F6C13A + +Count = 499 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D25DCAD1B981F960774430B8501E510057 + +Count = 500 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D2EE7BDDCF96F4E36D033FCBEFCD11DAF4 + +Count = 501 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D24ACF703E6A59A074ADA80E613602CEAB + +Count = 502 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D22B8517A2E344F527D9F440C80C1FE065 + +Count = 503 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D2363724B4FD865BC72FFA5427CF49CC6E + +Count = 504 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D2BE6AD4EB94720DA89EFBBD68A0ED7FBD + +Count = 505 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D297DFAF27063D237CFB57A32918D48085 + +Count = 506 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D243362CE953DC9F7EF2260AB269FA958D + +Count = 507 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D2B879435D9E7466B0878573F7B7D63B09 + +Count = 508 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D275621A3832FF3C6FC8D6D84A16703214 + +Count = 509 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D2015B635BB15B2533C18305A6D4FDF9F0 + +Count = 510 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D2BDC771C361F2355FBCF22F85E1844A34 + +Count = 511 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D2E86F7C2AE9F637C3B5FEB1512CCDBB22 + +Count = 512 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D2684F9E07543EDFC234B5F7E8616DA254 + +Count = 513 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D23EB0D1C39A1F3251128EC775960288AB + +Count = 514 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D2C5DBA728DEAF45ED5605FD555DE42ADE + +Count = 515 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D24CADFA27381995106831D05D56B769C5 + +Count = 516 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D264C50BFEE713198715A31514D5FE4928 + +Count = 517 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D27B651393354CCAB0ACB0B88B4318FB6D + +Count = 518 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D2D2B206BA83ED665BE32C465A0C58D87C + +Count = 519 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D2588DAF8171E755F667DEA1A291A9C9E4 + +Count = 520 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D2791BC06D2E8CA8B6F4F2E545A73DEAD3 + +Count = 521 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D2DE43B5CE337A064C5A500DA8FDD19A2E + +Count = 522 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D246E33A3258DB4609E3DFF04D44159EDC + +Count = 523 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D215BE261CE3D3E417F225A54B3E587A4D + +Count = 524 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D2E1F7FD290661D0B7457CAEA1B2EE0D77 + +Count = 525 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D228C701003DEE3E34642626AAE1558FF7 + +Count = 526 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D240B43E8CA4ADCB5A9FE3B9AD39501562 + +Count = 527 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D26DD2679F0DCBC54BC36C2C0F775EDF4D + +Count = 528 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D2F24135A37187E909CF2688694B68BEA9 + +Count = 529 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = +CT = 59D5A45BCBCB332311869B73F633D296611099FFB698978069FD5E0845644420 + +Count = 530 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29630E57C78EACDBA987FF51029262A8507 + +Count = 531 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D296A7E1C8791E781C097897C1DED82425DA + +Count = 532 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D2968DA6117592FA1F839CE278E962318DFA + +Count = 533 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D296EB04700EF178B0BCFE4D96E8E5E14B84 + +Count = 534 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D296E714ABF91D2B5B3719C3B2D46B6F7376 + +Count = 535 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D2969197856B75CF80263797D5B1703C506A + +Count = 536 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29610890DD7464604B1E564917D8BD6F4EA + +Count = 537 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D296DA458BC12F3F72596C974BD751594357 + +Count = 538 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D296CFAD2E4988301D38C8C8205C01B2AD46 + +Count = 539 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D2964F9D145375DF6688EEB35CA9875C8C92 + +Count = 540 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D296837B158D1D0F9C633857E1DD715DBF82 + +Count = 541 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29602B3459A7805812649326B0D39FCCE5D + +Count = 542 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D2965D29A1836125EA8A262501637336FA47 + +Count = 543 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D296F483F7A7A3A9548025A71A167A52E85F + +Count = 544 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D2961B23B1A3248ABF7D823800BAA0D2CD97 + +Count = 545 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D296C4F7CA814C0A3BDC5400098E27EB4849 + +Count = 546 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D2969B850BC35383AD7B6E0D682F851515D5 + +Count = 547 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D296D472FA693BB82A22C86FBEDD835761AE + +Count = 548 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29636865F7BB6F7977275CE7E26E9F05DAC + +Count = 549 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D296EA5C085395C885C982709AC46C34493D + +Count = 550 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D2967E94140E97AB11E747A862090D05916F + +Count = 551 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29693382FB1D4AD466B29116E286090DC29 + +Count = 552 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D296774DF015D4CE063CB0D35A60F5AF1654 + +Count = 553 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D296EFDF5A68927985547EBB7F01726DB3EF + +Count = 554 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D296CED5BC10DD64857148859C73B22F427F + +Count = 555 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D2967B20D3985B91305D5467A91F0BE986DC + +Count = 556 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29658C96D52D6FB94ED6C950AD922A2C539 + +Count = 557 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D296C1B9967148DD6A0125C7579E20553EAB + +Count = 558 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D296C688CCF7E1FF3859741BD40FCA7582FB + +Count = 559 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D296E50A9080FF289C8BEB76B7936B278F93 + +Count = 560 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D296428CF87567FD908474B4D493B01B0132 + +Count = 561 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29663F6326909EF7A7391AC2556956B1F0F + +Count = 562 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = +CT = 59D5A45BCBCB332311869B73F633D296067ACB65E597FBD9E744FD7B99FF37B38B + +Count = 563 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606CB6AC7DBCE6B36B40AA9539FA388B593 + +Count = 564 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D2960623540F70591FAE6448147FDAE9CE2B33 + +Count = 565 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606708515A7CBB0C24A840CE1DB199FBA66 + +Count = 566 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D296068307CF81EB7C7BFBA8C3B9C4582750DE + +Count = 567 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606F83A353BBE50A528D65B30C399FECFD2 + +Count = 568 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606FAB38D34DDB648FB900CE9B30F1182E3 + +Count = 569 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606E9261A92ECFC25C673DF9418ED2BBE80 + +Count = 570 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606049AB451BF1C3554580FCB7E22C5742A + +Count = 571 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D296060F2DAD7FFF44DDD0DA3D4C27D315B3F5 + +Count = 572 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606F74A1AB123E1F6D09B8E3490D7650580 + +Count = 573 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606EC56464D47D3F2E0D3B647A38F092734 + +Count = 574 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D2960685E97A49C961A83C7B46DE0F7EEABAD3 + +Count = 575 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D2960625B415556C41F6691B7D428F83DF647A + +Count = 576 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606000F1AA87ABC36201A39A63D751333D8 + +Count = 577 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D2960613643188C52749C351D1AD2B8289817A + +Count = 578 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606BB553CF05AB5841D14124D03ED3AC7DD + +Count = 579 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D296060162934612C806685D9E9372A6A36F15 + +Count = 580 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606A9E8BD5924E56E756F5E242AA6ADA013 + +Count = 581 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D296065AD1EE9925A7FD0843B14568E1DCFB2F + +Count = 582 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D296068B919350CA66FB7BF533E5ED6C73526D + +Count = 583 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606C6784E02B41B9152A595474BEC0F5B27 + +Count = 584 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D296063A504272D51D0028FD5C9E6372EF6302 + +Count = 585 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606FDD61B0F6F8E2B962F1697A4F14FC74B + +Count = 586 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606CD0844B0B0DB6B28893F10BB1529A40F + +Count = 587 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D2960684D04FD6E0FA72AB44CE934EA966FAAB + +Count = 588 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D296061CFE33FE3625F7C2C47753EA96C57EAE + +Count = 589 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D296067BA0AEF8AE30099ED1C4BDD7D8C67AA9 + +Count = 590 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606661910E645240283A7EF525BD721D976 + +Count = 591 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606C0AB629C14AE443D27E97EBAF60C48FD + +Count = 592 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606281E972F95FEFC023F2DBCB4BB5C07B1 + +Count = 593 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D2960671FCEE54BF4DA4C39DF93D07A7DA10BC + +Count = 594 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606D1AE3F4E8EF6E6E609A309B99671457C + +Count = 595 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = +CT = 59D5A45BCBCB332311869B73F633D29606057056A250A23EDB921D56862CE72C22EB + +Count = 596 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D2960605C165CC3F6044C8D7206CAC32F3EBC9B3 + +Count = 597 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D2960605BCA2B7892A4E86E03165289707E84BC2 + +Count = 598 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606054846EC42894AD10E4A9F3F5DB2624A41 + +Count = 599 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D2960605101C513E2342F1FD50F7F7F659259343 + +Count = 600 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056175D6CD0DDF5DFBA749CBEEBF37606B + +Count = 601 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D2960605774BDEC64673F73EF4955417593A7561 + +Count = 602 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D296060540A2EDC5EF70BC355D0DE47FFFC36473 + +Count = 603 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D2960605B7222ED16397596EB7A6F50F8FFC05FE + +Count = 604 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D2960605D5C100A3C7D56019465558A4E26E0F31 + +Count = 605 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D2960605A0B3C52D04F85ADA20AD0C6F881A5A03 + +Count = 606 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606055153F3761749C8CD914779D516F316A6 + +Count = 607 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056BD12DE38E2FEEB60118B630A9528698 + +Count = 608 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D2960605A4FCDD045F0BCFA37657A8FEC531863E + +Count = 609 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D2960605E33EF60EA132CDDBF8B47D6CE578FBC4 + +Count = 610 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D2960605161653BC74BD798A02A7B3FC25A8CE1D + +Count = 611 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D2960605436DC7198F10A45E9AC1DC89C44C2EE9 + +Count = 612 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D2960605C86B6E1F1750EE3D8707DA76CC779C07 + +Count = 613 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606054A1919A258F4B9EF3F7D874B2147EBAA + +Count = 614 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D296060518E4703DB8544F65285C58173E6AC864 + +Count = 615 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606053F833FF84C4AA956C4C80529F5B01357 + +Count = 616 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D2960605E24B09858728B4D01697D1663F350B36 + +Count = 617 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D296060580C576E251EAD85A3FB9F44A49BDAEAF + +Count = 618 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D2960605C29738A2CFB4EC49C67E4121AA412579 + +Count = 619 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606057219359230248B16C7D1BB772BB8E709 + +Count = 620 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D2960605E9B9F36907B15FC09317A40CA1564C86 + +Count = 621 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D2960605E32BBEF80BB1931669C762608503AD22 + +Count = 622 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D2960605949339B5D789F71ECDF251617B300FC7 + +Count = 623 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D2960605E2815EFF65B6FC9A199DEE449F9BBE6B + +Count = 624 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606052139228F0E9BCD141465E4C523A4A6FB + +Count = 625 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D2960605E961966ED7F2E082984B85B28DDF349B + +Count = 626 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D2960605184CFC6889F072DEB873B0A9DD4B45CF + +Count = 627 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D296060566AB4D20813BCDB87AD827EBC4F9EA41 + +Count = 628 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056BB3B3EBD8DB2FBF17AC367F425AFA49B3 + +Count = 629 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B79F4426721819B8D762B8A212B81445D + +Count = 630 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B7D05036C16BD978F0B531F5996FB45DB + +Count = 631 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B03C83AA779BE3A5D227FA13AB0F611C0 + +Count = 632 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B55BAB4A58CA12A0DC3B9CC86ED347DD8 + +Count = 633 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B05AFA303B0AEC278310C9BE526005371 + +Count = 634 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056BA6F8A585FC0284506443222D79BF1B32 + +Count = 635 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056BB9026EC322D8B3E6F4F9A225A1DFE9AC + +Count = 636 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B26DC4C0197743E633E6753A8CFF79E91 + +Count = 637 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B5C874E4C3FF519C7CEF51D3C4FB072B7 + +Count = 638 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B16CCB787D4EA58DA9795A040B77594F2 + +Count = 639 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056BE7698066A09C844DF7CA613A1624E6BA + +Count = 640 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056BDFEF401578013DDFCF46D860AEE79CE2 + +Count = 641 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B3B63B5E313F74623CE3A3019C239DBAD + +Count = 642 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056BA5B5597C65677D4FBC72D7AF59AFAD7A + +Count = 643 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B633DCDAAB4742D7B7F655D9303D811A3 + +Count = 644 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B532A88BFE6C374388C4113224F761A38 + +Count = 645 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B132B6C684E89D4BE497BBD385B0BC2CD + +Count = 646 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056BB3EBEDE32F084F657F858AEA9E2AAD83 + +Count = 647 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B59C8BAFE27CF2F289F2693927BBC8EEA + +Count = 648 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B7D0C6DA6A5AD25D6B5267F7DAF39F7A1 + +Count = 649 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056BAC7EDA265A9A064B8FDB2B63675B415D + +Count = 650 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056BD10F5A42604DB96ADB7F4ADE13F93B65 + +Count = 651 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B7C1211FE1CE4873523933173FC2CC6CE + +Count = 652 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056BDE0A622D1652244EF4959EE36BD06ED3 + +Count = 653 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B54DE826E91D7B0A1C6E50DCBDA60133B + +Count = 654 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B202EC7D8E41F0CECCB8DB95CC01693EB + +Count = 655 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056BD09B7877A69B8698E69613921031B6CE + +Count = 656 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B77AF64D52362039B9C4AE1C522546954 + +Count = 657 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B3B42A14E7C5F0EB43EFF24B8C4902BE7 + +Count = 658 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056BBD7033496EC00A3BAC1E4A9243214CB7 + +Count = 659 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B9D0227143C58A7A78E323362794F52E8 + +Count = 660 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B4A13BD8C080C47B0B17E3A7BBBC2B83A + +Count = 661 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B79C88E4D2E44100ED8CA4F76A3E2006487 + +Count = 662 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B79C39C84F63EDA23230A27EE8A6153A002 + +Count = 663 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B79641FD520FBE27C3D8B6C4A7E301F4910 + +Count = 664 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B792E1145F2B9A694FE959D7BA7EE83FD87 + +Count = 665 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B798AA3D09083A0D6818CFC620ECCB24D09 + +Count = 666 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B7995157146E88FDBA2053F60A04F7A7E79 + +Count = 667 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8DFE69DFB7EEBF363401A08A3EAAF8 + +Count = 668 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B79875015A06879D4C2D941052E4B5EF799 + +Count = 669 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B79E0BA3F8FF8A3012EFA2F26CA2DB997A4 + +Count = 670 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B794CB9B23A634E2B0F200E4F3D7C327C65 + +Count = 671 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B794C76BA58265E42963CDAA9091F262799 + +Count = 672 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B79BE009181E4F093AC9217E72E81B3E9EC + +Count = 673 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B793DF7D3C6716D3A23CA4D9CC0792D5B15 + +Count = 674 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B79586E4C07660F9878E08E9E1970059D57 + +Count = 675 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B79D0FF309EAD7E355F5FD97EE9FE7BDE55 + +Count = 676 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B7969C73C164D152EF0D711030D3B47FF31 + +Count = 677 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B7914ABBA6DA27B0148CCA766BD5778B89F + +Count = 678 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B79EC1C896F355F72177FD9AAA017B3C123 + +Count = 679 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B79CADE04ACEDA4C7996B0F8A340F9BF07E + +Count = 680 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B7991C2A2EA021B2576AF8C9BE51F4AA490 + +Count = 681 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B79E53BAA4706D379B58A908E0025A7E246 + +Count = 682 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B796BCDC2720C5C5655B48432F1F60DC320 + +Count = 683 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B794E211A0059A2DA2A03FCAA865CD92960 + +Count = 684 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B797C001DF4E0CB30BA508F75970DB90324 + +Count = 685 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B79CC8B5947C9024580BFD58558827503A5 + +Count = 686 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B79E7011E7100EEB45CB80B34CD18109BE4 + +Count = 687 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B795FC7E7CA6229D7E85476A7EE574DDD20 + +Count = 688 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B79F1801020202A558A77AABDFF760F5B9A + +Count = 689 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B79241D37653EB0DF83C8C8B611610B7654 + +Count = 690 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791837DE34489F26310A7778FF867078BE + +Count = 691 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B79340BD973C05D1AEC9EDE8C9622948168 + +Count = 692 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B792B8D7CD9BE53A57CAFC18D35C1D59B23 + +Count = 693 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B795E8AA842BEFAE650C20B1D5980272B4D + +Count = 694 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F5C31C153756BE568218BD7554A559929 + +Count = 695 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F1E37EEBB74277A2A1558029AE1BF6C48 + +Count = 696 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791FB51646EEF0B07EF0F865E4924540B1B9 + +Count = 697 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791FB81BB16B92B08597BBCF8F3DB29DF7B3 + +Count = 698 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F59351D6AD1BB0A71BFDFC26E3E87F92E + +Count = 699 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F64283B6FD57090190643C739BB6EFBEF + +Count = 700 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F590032F4277BF9E77CBFFB3C76F54A87 + +Count = 701 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F350C184AE4BDFCB0055F1716EE55D396 + +Count = 702 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791FDF9A353E0D23C301FF79D6851EF2F875 + +Count = 703 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F6C6CA5E8B8244C4EF182E86EA3F3872E + +Count = 704 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F810DFA6E2A3376481729FA442E583642 + +Count = 705 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F689BD76F4D52BD463E033EB8A3C6DF82 + +Count = 706 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F17C63F03B0CD12C826BB0550D7BA5D5F + +Count = 707 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F2F3C34F24697889C5AA82A906B28F119 + +Count = 708 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791FEE3A8452A56A7B91F23A92A8649CF902 + +Count = 709 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F139DCDA1B24CDC0935316C46B28BE1EC + +Count = 710 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791FC68B5FD54B65AD663621368FC115B4C4 + +Count = 711 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8006EAAA7E12613C390DA8528EA0F247 + +Count = 712 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791FEB22E4C703877931917616985A277A34 + +Count = 713 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791FD48C5FB8B1295F8A93378B3B4DA60343 + +Count = 714 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F633BAB8F84AAFE31846C9A241DA98EB9 + +Count = 715 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791FC0D02117A06EA5F647BF93BDBE3678A7 + +Count = 716 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F38785B21AE08CAC9AE34354F9F84B087 + +Count = 717 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F2DF485E52066757D4843BABCBF44C785 + +Count = 718 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F9E81F7FEB8E8BEA325F7A827020FACF8 + +Count = 719 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791FFF8F2F3AD2DF7FE7EAC60C010C357228 + +Count = 720 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791FC7AE780517B7B518ACFE9E64B368E117 + +Count = 721 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791FF1ED7E89269AA35A44B92177C903CB18 + +Count = 722 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8F055C247561562B80669672F4668175 + +Count = 723 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F71CA3DC6B18617C8CE067E5C6C99D2F9 + +Count = 724 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F039E81466335CEB8C4BA6EE1FFA07319 + +Count = 725 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791FA7D66794380AA14FEFD0C0567800BFF9 + +Count = 726 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F91DDCE52175D6BC80A7C011728985A21 + +Count = 727 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ADC1B49E13B54104D57C78875FE44CDC8 + +Count = 728 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AA4D93128B035E0E78E9F4C8C61678FF9 + +Count = 729 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A8160CF2232EFAD0C57431CD558DE548B + +Count = 730 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AAB5117015CB4986A347F1F81392485D0 + +Count = 731 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A85AA8B0E9A0993EB201DC3CD1E28A92F + +Count = 732 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AE288AF11B290937BD9D90628B65086A4 + +Count = 733 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ABCD5575F4CFD9B451CF42FAA86214A4B + +Count = 734 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A52325EAACD5AAAEF3252479F297FD2B2 + +Count = 735 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AF6E90B760B5354085B59588DB76090F2 + +Count = 736 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ACA73420DDF4A1B4D7B9B10AF04AB135F + +Count = 737 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A1FCC26F730AA3B39F61BD575CC0EBB41 + +Count = 738 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A0151AEE176A494F63A6B334CD0436DEF + +Count = 739 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A410DD32E3AACD2E67C17A0132E647190 + +Count = 740 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A2C5B5F0724337811A59C06786030B28D + +Count = 741 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A7807FF0E7C0944EC48ECA801A404BDAA + +Count = 742 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A11F7204A6FF8AD208A9F9541893B7C33 + +Count = 743 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A66416A384CB20AD58241B81AB47E39EA + +Count = 744 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A3FADCDE576B986663D6133769C1900B5 + +Count = 745 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AA8897479F5BA6A4912EE364239DE75FA + +Count = 746 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AC3FD7B5538F645664DEDB9D2BCCD4F3D + +Count = 747 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AE2249A9202B50347FFF46FC6213BA193 + +Count = 748 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A125FD011499F0AD5BDB2599364B4CCF6 + +Count = 749 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A12AED98FF1712BC825D0C1844FD6BB1E + +Count = 750 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ACBD996B4993C78842D1F2D90FD56F3F1 + +Count = 751 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A966DD3DDB5EEF6F08B434AA0BD69FC7F + +Count = 752 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A2D561B21EF83FC69BD88912FBA534D2D + +Count = 753 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AAA4E30D1C923ED99CACE89C8CA4BF84B + +Count = 754 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AD9440361DD91CF8CE4ED8AC6E45E5F39 + +Count = 755 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A9C70F7A013104347A921478684B9F87F + +Count = 756 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A4E43BF8EFD107690FADC0A44A6E74C38 + +Count = 757 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ABCB7B9E35A6D333E24BB32FD12BEE65D + +Count = 758 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A38B6F5577F16E3BB1AA3DCAE7622808C + +Count = 759 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A2AD1B951B8F4E9C516BDD281AD922347 + +Count = 760 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6855C445AE9ADED7CB7E8D20491A5C6938 + +Count = 761 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68496CDB7B8747E922C11DD4C6491110B5 + +Count = 762 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68EA11AB5CB3A270FAA8C44A858155941A + +Count = 763 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68262D7C1F82C98E20E6F586755F2DAAC4 + +Count = 764 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68A1B83E0459884A488786CE2B1559F3BE + +Count = 765 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6861B3DC7AF667E7AE1647B9517D7BB330 + +Count = 766 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A680B9C03738D219A5E8CD8DD170DDE8BE9 + +Count = 767 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68E1602B8F12A5ACF3682CCAB6D4344310 + +Count = 768 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68A573619D6392301063EDA5137E97213D + +Count = 769 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68C01C13E459558D889ED015F8015CC604 + +Count = 770 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684B38BAD0C7BCBA0E061BEFDC9E40232F + +Count = 771 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68F20CA7C894D7CDE7A06B357814696787 + +Count = 772 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68AE62F36BD3A331DF1FACE7256195938F + +Count = 773 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68AB8067C67260419A060D27E9FEDE5139 + +Count = 774 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68A8300812F84CBEC431D127DC0DF78DFF + +Count = 775 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A680E79D0C56D1CA75C450DD3BA8D1FB9AF + +Count = 776 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684F18288321FD576D7464466D4912FEF8 + +Count = 777 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68477EE60F775D4BF463219C8FCF8CCBBD + +Count = 778 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68BD5DCE3B4E08AB1C9B5013389807013A + +Count = 779 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68C65F8F81A4087731A9BE36FCD9707245 + +Count = 780 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A689FC9C05A40F4165F995814B62BE1FBF6 + +Count = 781 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68ECAFFF63272936370814A491D1CAECFB + +Count = 782 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68FAAD94E78E738347D0976331AA577F3B + +Count = 783 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A688776BE7EE7698169750266132D62D7EA + +Count = 784 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6886B18BAFC86E06C2C4E80F158E23BA6C + +Count = 785 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A689EC4C8F24CE19A484398E82D6568DCCE + +Count = 786 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A687581B1C02B3308AA47CDAEAD68F7CF2F + +Count = 787 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6864EB7D14DBCABEE4FD7B0C5ABEB2540F + +Count = 788 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68B427D215A614AA3D789B8F216A4AD7EA + +Count = 789 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68A1E5F258EE1527FDF0C21D18AB5E59D3 + +Count = 790 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68E0B99B58B0BFE3D88763E82F9490A067 + +Count = 791 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6829F7A214BAB785861F99F325CD782B70 + +Count = 792 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68380184E0CE69F1B778AD5ABCF64D7910 + +Count = 793 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E57F02139A9C6FEFA14D65DC075603589 + +Count = 794 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E6D8D29E6F81DFD587AE224E9976E406B + +Count = 795 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EE61AB56E974052277171770E5EA8E6BB + +Count = 796 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E72086B56B92547803D9683947D14B99D + +Count = 797 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EC63EFA8812EAFE0D98D83CE0C7607F4B + +Count = 798 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E97D2AA634C91C61DB4478162459E233F + +Count = 799 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EFF98C98C6B4241A47C951AE16F0DFBA2 + +Count = 800 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E7C048EF6C393CD30AB60CA8B48991180 + +Count = 801 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E5359AA4C8C33E36BB302B22025F09F6E + +Count = 802 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E067A5D3FB8256DA746308E9600B0EB3E + +Count = 803 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EF16646C71355651E635739EAAB24EFCB + +Count = 804 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E8576CB3469DE66023440B47DEBB12664 + +Count = 805 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E73301B32C456F84CDDC84A3641F37E5D + +Count = 806 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E7BDCED94850BA717564D3BF13647A135 + +Count = 807 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EC02AE6715E172023F18F5F5670975078 + +Count = 808 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EF759235BF865A8200C2501EB32B6DA6A + +Count = 809 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EFFC0A5F0A8EB6E003C45E67DD1DE502E + +Count = 810 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E019494BB3FFBCCE0DB072A1BD918C88B + +Count = 811 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EB8CBDB5399AFB363CA6383765D9AF980 + +Count = 812 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EBC67F1386980BE1582914B6ECB7F448F + +Count = 813 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E0D99473A61D123F28E09C4306D94841C + +Count = 814 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E33EDD7322E394679DEE6AAAC89A17AA7 + +Count = 815 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E8E00112254D036FABFAD46BBE9DB7199 + +Count = 816 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EBA3290F881EC8B2CDDE9DC6082670821 + +Count = 817 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E2553217F2195066B6F9EAFD049DB2AD4 + +Count = 818 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E1AAEDE3476410A78C1CBE67D479A46EB + +Count = 819 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E477908701DC55A9971B9DCF278341D53 + +Count = 820 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EEE6ADE4AA0679A49E3696942F1A71649 + +Count = 821 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E6FDB4F91185E10F93D7E33FDBE729CA2 + +Count = 822 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E2169D4C70080BAD7EE4EBC595BF1468E + +Count = 823 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EC20DE484F95D8EFEF3ED7DB1624F6BEB + +Count = 824 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E10C7749E1DBBC7B3507AC8FBB43A543A + +Count = 825 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F1011121314151617 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E3B2FB9AD0EE4FA7D340C326C7B9D8AF7 + +Count = 826 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87AB3FE7E760507E9D474F7182487F71 + +Count = 827 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DE5AD4DD762DAFCCB6B2164C516C481B5 + +Count = 828 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D2DFE14B19D2707FD9ABC848AD43F47F5 + +Count = 829 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DC8A3C76B1DFE39120473F5B2B4791A1F + +Count = 830 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D7D7AF873611726E394418EA39CB443AA + +Count = 831 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D787A3D6CB321C683BF5BD1902A863E58 + +Count = 832 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D03C8EE310794D41D2DC6CF573338BDC9 + +Count = 833 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DC1EEC5D5C16198B22CAB8976FCD95FF0 + +Count = 834 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D7CF75FDD033F0267609051BEF5DCF03B + +Count = 835 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D81EFF05D0C9E0DDF602CDA3BD077D009 + +Count = 836 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D9BAB89211E3723AFE2E50E95D1C6D281 + +Count = 837 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D5B4E70D6B71EADD999AC93E208AB1377 + +Count = 838 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D492EE81007824A6927E6A7AD09BBBB67 + +Count = 839 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D1F5661E018EBFD51C49CCCE128EEA40A + +Count = 840 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DB173EBD9C716BE341B2F858EA5972282 + +Count = 841 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D513217483CD04BCD6BC387277E1F5432 + +Count = 842 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D117FDAB76DF8A7D884C30B16A177CD98 + +Count = 843 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DCC3938B3824E4E93861BFAFF449A826A + +Count = 844 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D3CD503C8BF4933A74F5ADF38329BBEDE + +Count = 845 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D3D24C29327597CC9C15CED48059B53B5 + +Count = 846 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DB0B2AFB71405FE8D85A64FA25797A308 + +Count = 847 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DD0B3DA545EB38F3DE0AD6A3B9DBB4FA2 + +Count = 848 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DCB439CE91591329EAAD8FB61E74D0CC4 + +Count = 849 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DFF3D5F793E560A6A844DD51F0E019CA7 + +Count = 850 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D5A9890779AD0BDB849A5545597E0D908 + +Count = 851 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D533F9529F4384CBFFC4077E1344DC970 + +Count = 852 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D6BF69CA55139F16BA153A141F4F6B50D + +Count = 853 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D503E7F45395CD51E0D0F9C2B34971617 + +Count = 854 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DAB64561FC76F017DEB8C7A38FC079D76 + +Count = 855 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D041348C9061CC35EBFA27AE7D6E5C42B + +Count = 856 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DBAB39B8D1F3A5385986BC78247BCAED3 + +Count = 857 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D1D3E44BD5574DFF0972AA1A6E62D1120 + +Count = 858 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8882931DB954726BA3CBC82530A34698 + +Count = 859 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D873448F3A6CFC9118318E2F194C60B2466 + +Count = 860 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87BC891241C6D70924C100FAEACBE637A4 + +Count = 861 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8748E7EDFBEC36884E690E271A8CA4DC97 + +Count = 862 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87D8602A6EE2B2DDD88A8E3D7390C73E7D + +Count = 863 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87BEB9868DD060B679EF70C7256238960C + +Count = 864 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87E0BD22CD00E084C545E9C47346796037 + +Count = 865 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D879579F5BFDF9B565E7E7E85C2F3C180D8 + +Count = 866 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8776EA302DE67246A0EEB0016918232BEA + +Count = 867 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8739C62481B129AE07A1B77AF4E3D6A0E1 + +Count = 868 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CF176DBEFE255A87EA7DC29DE9E639E + +Count = 869 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D878354C9352526999303D47D6CDD7B7B5E + +Count = 870 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D879A90E09993BBC18D7C139F74F50154E7 + +Count = 871 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87702E39CFD71944BA86109DE200D8FAA5 + +Count = 872 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87BDB3F84D585CFF414555B7A5CACEA415 + +Count = 873 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87553F0184FD9F7A142E6EEE2E10C63383 + +Count = 874 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D877E0DA3B60DF1C7BF16515B4841CC9238 + +Count = 875 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87D0E7C2DF9FC51E4ADA113F6AAC645C5E + +Count = 876 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87891ED3EE8E72C09CA5AB4670A924023C + +Count = 877 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D874C0D2D539B796741A23120D87C861420 + +Count = 878 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8706B33F337A4A5BE0F3186F5408DA65C3 + +Count = 879 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87F93E4E8DF099B641ECB49DDA3BF0E9ED + +Count = 880 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D879C097FC5C1D996B09CC6D43D295F3AEA + +Count = 881 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8730E5646B75281A680857D1A34D6CF579 + +Count = 882 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87A3C7007DEDC88AF57FBB19769C1B4C6C + +Count = 883 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D870F030AE2EA72CED9C1844B050169253F + +Count = 884 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8714759990101F2E4C12C08055734EEA7F + +Count = 885 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87132A7CE824BC953D8EC796E3F9A4DBB4 + +Count = 886 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876F5604275472C7809B6C5469193878FC + +Count = 887 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D871BD463B8C92BF9FBA9036ACCC60A1BE5 + +Count = 888 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87FBC6E3AF78BB4E0B87117DEB0B201B25 + +Count = 889 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87815FDCF0A163C26A815720BB8544B062 + +Count = 890 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87C58CB47E9D498A64DACBE79A4666E5A4 + +Count = 891 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8743D1C63E8B0496DB3215DCB05AFA05E1 + +Count = 892 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C82C7537A40CC8B7810CE8B95A63D8D39 + +Count = 893 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C045BF7856D2C00769AA421727907AEA5 + +Count = 894 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CE49FA4060262AFD26D6843BD23CBEFBD + +Count = 895 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C411E5F8600A613F4F5893A35A559629D + +Count = 896 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C050C691F618483316A9D171C6B4E476E + +Count = 897 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C36BFBDAC37B4A7ABC3B08DC2AAE1743B + +Count = 898 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C0960BEE7DAE54C79B7B8FDCE7A2FB9E3 + +Count = 899 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C547931339E1A3475130CDC20C7D0A630 + +Count = 900 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CB7712F6D29FC570972D1EB92A14155BF + +Count = 901 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CB410469590A1D27DB50AB89251B77E02 + +Count = 902 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C399D305C73E14C76630218601C507F4C + +Count = 903 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C636B5E5DE9D09264E3873E02DFF10044 + +Count = 904 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C9CCDC4747ACDE23D8CAA104D21212306 + +Count = 905 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CF7AED42BED0C323283D6FB91051ED67A + +Count = 906 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C0A163D32AD25ADB70BB22E24EA36701B + +Count = 907 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CA6F549D881D13FD9752440E620F82480 + +Count = 908 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CD1948EBCC1859DEB58262F3B79ED8653 + +Count = 909 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C6C5CC67CFA4E9FD281ECC7E16940598B + +Count = 910 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C8FFA84A9166EF266FE09DCE59083174F + +Count = 911 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C4DDEBDBC10A500AB7939FCC574EABFD9 + +Count = 912 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CCC59073046BD4B147F7B47843060A950 + +Count = 913 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C2A46883881A63D898772818411E6DB06 + +Count = 914 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CECB9F84E0B00FD34E97F19FAC85851C7 + +Count = 915 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CD5992787B846514F4841C535359E9B97 + +Count = 916 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C32A7F52E3EBBF3B01EE36B07947D4D3D + +Count = 917 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CA971B97F703E1A4BD7CAC7E5D3198223 + +Count = 918 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CB49ADF9EAF2DB688146EC5B986E6E1A2 + +Count = 919 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C9E9ACC043736A66ECA60782CBD73A8B4 + +Count = 920 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CDB467524352EAFE07ADC94C99BBD0278 + +Count = 921 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C5B46F71343A623E99B844590065BA545 + +Count = 922 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C5ECE67A401ED747B59B7E8296A7560EC + +Count = 923 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CA615711631A4DD02E1C07D2DA662A4D6 + +Count = 924 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C8E1C0768867203AD8B62BCFF204FD746 + +Count = 925 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1F5630ECCC4373FA1238DB9E057890D66 + +Count = 926 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1486F2CB1BFDED34BECCD234B19764A4D + +Count = 927 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC11FCD537AD1E6FBFF47A945D92A9467BB + +Count = 928 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1D993EF9473732E0213DCE65ECA791973 + +Count = 929 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC148D44EC16829E4E64512C2F1CC24ED8F + +Count = 930 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1FD72CE22139E5A1B1C0F99E17B4D274C + +Count = 931 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1078946F2C679C9E3C6A7D2328D91F37A + +Count = 932 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1668C37CA4EE7D97A6912F2414C9AC383 + +Count = 933 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1EC5192B73FAB4CF2ABAF47F6F58E3B86 + +Count = 934 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1CF71B736D001377145F9FC864E458174 + +Count = 935 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC14D5BA9B4BABECD7FEEDE25C9E4A44A21 + +Count = 936 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1EA5E97754B2810D82E5B932A7A8CBAEB + +Count = 937 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1681DBE8177388223470122CE65A0458A + +Count = 938 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1028E8C857856A2AD3FF611C8D87CDA94 + +Count = 939 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1216255B358723D217AA8D06542E35860 + +Count = 940 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC11D0F00A00986D512455E20D26DD4C521 + +Count = 941 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1EB7A28EDC8509E3D1580CD1BCFA81967 + +Count = 942 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC15258F54880EF3EF1D44F5C49E5B0D395 + +Count = 943 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1EB0270BD3F673327155C3C0B07E554BB + +Count = 944 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1F8A98C734023EB3BCD2CA9D1849AF243 + +Count = 945 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1E1DEE90D3F2280E8EEFEB10A19137D79 + +Count = 946 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1D079553CF021DFDA03DE90210885C5BD + +Count = 947 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC129AACE7FEAB3E339C89D3C47EA112D63 + +Count = 948 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC15A8A6193530E061DD1B5AA1182D1B5B6 + +Count = 949 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC145F09727FA9CB58CCD33EC2B01D16AD7 + +Count = 950 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC14EC6D51736F932F50E5AECA2C1986411 + +Count = 951 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1D204E957C143045A449B78FC6F0DBB33 + +Count = 952 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC125AFDDBE7AD59A06DF9C4A90C22D267E + +Count = 953 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1DF0C08D8530F17A9F391A3F2E47D5F74 + +Count = 954 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1545966E82E9CF57E1513FE62EB0CA95A + +Count = 955 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC17ED6D968FE17DEE3CB8197C10628B71D + +Count = 956 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1A1C8079D1BE3BA06ECF25AC3C94B956A + +Count = 957 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC161A8D6E9587DD581380D78A8FF3CDF55 + +Count = 958 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7EB2C940D16323835BDCC6D3FFDC1A933 + +Count = 959 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7EAEA033E98FDC6E44699D8115DDBCEC4 + +Count = 960 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7F948EC4C911BD98E47EF47A81EB69B8C + +Count = 961 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7657CA0EFC8309D337F28F0689EFFBB44 + +Count = 962 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7FE9DA69A7DB60A320BAB9119035D79EB + +Count = 963 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B74F87131EDDC061A0558E503F5023A643 + +Count = 964 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B756C58BEF3401D0E0F1B7136775491D2E + +Count = 965 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B755AC091225254EC28A2B880AD2EAE1CA + +Count = 966 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7409E1C37EC6F62B2DDFF254C0A4CD69C + +Count = 967 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B785D7C7DD776E4CDE1FF14BD00B14AE8E + +Count = 968 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7683489BAC6753C1D03092AAD48B2B40B + +Count = 969 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ECC5F1CA4DFFBD6988A0781375C0E67D + +Count = 970 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7FE65625939DE023C5B315E822058F347 + +Count = 971 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7C2047D0F7B9C07BE45FD0DD5A6A4BD8D + +Count = 972 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7C82F9BFB210D503C5F92123729B9055F + +Count = 973 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7516CB597FB42648DC0E8B0E841F8E830 + +Count = 974 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B70A84D9965665F32FBC3521E669829797 + +Count = 975 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7895C1AAAF5093ABF39D220A40865805E + +Count = 976 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7C23E64B0D89C053585DE284498CC851F + +Count = 977 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B78D655A4860901989CECC33008A213F57 + +Count = 978 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B736287F42AB55B29E0414A38E7BF873E9 + +Count = 979 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B72ED50229949D3ED4D700E590A5D0FFBF + +Count = 980 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B786CDCBDF5D94DAF4F21A99A8DDC17FF4 + +Count = 981 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7A3C3069364B519111736D6E6B3C27910 + +Count = 982 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B79190FC9F6B6D445F0366799FE6F651DC + +Count = 983 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B79469BD4ADC9C618105179DF919EB4A71 + +Count = 984 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7E1CA0DC98D7CD1AE57472C439185F25C + +Count = 985 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B760599575BBF80370A02E5757D43CA438 + +Count = 986 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B72E50080E0BB7C028282E2CB4C1EA8C0C + +Count = 987 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7FFA427341BE3F871A72C048F04AF9F79 + +Count = 988 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B758BE6E05A6E83858C2F2FAF0F4470D43 + +Count = 989 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7F8A8B661B9D6EA421AA04E4BAF5E51C3 + +Count = 990 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7638D3DABA63D4EB283528A6FABEDDC3E + +Count = 991 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADC5213CFDA610FCAADB9956F2BE1785CC + +Count = 992 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADDB320432F49B733E9A5F3FD2097BDB76 + +Count = 993 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD4779AAA01B09E004BA02A1811E5030A4 + +Count = 994 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD3FB7BA6DBB1F2173CEFEE4E81E06BED3 + +Count = 995 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADE0F9D19ACEEB243D15BDA6F367408C1F + +Count = 996 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD0C399CFA743FEB630B93D37D475A95CF + +Count = 997 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADFBBBE75EE503290EFE1FFFC772B418BE + +Count = 998 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADA2D0D551F9A4EB19E0F956A3955DC4C5 + +Count = 999 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD1AC438BA6A9E09A6658D36C35BAE6A4D + +Count = 1000 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADC10D448D3B43537D5609D083564AB796 + +Count = 1001 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADFB51A1A21CDA26607F0820352405463A + +Count = 1002 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD12B52748817907B5CD3333D8532A32D7 + +Count = 1003 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD3E0E3CFBF755ADD1D277CC2E0580D29B + +Count = 1004 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD1A3D22D26F9CDA65E5B9FE201CCAA2D7 + +Count = 1005 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD794B54C8C9DCE10553898CB5F4B7FEE4 + +Count = 1006 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD060B7CC2AF5DA75B1F6B12F8906492EC + +Count = 1007 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADE889BA20738B6FDC692EA8D5AFDCD26B + +Count = 1008 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADA606072B142F37B9FBDC381F4579E726 + +Count = 1009 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD45721303A6AA6903657B97AD79C8B25A + +Count = 1010 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD87AA3F1A6F60DB07EE4F2E903E39740F + +Count = 1011 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADC79423C689FC65D691225722D09A4A36 + +Count = 1012 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD29E9EA39819EF2C445E57AF62F45A8DD + +Count = 1013 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADD770752D81CAEA7C74C034AF162B5DF5 + +Count = 1014 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD648652A42DAB44A7ED35D13484335801 + +Count = 1015 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD59738A1C05BCBE706636D3D2CFB39EE7 + +Count = 1016 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADFE35C5A3FF7A09A0505FBE953448882A + +Count = 1017 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD5B380ED4C9C06F4CCF88C941959763EB + +Count = 1018 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADF41556865B398F814216368FBB02AD6C + +Count = 1019 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD5DC41F8F835568C5671F636B8A96ECBD + +Count = 1020 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD30621CE4646D690C7EC6310B666197D5 + +Count = 1021 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD14FCA40B338125735869B6CA4651C19D + +Count = 1022 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD012A7D3E5A76207FE278F56C2F25A436 + +Count = 1023 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD0111D14C7497DBA56E2043829516260E + +Count = 1024 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73FF8A0BC1F54F34361025CE35FD0F03F2 + +Count = 1025 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD739803A189FE20D98E59B7E04D2DF99223 + +Count = 1026 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD7396931318D760CDB7B084191DA4989BB2 + +Count = 1027 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73219039CD85CED20006F2050A51E3A39A + +Count = 1028 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A1BA2B29EED38DD9E1BCA6007AE2773D + +Count = 1029 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A9C4D2692D4C99F94C7694CFB2EF5F20 + +Count = 1030 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73DC428EA5862D7D81D82D39A1C977B0E2 + +Count = 1031 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73700BAA043B6BA9CB4310F5D0CE0695BC + +Count = 1032 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A9DF1992B478697E733B6497810D8BC4 + +Count = 1033 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73B4F8A2F74DC6C78C989E0D77821F7A91 + +Count = 1034 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD731FF4ACB4FB1D90CA856CA4E926712880 + +Count = 1035 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73BE6A520ACBCE39697CEAE621579B52D9 + +Count = 1036 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73DBDA70409A486740E87DDC27DFDE0869 + +Count = 1037 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD738A1BDEFF61DA711DD411919CCBD9E410 + +Count = 1038 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD734FC593223A0182592D30667D89EF9BE4 + +Count = 1039 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73E1370CC6B0FFB470D54FB22BD6FD24B2 + +Count = 1040 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD731D15299E9226B9398F72E44FCBAD501E + +Count = 1041 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73AA9BE81D6C858C8B93242588D5ADED29 + +Count = 1042 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73386142068FB5677E9875A58CB3607F84 + +Count = 1043 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD732B8E413396F27D2804F013AC79B2B3EA + +Count = 1044 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD730BB33B9A328B7A4A43610E1DFE1905BC + +Count = 1045 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73102F2CB8F317BB049EA5A96D37ED145B + +Count = 1046 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73754CDF5B46C2BD0FD279112E94F77348 + +Count = 1047 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73DA93011F49F2B5E7C083E1DFACA08E2D + +Count = 1048 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD7379FBD72F07BC9FE5FB430D9DBD5A62B7 + +Count = 1049 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD732BCB00B018AFD1EEAA92B4E157FBA4EA + +Count = 1050 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73B1F1FE1F85C1A36FC7CD453EE079F4EE + +Count = 1051 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73D24F75125AB4BAA457D9D09A127228A0 + +Count = 1052 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD7321A7E4F2F089767A98AFC62556D56B7F + +Count = 1053 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73564D9F2D2D06066880A2ACBAD016D7F9 + +Count = 1054 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD7337B90AF70ABDAD2D88A6152CCFEB8F4E + +Count = 1055 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73EE5BD51E09FB636238ABA1E3423A091E + +Count = 1056 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD738E0416B48CB653F7E46353F988D334BD + +Count = 1057 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A309D48992E694008BC85750B4CF8D1EC9 + +Count = 1058 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3289655787FF3FF9BDB28C879F826B003 + +Count = 1059 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A350448EC83950637FF8FB17ACBF00D508 + +Count = 1060 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A317CDAC2EE15128E0393DD1C27A691AAA + +Count = 1061 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A36C37E437BE1369DC845D461F7A676A24 + +Count = 1062 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3B79600F07CECB309C81079F39C900D24 + +Count = 1063 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A312B5F0EAC304CBA1F11D8FD2B8C06B56 + +Count = 1064 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A30982D08DC284D34FFCEAD159F4418C28 + +Count = 1065 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 0001020304050607 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3B6EA693C0975607BF3F845BEE8CAA015 + +Count = 1066 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A35920C48E1DCF883C83924E36580F9312 + +Count = 1067 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 00010203040506070809 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A33F7296C9D1FC1D21A3A599DEAD7220EA + +Count = 1068 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A30069C99FEEDD98108E4FC34BF2BDD4AB + +Count = 1069 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A35FFDD19745A9E63AC87888F56CD4E9DB + +Count = 1070 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3D9F65680B439013B0D5F4108F9FA975C + +Count = 1071 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3304E326E296EDD5A88F0DC8079272D16 + +Count = 1072 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A331F009CA52DBE5D16BE114C7AF74C256 + +Count = 1073 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A31453533EC74604DE513A7D7AA834DB12 + +Count = 1074 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3F5A450B7E3481DC42F79522DF6D5BAA3 + +Count = 1075 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A38ADB04222A3A349176DD427AB1C31E3E + +Count = 1076 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A30608584484B150D2D1E41530B2278F1F + +Count = 1077 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3C6BEE2433839E5E8FE935C1227E3ABD4 + +Count = 1078 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A322D6EDDC0058690B33C6E237C17F4E2B + +Count = 1079 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A34C9FF9BE3AA963F01EB8193E94205269 + +Count = 1080 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3077F0309CE755D2FD8973F72E002505C + +Count = 1081 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F1011121314151617 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A33B4CD5DD4031158F9BBE96F91BE27B94 + +Count = 1082 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A38706A0B4AE7CFD6EA6665A56D3036648 + +Count = 1083 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3FE7E3A366D28D541BA352AB5A18A4EF7 + +Count = 1084 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A34FF83D42BAAA1B0A3D92582A3C64AC91 + +Count = 1085 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A36E10C177D00C16ECD4EFD2B1311E8D6E + +Count = 1086 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A301A4471A6A1DCC2D848E824FD3C3BC80 + +Count = 1087 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3DED27A2F2DE5F406C20052FB5E7AE797 + +Count = 1088 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A396BE7DC1DB3BB585EE762A8E4641E83F + +Count = 1089 +Key = 000102030405060708090A0B0C0D0E0F +Nonce = 000102030405060708090A0B0C0D0E0F +PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A37CABFFC9C255FB9531F303E966332FFD + diff --git a/isap/Implementations/crypto_aead/isapk128v20/ref/LWC_AEAD_KAT_128_128.txt b/isap/Implementations/crypto_aead/isapk128v20/ref/LWC_AEAD_KAT_128_128.txt deleted file mode 100644 index 14956bb..0000000 --- a/isap/Implementations/crypto_aead/isapk128v20/ref/LWC_AEAD_KAT_128_128.txt +++ /dev/null @@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = -CT = 104E625D372E27EEE4D4E3CE1CA39D1B - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00 -CT = 8EA6C9449EF9B5C24CFFFE4D781E616B - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001 -CT = 291F4AFC4F703A978A3DC4FB8EE4DA4A - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102 -CT = 3346A06FAE8812F17211E2BEEEA5FABD - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203 -CT = 17EDD93471C85041626DF6B67A84CFAB - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304 -CT = E1A7975C892AA0F499F9828573C08DD7 - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405 -CT = 5823BD069977076D69DB8F78A9043FFC - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506 -CT = 8C4CD83C2EBEE7022D9D402D2630F6A1 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304050607 -CT = 0DD36AE124BCBB6F435422F96D3D8233 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708 -CT = 89343263D3CF67F59B7C711B820CC61B - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506070809 -CT = FADF706A48B0BEE5A94B12318FE9F320 - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A -CT = 5608114EAB33ABCC543CF91F078AB1DA - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B -CT = 452B6B00380F19C157B692D93C005C5A - -Count = 14 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C -CT = 44244FC7492B8712D4AF62A476641F1B - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D -CT = 5F3C09A1BC54FA805D86E85A137336E2 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 36BE350750F559D81E8BBB47B4BBB013 - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 07B0FC873E00FFAD5FDB349308D5FA99 - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 0775BEA622F1C6DE2EDEC8AD65D32A53 - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 256F874EEE93CD7B7D6462B8229C4130 - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2FFBBEDFEB32AA69BE8A351DBF7ACA66 - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 606A578DD659F2377F18112CA91CC1CB - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DAC66A39C17CF1CCC8B1DCF034F50045 - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 95DD335590B23F070180499EB4E29580 - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 657C1CE6BAF9D1064C8C880EC25E5DFE - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = BFE353B26FDCEDF884440BADA402A1DE - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 0C518C5A3C0F6871210843307D1D8113 - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 278066231AFA68D8070E27E4C11684A6 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 61FC0D8273718B49BA30E38CD55778DF - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 6FA40D8FB591AF5C7D1742DAF981BF8F - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 92279D2AE0F991C2BF7A0B2E41812924 - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C2CBC9FBCB01FE241E7E5A07150DE0CD - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 5E5BD60D0B68608251804F7021947400 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6CEE7AAE490C0A9D6C0D060E61F3E442 - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = -CT = 599F434C5D63E9DEB47C2C67A5113A4F3E - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00 -CT = 5996A6EC86590D93659A31543B9309E998 - -Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001 -CT = 5937D5412329313B86B1574CB661B29843 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102 -CT = 599B57AA2A3519D5F6AE68F35EA28A1660 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203 -CT = 59E972F9284A893A53487BEF1E705CBA71 - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304 -CT = 59AB5D07669E0BFF5FACD16CEC0D732924 - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405 -CT = 5941A13766677806F6525AE561A6916B64 - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506 -CT = 595D2FD7FA101BEF1C314ECBA83DC082C3 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304050607 -CT = 59AAE6F62BF05DE0DEA9374FF7955BED79 - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708 -CT = 596EA6D639B9430DD9FEF68C4D4E63F51F - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506070809 -CT = 5930680CCD354B128E3174F8E94BFA0E14 - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A -CT = 59889913C7FC4B1C644FCFD9CAC727E2D2 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B -CT = 5992C1065A489CF6557C7B9546945FBF12 - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C -CT = 595BDF874931CA30B8AE6BBF1AFCB7D9D2 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 593C645155B515B8A910367CFF1115F1EB - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = 5999BA0313D726B76FD7B60835336BE073 - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = 5950C6E7AEA09036C7BBE1135102E56EEC - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59EE439ECA08B286C32DAD1EE8ED943A86 - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 596C67E8B1BA10EA79AB32A1A41239500D - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 591FEBE8102789DB66C9F1315A480CEFE2 - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59979CDBB78A18B981E5B7D16C6405931D - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59F42BA5FB6B9D1E5ED39C33FD37496ACC - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59C95A20C60F30FFD523A9E449DB4B5F1A - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 599B5685401CACF7CFD18429FDBCF226DD - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59A23E7A8B8BC912B35E3B30EBB63DBC42 - -Count = 59 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 595E042F4CBC74AE17DEF75B05BB934CAB - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 596798064988EB4E60C56CE8987ECDD0E4 - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59A415156D6631267659317E25E1F4324A - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59EE24F5CB7C58471F5C839B521E2766E8 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59DA062EE3551998BC656236A0A7BF801A - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 594ADA8FB444843032F2F3520EF454731F - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59AEB20013E7C0092E320C52B4BD079136 - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59BF66CF612F34B86600B22FC37371A808 - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = -CT = 59D594D58AA83A5EB43213DE3E5ABC386274 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00 -CT = 59D5CE5A4E2D5292EA0727643FFC47187BAA - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001 -CT = 59D57AF2E0CFCBBB983B0D3C3E3938AD029D - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102 -CT = 59D5295BC297561F66337D59D545D4CB39E3 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203 -CT = 59D598F2DB0BC44E6A9CC5C5A73EFCA0B970 - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304 -CT = 59D53D34654A6A0F151B90A0E85BAC875705 - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405 -CT = 59D5D547A1C5BAA65BBAE4010F8E961A188A - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506 -CT = 59D55DDD2D87632EF0D5AED27BCC18B361A6 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304050607 -CT = 59D5177B4B3F284E426E8E572EC00A2D82D2 - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708 -CT = 59D5AFD97BB311D9370D091154CAEAA30487 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506070809 -CT = 59D591B0A2FA7B3CD656ED3529B4F9CF9475 - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A -CT = 59D5C651E9A26DDD7616475C8C901A7751EA - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B -CT = 59D533FA11890368A1FF253495FF5CFA7CD0 - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C -CT = 59D599026E090AF3A6A641701024CDB3B802 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D -CT = 59D5760625EDF21DE04F61B5E91A04FD1B6D - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5588E96D89C40B780B9E9F58F945E622B - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5EE76FCD94649086AEC6622834C640E8C - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D52450CD836AF182820ECDAF6C24552059 - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5F4FB63A5562CDBB7E28B0908BD9FAE73 - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5FA1AF57059CE1ED3D65518BF80832D2D - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5B7C684CEEEE6C7071A7A377FB32C4B19 - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D547CB7EFEDE2FF838E0397053D47B9383 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D546AB460ECC4A32FC770D683640AF41A8 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5CB5C5C6F1E7752C987BB34183D8F512F - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D55F0C80F637103EED139C5B2BA77260DC - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5D6F98931E29FF5303223B26D433D1381 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D58D821DF5385314C3747E616DBCDFFEFA - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D586DAA3015185A02FD7474A10315FE2DC - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D58332BBF7FA18C2D04C24E2985C60E432 - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D517D1E23CE33AF7C90F0B4502F943A677 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5017FEA518E6611A82F87533D5CDDA7DE - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D56403387CBCB8B7ACE96C7664969ABDF1 - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5CFEBBA4078F578F5CF02ECFC3DC94088 - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = -CT = 59D5A4803EE152CE95019672B78F1F8104CCE7 - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00 -CT = 59D5A44293E1A9B087F96D8414E084BFF04739 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001 -CT = 59D5A4E8DD8BFDBAB5651351175A30B9F5D8C4 - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102 -CT = 59D5A40070F2075ABA7F5BF852EFFC67609A1D - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203 -CT = 59D5A4C288DA6C2A88754CAB180BE036E79D50 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304 -CT = 59D5A49F2A89849FE2FA93B54684FA52038A7D - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405 -CT = 59D5A40B08AB9A54099CA286083BC1D5C62BB1 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506 -CT = 59D5A409747320BE9DB181104F39E1DE35329E - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304050607 -CT = 59D5A478E14E91353E9D643CD9A541E977DB03 - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708 -CT = 59D5A45AE027FB1DB62B6941023C3FA54C7F3F - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506070809 -CT = 59D5A4B86D801A72ECF475295C0FF21B60D6CF - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A -CT = 59D5A4674DE2C62FCF80825F1E10EFADD6E5CF - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B -CT = 59D5A44AA986E05D4B902794AB08181774C146 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C -CT = 59D5A4EC01312EA5154EC48B968F82F63DEC66 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = 59D5A4AEF4C940333F28D8E36747C3D6007BDE - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A4DB0235C1CFE05CAD7425F7C0754854A8 - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A4B01BD28168131F1942964F749F3C3172 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A4A3A7B4EBCD23BBB921A490B34641D4FD - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A4E38A5092E8C2AD8B0DB1A7195704C390 - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A4013A74E89E39AB2365CCDE9B1432F4FF - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A4DA300F3B3436BDB49F4C1D986B118EC6 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A4848EA6B707C3897A09423DA1CB5DDE67 - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A425A5C25489497528D22CB70A1ED8BE41 - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A4732B12957B2B9F82F8BE4A5FDA9AFAF7 - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A4C7D950C8BE015BD221A9EDF58A9EEA24 - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A4A04949BBE6C3C34AE03122A1C52F4199 - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A446C9A86A0E274000F08E95B49EF3A590 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A434467AAE8A0F9E5A9B4C7EA28CA167E0 - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A41DF22A7EE19755A532C32A0161CAA6E3 - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A423490C95F3A7A15BA80F5835E3C2099D - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A4F40FD63F84AC51E95A07CB04CE336B08 - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A4AF585688E2375A23C9A8EE3589C9D5C6 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A49BC96D3B2C24F6B4778AB75AF8E88039 - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = -CT = 59D5A45BBE536C191C4400B7D9A994F6C700F568 - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00 -CT = 59D5A45B840E3E6ACC9D74514CC2F06341E06E2B - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001 -CT = 59D5A45BB3895D2BDCD5708D7008F36F4C281C85 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102 -CT = 59D5A45BE8C659FCB6D6B308629677FD13128123 - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203 -CT = 59D5A45B59C266F87B12DE5884875360F9EA9E8D - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304 -CT = 59D5A45B3628FC987B92A2B4BD14BC603387F2AA - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405 -CT = 59D5A45BDD7218285C6B4198F126DF2EC06B297F - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506 -CT = 59D5A45BBFF9127ABA7E6C2CAB2A6349CA5DF5C3 - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304050607 -CT = 59D5A45B024637FC09B79261AC8E5A7BFDD8230A - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708 -CT = 59D5A45B047A50C3D5DED10FD9A8CC5AAABF6013 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506070809 -CT = 59D5A45BCBEC6A494979720741AE32B969D1080D - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A -CT = 59D5A45B3582FDCCBD34A70291C8A08B4CE92DE7 - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B -CT = 59D5A45B5F3575E6FA10CE0E30B34B507D0E3B35 - -Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = 59D5A45B736EABA52D2A5C3D437AB4E9356C1A33 - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45B7D185744FF77BD0810E4622399A3D9B8 - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45B543224B51DE1CFA4A48C8A91DC364A79 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BE76526D8DAB2432AC0D05269529057B7 - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45B505853FAADD207F8999B758AA98B5B4B - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BD1DADA6BB07F815A53CD24646DF12492 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45B7327BDFEBE41008FAB153E8B39DD532B - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BFE2F1C7A842BC189CC117F921F751D3B - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45B90B6469E825E4551511EE50195D19D0F - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45B03639F7B47288FE87607085B3776B5E5 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45B822B32B4646BD19CDF7B114764CA61FB - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45B5CA29D33F978F36FE225961794115D1C - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45B4DD591FA8FDC13737F44AB02DE7648FD - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BAD79AF3AA60495CE389DDC748F67C946 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45B294A2DB78A85FD7B2518F4A8A3C09B66 - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45B9FF6F48153ED48BF834B8FC2BFBB1E70 - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BF0DE57FD9D0885E51A87128082DD4FF5 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BFA2147FA09B3A8708CF2CC64D6601D13 - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45B125B981CCD8890E8FB52F0D3ECE59C4E - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45B01093EFD5B7366907F68A16FADF3E395 - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = -CT = 59D5A45BCB81467C017572B9BF07055FEBDAAABC56 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00 -CT = 59D5A45BCB8E8BC2B035451DE70AFBCD179EB88DDA - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001 -CT = 59D5A45BCB728E5D13F3990F8209AF0F9B35290767 - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102 -CT = 59D5A45BCB84E8F564DE3D604B7022F27FB906C7AD - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203 -CT = 59D5A45BCBF63F951AEFADEF653F6109E00876404A - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304 -CT = 59D5A45BCB9CB739A99E815C050DDA34DF1AC0703B - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405 -CT = 59D5A45BCB8DAC01F8B17D6C8036B94179C4E4EBBD - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506 -CT = 59D5A45BCB533DAC4D5B3AE7699F977DD0A0CC0A6B - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304050607 -CT = 59D5A45BCBDE30004C53E1CD43EE0A983FB16BE301 - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708 -CT = 59D5A45BCB2CD33E2C5467EC4EECCAB974F10D3653 - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506070809 -CT = 59D5A45BCBF33AA265BEC14DEF07C3B4B0D58B2F98 - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A -CT = 59D5A45BCBFA3B5188EA398D8D04EBDADF6569D847 - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B -CT = 59D5A45BCBD5668DA7B9A766C426E94F1B5D05406E - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBFC99D789D5B0AFF9326EE6122BC56DB1 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCB56BA5CEA1025C520D89427DE831B223B - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBC46048D8B684714467F785ABBED29729 - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCE303CE0C11F278D9A8D9F72BA04D38E - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCB0805609383574B4EE592A038C187AE74 - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCB3A9720F6095D68F884B541E57253C8EB - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCB532FE7DA766AA66C2C658173CF1AE47C - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCB78F3FB57AA707A202576DBF89598CEFD - -Count = 187 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCB809EC045E0AAD202DA9AB679679D8D9B - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBAF30D4E172E9D36D5059682CE869734B - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBECB26BBF9F648F2978378F66421A963C - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBB30127629ACD0ECA03593A74F468BE76 - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCB988C03CD85A193E14ED8C96A8498195D - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCB75991E7BAB1405735D002486FD208552 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBD321F543A5FA8C19731953EFEA6EECD9 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCB538A9F6D4B6A6447718472ABFB86311D - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBE5948B086BFDA228E1D2D49C4C7D449C - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBF194219F21563217CBCF8CAC6C41370B - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCB2B612FDA54112A635E1C77484DDD6928 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCB3B42DB57D6F9F91C128D8980AD862547 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = -CT = 59D5A45BCBCB5836E69EE0E89556AB2BDC2C6F5A93AF - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00 -CT = 59D5A45BCBCB5978FC60F45A2C80F7F18AA887D6F766 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001 -CT = 59D5A45BCBCB309F15179349A4A7F1A568DA30BDFBA8 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102 -CT = 59D5A45BCBCBA2369F86946F01173627C4E7C94D0488 - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203 -CT = 59D5A45BCBCBF17D89A5EDA3B659B1E7C08F8446AB31 - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304 -CT = 59D5A45BCBCBC50AB7523B5576F625AD717E3408E9C8 - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405 -CT = 59D5A45BCBCB7F49C12FAC2FF0459DA9D91C81289F64 - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506 -CT = 59D5A45BCBCB69CC45A58AFA584EA5E594A456BA9BAD - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304050607 -CT = 59D5A45BCBCB7E4015C28D913438F8C63D17A8DBD9B7 - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708 -CT = 59D5A45BCBCB0153BB8BB5E032A76659C42A9D1825D6 - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506070809 -CT = 59D5A45BCBCB9BD8ACD57D8BD8128BC76865527DC65E - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A -CT = 59D5A45BCBCBC5C2C94FB0629DEBA1827FDC9BB05831 - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCBBFEF14F9C13FF8AAECDDB2884DEEF0B8 - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCBE7624C7F2DD32E07631723E0813907A2 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB676907C8932EC866A769B02E55F5B8BE - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCBDA7F31E425C03985A44A3CB0547F545B - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB516DCAF8F9BAA8B5ABF459FF0F3FB837 - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCBC6B59AC79BADFCFAE4B347B30CF8AFC9 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCBB791495ECAE5E0B022EC50003441D246 - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB1D5DD3462B3919BBB6EE63869975F830 - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCBF4356F46004E9A9281FA10B111CE08CB - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB079036F1E350892801AB26B87768042F - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCBA815F377E4BBB6E42C2D6063636C2B16 - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCBC897479E24103F60030FFF0A27946E10 - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB094253726CE8F3A8572EBBBA798A5E7D - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCBA3DA993982EAFD20BA51B1A3F6A5CF53 - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB8ACEBD5082AF5A2C89D001F44FF5105E - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB077522E331345DBD30270C8933E6ADD1 - -Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB556B98DEAC60978051337C7A96BC154D - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB8F8D0B5CBDB69B45B8BF001540B8EB56 - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB654ECDF7A9B46BB7F5EF9BB5CC112F24 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB5779173FF149BE888FC3065DA3DAEF39 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB9BC61F6288B482B95E829A7ABD34922B - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = -CT = 59D5A45BCBCB339A578C3F2FB53FDD65567AB5A380F3CA - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00 -CT = 59D5A45BCBCB3387258F87682C495D763C3D23D15BCA4E - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001 -CT = 59D5A45BCBCB337CE146D57A3C3B150688EA9F419FE47E - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102 -CT = 59D5A45BCBCB3364E35E85DE8FC9AEDE2640AA607B55A0 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203 -CT = 59D5A45BCBCB339211694A8E9D2C6A3A2312732632BCF0 - -Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304 -CT = 59D5A45BCBCB33254F8E80D2F7F1C7A5EB08DB613F16F4 - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405 -CT = 59D5A45BCBCB3364A233B6F3E085C99B57781D9F3F60C5 - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506 -CT = 59D5A45BCBCB339946AAAF7EC9B11202095E788C9841BE - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304050607 -CT = 59D5A45BCBCB33A5693D7C20D6AC1364C25F7EF9CC45C9 - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708 -CT = 59D5A45BCBCB33521A373FB0E191F4C3F3304F656E60DF - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332A654469822E08124F823332E83C27D8 - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A -CT = 59D5A45BCBCB33AC64E967D9AD5CE4A718950352A1D41E - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB33DEE6DCD1C1CE082972B91F6A75703729 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB33DDDE87F0DCBA92BA34E66E1AF31D509C - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB33D5C4D8EE52C316120B0597DCA4A3AD55 - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB339BE4B9F169922D666BB262AD67E16E5F - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB33F6478B124FF653EF1C65BA94CD3A66B5 - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB33DFEBC4DEA9C49BB6980B655C998067CB - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB33C34451C6ABEB953AB438F2979F7FE592 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB33A29B79299D6BFB97F36BBFCE4AF59D3B - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB33E28EAC8FE42E2ECBC0857D4247B94979 - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB33D8DF0FBAFB01E0D6499FF559D126C387 - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB333D0E7750A9CB528FD8B554D40A07F418 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB33FA80EB5DC8732B52E3CD134291C54239 - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB338DAD570E293144B8F4CE0F5978C188BD - -Count = 257 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB33FB9EE9C321B0D980005369CC49CFC0A7 - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB3378D1B55FF464EFF144407EC54817938A - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB3312A6FC3A0318473522B6A717DAC82E82 - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB337B5440AD2166CB14CF975A79993AA04A - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB3331A1B60E3B5076EEA7AA451F1E073A7A - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB33D519A952EC5E39A2A7471D3CD6BD4635 - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB33FE62E76094A94460DAB6B4C3FB26E584 - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB33701A5FB2B9478DBAF911AB5AB00041CF - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = -CT = 59D5A45BCBCB3323F574421124643678085676B85AEFD541 - -Count = 266 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00 -CT = 59D5A45BCBCB332379A97FD4BAE5C8ED4E520DD67F896FCF - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001 -CT = 59D5A45BCBCB3323B5A66439908EC4D7CEE3A6ADB8C0C865 - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102 -CT = 59D5A45BCBCB3323AC60EFF1889D871514A14C5E44F0FAC2 - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203 -CT = 59D5A45BCBCB3323DBF83C5FB9C68710F59D15F547078E36 - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304 -CT = 59D5A45BCBCB332337ED1E073DDE88038005869773B37311 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405 -CT = 59D5A45BCBCB33235CE19497F5FF125C6DA847B32801DF69 - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506 -CT = 59D5A45BCBCB3323288A43032F17223D2FD918D8FFD5AE32 - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304050607 -CT = 59D5A45BCBCB3323415DC52F4EA5B2002EA0059CD63BDEE3 - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708 -CT = 59D5A45BCBCB3323380B8068B9258DBE9B73BFBD97F0A464 - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506070809 -CT = 59D5A45BCBCB33237D56EBB4FFC278240FB53EAB882CB278 - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A -CT = 59D5A45BCBCB3323EAD96447DECF5AAA74BA1DE0918E0651 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB3323A9E2EA0B07D5AD8BA80F873908E20892 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB3323883D3483C695E54F646AB68FD8F99F75 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB3323523997B8763DDFDF05B2B323A0FB6B38 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB33237811C24BA10CCB179BF957691E466076 - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB3323F1E4AF398E737BF5A6DE8EACBDDC588C - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB33238B109D9F6531299B6F4D58A7961B93AA - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB33230DB7AA1101488C3111D8DA41AA71D8F7 - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332385022F2B43DE0780EA8C5DB09261ABA6 - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB33239F24659C1C2F33114FA107616FE964D6 - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332321E1102FFEC3043E902CDAE7499A1B6A - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332333ADE1FB08F779750D8F7564325E8A72 - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB3323E307905D47DE1BBC52267D13C426D7A0 - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332369BA3A45DB1DA5C91BC7ED17C6CDC9EF - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB3323658F485615353D9485B7AA3B63507C7A - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332351F11C2DCEE220DC5EDC72BFA5CABA43 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB3323AAFDF1AA8DAA4EF1593FCBE105ACD5E7 - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB3323ECDDB52C1AA3CD3835DFB79D9A943BA3 - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB3323EB540DB9E22B8BEAE877083560E6CEEA - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332308FFAAAF14DE1DE29A4EF41020BFBC70 - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332392F476E13F3C73DF9495D71243C4A6D8 - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332369FA4BAB5ADDE8AC4E4B51B6B1F0C202 - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = -CT = 59D5A45BCBCB3323113C388E9C3721C8A7B2C4969FEFF3AA63 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00 -CT = 59D5A45BCBCB332311CD2E1E5F79E71E1925A05A11D16B4775 - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001 -CT = 59D5A45BCBCB3323119EAF7CC5D90E4E5DB8623EC21E506503 - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102 -CT = 59D5A45BCBCB3323110C23D877D1073DCA471D793D6C0E6C32 - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203 -CT = 59D5A45BCBCB33231122B16C10ABD628D71A8C57FD4AE47E04 - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304 -CT = 59D5A45BCBCB3323114FBCA31A1C5387D7B56A1CB2FFA784AB - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405 -CT = 59D5A45BCBCB332311BA0685737068BA90E4150499F8F3AC6D - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506 -CT = 59D5A45BCBCB3323113A579978CD770868296E7610E08C4FC2 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311AF8CDAABD06AFD7CB72DFC272BE4A673 - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708 -CT = 59D5A45BCBCB3323112BEBBFF4E1D9638602FC86BAC2EC55D2 - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311A519073CE0E97C133B0F31D0E25AD3B7 - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A -CT = 59D5A45BCBCB3323111B63D2874969E18E1628DAFAB4AD84B2 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB3323119BF9133F4D4FC203D6C515A32E27A8C3 - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311A2C8ED6F5FEF24B39C5EC1DEC3C364E7 - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB33231187BFE56986A37A08BBFE786FE6BF3B5C - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311318223BB0A40E7DA3CCCAD8C60476448 - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB3323115E044359C57896C12481DF1435A79FE0 - -Count = 315 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB3323119BD6D6345D76EF4E87DC7983499D07C8 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB33231196E1CF74AA0E6F8FB514DCF5FF83BAC2 - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB3323111CC8CDF138E83629396041C9983F6321 - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB3323115BB887644ACC1AC1E501E22E123677EE - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB33231175192FAACE24BCCCA97B7495C3D52537 - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311F6DB1A34B640DC5D7ED3C7764F7AB1CE - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311B2A7879AF84B6737A343C29AD58F2F69 - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311B88E3D3615E26C3B30CA43735142C206 - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311F9A8D6CA7FFC59FD5F568A9F1D380042 - -Count = 324 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311E7A9E5A71F9DB6929C2063664F36B3B7 - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311BE43B3B46E8F5D3EC685F1A2E0A244B6 - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB33231175F57510CE8F618F6C932AC306278E0A - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB33231121AC122C1EC405F4D43C55FFCFD779E3 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311C0A820CDD54925A305390066D7A6A7BB - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311EA06FAD5176074DB7FCD5EB08F861117 - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311CD0CA4178AC9DAABC82793C4741BBB25 - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = -CT = 59D5A45BCBCB332311865E5CD84EC022AE77A3ED9B695065B5D1 - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00 -CT = 59D5A45BCBCB33231186F0A539447CBD46B5D116E04514B36A93 - -Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001 -CT = 59D5A45BCBCB33231186CFF36CE46B8112E211F2739590ED7B4F - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102 -CT = 59D5A45BCBCB3323118650EB9B1F804D8DFE420993410DCA33F1 - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203 -CT = 59D5A45BCBCB3323118634862D6A0A7FF55BDB2EADBC1ECC6F14 - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304 -CT = 59D5A45BCBCB332311868B4A5780F6BB0A6070B938121E0E52A2 - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405 -CT = 59D5A45BCBCB3323118657290D778F9129BA9C79F7017D059EBA - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506 -CT = 59D5A45BCBCB33231186ABFFD5A3F8EBFB91BC01EDC2F7B51417 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311865E0A8635F005BED24554A9C0FF55FB6C - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708 -CT = 59D5A45BCBCB3323118605145FB719D677D5CF561447135A82F9 - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311860471BC49AF1DE3BEBE131AD5C317E7F3 - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = 59D5A45BCBCB33231186DE08AB286532D689066FE4A77ABB119C - -Count = 343 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB33231186ADFF40A029DDD55020F58869E62187AE - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311862192DA16558F283C7E784FDCE8FBBC35 - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB33231186C493993096EF2B4CCF7D47468C9DC4C9 - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB33231186B059076F8227189FBAA1F8B21EE2E1ED - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311868EAB2C6FDD3D4B6EEAA02299E3B337BA - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311866CCA79B2AE6F6B7A168221EC17716ED3 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311867C4A66BBBE5ED2DDB7F96270AD931CEB - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB33231186791442ABC4D8BBED4D816990B2446314 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB33231186CFE15E09BFB2BB44ECA53CF5C6753951 - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB3323118668B9561CED118C60FC520532F06A8C18 - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869FB43CBDB736D6B4A35580A00C32064B - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB3323118626293BCD445F237082815963F1DF96EC - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB33231186906B2F46EE45E35B94A4EB6B56A79440 - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311863E61DF25FEB4282985FBF6D4D273898B - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311862D11C214DAD0DF4740DDC735A837D4FB - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB33231186B3E167867A6CF38B38F5F7F63D6DDD66 - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB33231186DD1FEDF5BFD162AC59DB3A3D068844B6 - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB3323118688279A5E9EAECE2F373423781A75A25B - -Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311865EB79FB55FDAC6AAB6FB92D9681E4A81 - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311860C461755100B19C6867DA8E3FB9C4FAD - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB33231186B1849A6F10526FD1912E77E70C3A4A3D - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = -CT = 59D5A45BCBCB332311869B5FF1FADBD2CA07A6FE825F5859AACECB - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00 -CT = 59D5A45BCBCB332311869B44BB3CB56D12AEE3D7913035B1192988 - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001 -CT = 59D5A45BCBCB332311869B7D2C624CB0ECAF428C33DA09F9EC24C1 - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102 -CT = 59D5A45BCBCB332311869B8B990B5AA75890A3D3B61446CDCEFEDE - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203 -CT = 59D5A45BCBCB332311869B2A28679D8F2F0B97D4C41309C2F94082 - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304 -CT = 59D5A45BCBCB332311869BC30C4BB61AD467D5EBD74BD1DE855E10 - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405 -CT = 59D5A45BCBCB332311869B193C68B9F05E449E6B7E880F1D1DF2B4 - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506 -CT = 59D5A45BCBCB332311869BEE162CDBEE92D23782439082FE7B2592 - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B017843DFE7C945E99A55887E77E89BC9 - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B4E9480166899C9A09CFEA666905DF709 - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B2935986BE2CAC7819F7D53DF700D13C0 - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B93D5D97DE390B27BFE4435C883DEA20E - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B1CE3EFB78FFA6A8EDF4A9E1B9C6E7B31 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869BA852004340108FD32DA03DCAE20C9C65 - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869BA67E2A2251C0FE0F505A53D787CFED42 - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B3CACB0810D9E33076694C2B62580A903 - -Count = 380 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B9A536AC46174C3E10AB52E0001F86884 - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B844F14C2019FA5D55A9E92A2F90300B3 - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B16414A8B5F8ACB40CFEF2758FECF5F66 - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B11F03C9208B253EAFF894E3065152C52 - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B581B7B7276769ADE2E45380098B5305A - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869BA6469B98CBF911D8902E335FA0187BAF - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869BA91698DF5FA6DCBD2B4419F193427E25 - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B523C6B6F120888913D4F680F1774FCE8 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B40292FC7D7BD760444C188786F7BE21E - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869BCCF061821ECC83F54F89646130839C3B - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869BF52994EB62C1F7E2679A5AAD469E17DD - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869BBA0A289BB73184A1F999E7BEA3822258 - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869BF983A95A36DAB9FE693D120B52567E23 - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B7DD2DA665180DC04B5C68AF59720C250 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B60546682EAFD3C8374252659E854C87C - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869BE9160DD3C4E25A771BFF99841543D67E - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B8CE4EEDCAC560D85ED1012D16636BC36 - -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = -CT = 59D5A45BCBCB332311869B73A7A25A7264D414F33556D3FCF3F64E47 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00 -CT = 59D5A45BCBCB332311869B736D7759279A9F40807CF990A0B83C95C2 - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001 -CT = 59D5A45BCBCB332311869B7351330DEB43C3E982F8D7B4D036DC9341 - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102 -CT = 59D5A45BCBCB332311869B7312E1A662CA596F32981B3708EB50E9CF - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203 -CT = 59D5A45BCBCB332311869B734F6913F924F98AC20FE8D970D3D1FD5B - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73C100EE132BDEDC5D26C6313E4E2C9F89 - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73E8EF11D9191101EAB150F29BEE1A18E9 - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73239698936E9B4D9B28506B418F10E54E - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B7377AE8FE0CCEB40CC42ECE2685A3EAB2C - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B734A043309354CACACFB1086115AD11CD5 - -Count = 407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73E52A3FD0634E70CC29AAF1E6375E94AE - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B7392C8239D37733BE3550A1F99024B723F - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B734FC843318DF98AE655489A9F76A3D64E - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B733086371EEC30D979CE3D7981BEE2864B - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B737CE4727FBE4164BE2CAF9E7AA4E40D18 - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73CDE6937EF1E7E8F272828325D0D774FC - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B737883196D572FEF6AE26249448DC074EF - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B736D1BAEC7D42263CE6537BAF0F10C3FB0 - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B7375DA8E7F851F06E63B5E280CFCDE76EC - -Count = 416 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73BC07721BB9A04EFB11D2842E524BE133 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B7373B2364E7C44836359A9C1403AD5B9D8 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B739897C52302896546AFD6F153652B43E8 - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73609D7613E6EE628122FFEF14B2CB072B - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73FF9755048F578D30AC7CA471DBEE6830 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B737DEE9847EE937082E8C19208A4371C3D - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73EE6A1BDB4F1256FF282A242B5668DF7B - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73801EBC9006D34F3D1B18178D70A5E947 - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B7395EA6BE436CD10C5F30D5F6643C6CF29 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73B6E94DBCC8290B8F07DF573549560EB7 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B733A80A3D4900DFFED3D9134272F900F8B - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73C627CA4A5B1936885584DE1AAB1D39A1 - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B731D96DC64615AD43EE7C2CD34ADDFB021 - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B7390E20A274983479F5970F8E0E28D653B - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = -CT = 59D5A45BCBCB332311869B73F6FE1D93DFA6060D98F4F980DD413A33A1 - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00 -CT = 59D5A45BCBCB332311869B73F620C8F03FAE6F84726A803519AC3376DB - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001 -CT = 59D5A45BCBCB332311869B73F67B67C75CCDAFE7B20A8051FA8C3DAD70 - -Count = 433 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102 -CT = 59D5A45BCBCB332311869B73F6D22C779AE9CCC94B56DE5BE73BD9C636 - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F632C0F9B22D8A68741C17AD901226B0FE - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F609A4E965DD7A6BCE7DAC91C6F1D70982 - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F6387CD01B130C619B650A670002C81AEC - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F62F96A0545BF4D9B7458A5DF0533811EA - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F6AA51BFB7F69B785A156C6DDFC8DFEC18 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F62CE895E2D4E0D69B41425A1543CA6811 - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F6FA7F1CAE91CD34CC53BE56E0D34E07CE - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F65ED69E2CE861A14CFFA8B0C3B65FA831 - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F6CF3A3C05E8E6F6ED53507552B308FC26 - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F6ABCB812EED5C1101AE8681145CC30687 - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F6F0BE4FDB7E5956872DD8F3FE6F13AC08 - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F6A47775B7BACA8488B0B263686C9AF144 - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F65503ED07F1ACCFF41E27C9B991291439 - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F6441C83882F2F0D03834628B1A0BA0D54 - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F63360648E6BBC90398ADC00D0B39BEAF5 - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F6938EE6B255A919D7CBA4F834B676A796 - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F60A84606DEE86C41DA18610B5C1ED0138 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F62F00952A9E789C49D2E291A0D065BBA7 - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F6107862AF28A9BF80C0D82D3AFFE71076 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F6AC78F9C1814C072FA96802C5B39BA6BE - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F655E4C12A1AAAAE829679160CD838EFA3 - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F64DC075DB78AD01F1B13875D7E734880E - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F63F06E4E3A93EC57A47167188BE718C0F - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F6AB2701355DE5E46608D10EB4FF8B7342 - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F6CAF3C7A6CDF0932AC19C2340B0E09250 - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F64A8AA115313D09D003C66434606AFE44 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F64B06EF2064618CCB91102AC92EF1AF82 - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F61735589387BAB3D664464EBD5C86EB86 - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F601C58636E0C0B72B91F653B0EDB31309 - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = -CT = 59D5A45BCBCB332311869B73F6334DE0568CE014549570E2F081918B0A3B - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = 59D5A45BCBCB332311869B73F633AE38D3D8246B1701D048E257CEA1B0D2 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = 59D5A45BCBCB332311869B73F6334229ED5409D6D658270428AC3CC0FC34 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = 59D5A45BCBCB332311869B73F63388E804D101C1275E396D697DBC062D1B - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633F07B1DCB028A479CBF3A679C703739D8 - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633F657656C30AA1BAC922922A1267FBE68 - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F6339752A9246F19517FC5EB0C2DA9663100 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633C0200961AC840FB1DA999226101A038C - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D70D3295B909BEAE83820516625F4B4D - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633A202E5B4821104B0306674A3A5B35C3F - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F63393C82D05B933CF8FB2A3E8BB745B8435 - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F6337D48A50AC8947CFC543373E55C52DFD1 - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633B87F334A6AEDB89B6A8B0E946A1A7A9E - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F6335A4B138EEEE8FAEF62D4F8736E196024 - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F63342D47C386A1FEF63592506E415447F5B - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633E0763FEAE68FFBC1236923C9E9CA27BF - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F63335590389FAA84FB0D4800D02043BCA14 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633CD81D5E77857A8B4BB8AC92E97C79817 - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D3ED707149712258D0D0E709AF38274E - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633FA32584E88D204ECFF1278ED73C08461 - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F6334B87794B0C2DE094A5D6CC9FA085EFDA - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D7F5352F457101887C5C8A44CF5283BC - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F6333937C458B396B8E66E89BEC0589E49FF - -Count = 486 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F63326AC603E185D01BCE424E852E4678863 - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F6332C1FB2AE7ACA2796A931A1F4A61D57D7 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633AAC3BA9BB9BB5973CB8C81CC33F09FBE - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F63397B4F5C375D7747907F6739AB8D1179E - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F6334450E0357B80D6A71D2BDF117F569410 - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633849E128F00BA07E459495D73D3D5C086 - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633BC6FC726625402C8609E9BFBBC54CF70 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F6338AD09FDB9A40EC1870DDD21D15CB3137 - -Count = 494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633AE97C8948957FBC4BA21E635DA9D985F - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F6334148F52B5B12ACC663C907E690A7C001 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = -CT = 59D5A45BCBCB332311869B73F633D296F3024622D027CB81522C46DC851E75 - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D24446F7E2D22D067948C3A3C5B988E223 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D2C51441C87358C20D41D0358B38F6C13A - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D25DCAD1B981F960774430B8501E510057 - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D2EE7BDDCF96F4E36D033FCBEFCD11DAF4 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D24ACF703E6A59A074ADA80E613602CEAB - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D22B8517A2E344F527D9F440C80C1FE065 - -Count = 503 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D2363724B4FD865BC72FFA5427CF49CC6E - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D2BE6AD4EB94720DA89EFBBD68A0ED7FBD - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D297DFAF27063D237CFB57A32918D48085 - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D243362CE953DC9F7EF2260AB269FA958D - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D2B879435D9E7466B0878573F7B7D63B09 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D275621A3832FF3C6FC8D6D84A16703214 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D2015B635BB15B2533C18305A6D4FDF9F0 - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D2BDC771C361F2355FBCF22F85E1844A34 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D2E86F7C2AE9F637C3B5FEB1512CCDBB22 - -Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D2684F9E07543EDFC234B5F7E8616DA254 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D23EB0D1C39A1F3251128EC775960288AB - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D2C5DBA728DEAF45ED5605FD555DE42ADE - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D24CADFA27381995106831D05D56B769C5 - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D264C50BFEE713198715A31514D5FE4928 - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D27B651393354CCAB0ACB0B88B4318FB6D - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D2D2B206BA83ED665BE32C465A0C58D87C - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D2588DAF8171E755F667DEA1A291A9C9E4 - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D2791BC06D2E8CA8B6F4F2E545A73DEAD3 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D2DE43B5CE337A064C5A500DA8FDD19A2E - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D246E33A3258DB4609E3DFF04D44159EDC - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D215BE261CE3D3E417F225A54B3E587A4D - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D2E1F7FD290661D0B7457CAEA1B2EE0D77 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D228C701003DEE3E34642626AAE1558FF7 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D240B43E8CA4ADCB5A9FE3B9AD39501562 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D26DD2679F0DCBC54BC36C2C0F775EDF4D - -Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D2F24135A37187E909CF2688694B68BEA9 - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = 59D5A45BCBCB332311869B73F633D296611099FFB698978069FD5E0845644420 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29630E57C78EACDBA987FF51029262A8507 - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D296A7E1C8791E781C097897C1DED82425DA - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D2968DA6117592FA1F839CE278E962318DFA - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D296EB04700EF178B0BCFE4D96E8E5E14B84 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D296E714ABF91D2B5B3719C3B2D46B6F7376 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D2969197856B75CF80263797D5B1703C506A - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29610890DD7464604B1E564917D8BD6F4EA - -Count = 537 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D296DA458BC12F3F72596C974BD751594357 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D296CFAD2E4988301D38C8C8205C01B2AD46 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D2964F9D145375DF6688EEB35CA9875C8C92 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D296837B158D1D0F9C633857E1DD715DBF82 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29602B3459A7805812649326B0D39FCCE5D - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D2965D29A1836125EA8A262501637336FA47 - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D296F483F7A7A3A9548025A71A167A52E85F - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D2961B23B1A3248ABF7D823800BAA0D2CD97 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D296C4F7CA814C0A3BDC5400098E27EB4849 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D2969B850BC35383AD7B6E0D682F851515D5 - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D296D472FA693BB82A22C86FBEDD835761AE - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29636865F7BB6F7977275CE7E26E9F05DAC - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D296EA5C085395C885C982709AC46C34493D - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D2967E94140E97AB11E747A862090D05916F - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29693382FB1D4AD466B29116E286090DC29 - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D296774DF015D4CE063CB0D35A60F5AF1654 - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D296EFDF5A68927985547EBB7F01726DB3EF - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D296CED5BC10DD64857148859C73B22F427F - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D2967B20D3985B91305D5467A91F0BE986DC - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29658C96D52D6FB94ED6C950AD922A2C539 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D296C1B9967148DD6A0125C7579E20553EAB - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D296C688CCF7E1FF3859741BD40FCA7582FB - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D296E50A9080FF289C8BEB76B7936B278F93 - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D296428CF87567FD908474B4D493B01B0132 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29663F6326909EF7A7391AC2556956B1F0F - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = 59D5A45BCBCB332311869B73F633D296067ACB65E597FBD9E744FD7B99FF37B38B - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606CB6AC7DBCE6B36B40AA9539FA388B593 - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D2960623540F70591FAE6448147FDAE9CE2B33 - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606708515A7CBB0C24A840CE1DB199FBA66 - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D296068307CF81EB7C7BFBA8C3B9C4582750DE - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606F83A353BBE50A528D65B30C399FECFD2 - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606FAB38D34DDB648FB900CE9B30F1182E3 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606E9261A92ECFC25C673DF9418ED2BBE80 - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606049AB451BF1C3554580FCB7E22C5742A - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D296060F2DAD7FFF44DDD0DA3D4C27D315B3F5 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606F74A1AB123E1F6D09B8E3490D7650580 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606EC56464D47D3F2E0D3B647A38F092734 - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D2960685E97A49C961A83C7B46DE0F7EEABAD3 - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D2960625B415556C41F6691B7D428F83DF647A - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606000F1AA87ABC36201A39A63D751333D8 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D2960613643188C52749C351D1AD2B8289817A - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606BB553CF05AB5841D14124D03ED3AC7DD - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D296060162934612C806685D9E9372A6A36F15 - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606A9E8BD5924E56E756F5E242AA6ADA013 - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D296065AD1EE9925A7FD0843B14568E1DCFB2F - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D296068B919350CA66FB7BF533E5ED6C73526D - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606C6784E02B41B9152A595474BEC0F5B27 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D296063A504272D51D0028FD5C9E6372EF6302 - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606FDD61B0F6F8E2B962F1697A4F14FC74B - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606CD0844B0B0DB6B28893F10BB1529A40F - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D2960684D04FD6E0FA72AB44CE934EA966FAAB - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D296061CFE33FE3625F7C2C47753EA96C57EAE - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D296067BA0AEF8AE30099ED1C4BDD7D8C67AA9 - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606661910E645240283A7EF525BD721D976 - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606C0AB629C14AE443D27E97EBAF60C48FD - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606281E972F95FEFC023F2DBCB4BB5C07B1 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D2960671FCEE54BF4DA4C39DF93D07A7DA10BC - -Count = 594 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606D1AE3F4E8EF6E6E609A309B99671457C - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = 59D5A45BCBCB332311869B73F633D29606057056A250A23EDB921D56862CE72C22EB - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D2960605C165CC3F6044C8D7206CAC32F3EBC9B3 - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D2960605BCA2B7892A4E86E03165289707E84BC2 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606054846EC42894AD10E4A9F3F5DB2624A41 - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D2960605101C513E2342F1FD50F7F7F659259343 - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056175D6CD0DDF5DFBA749CBEEBF37606B - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D2960605774BDEC64673F73EF4955417593A7561 - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D296060540A2EDC5EF70BC355D0DE47FFFC36473 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D2960605B7222ED16397596EB7A6F50F8FFC05FE - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D2960605D5C100A3C7D56019465558A4E26E0F31 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D2960605A0B3C52D04F85ADA20AD0C6F881A5A03 - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606055153F3761749C8CD914779D516F316A6 - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056BD12DE38E2FEEB60118B630A9528698 - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D2960605A4FCDD045F0BCFA37657A8FEC531863E - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D2960605E33EF60EA132CDDBF8B47D6CE578FBC4 - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D2960605161653BC74BD798A02A7B3FC25A8CE1D - -Count = 611 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D2960605436DC7198F10A45E9AC1DC89C44C2EE9 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D2960605C86B6E1F1750EE3D8707DA76CC779C07 - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606054A1919A258F4B9EF3F7D874B2147EBAA - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D296060518E4703DB8544F65285C58173E6AC864 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606053F833FF84C4AA956C4C80529F5B01357 - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D2960605E24B09858728B4D01697D1663F350B36 - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D296060580C576E251EAD85A3FB9F44A49BDAEAF - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D2960605C29738A2CFB4EC49C67E4121AA412579 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606057219359230248B16C7D1BB772BB8E709 - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D2960605E9B9F36907B15FC09317A40CA1564C86 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D2960605E32BBEF80BB1931669C762608503AD22 - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D2960605949339B5D789F71ECDF251617B300FC7 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D2960605E2815EFF65B6FC9A199DEE449F9BBE6B - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606052139228F0E9BCD141465E4C523A4A6FB - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D2960605E961966ED7F2E082984B85B28DDF349B - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D2960605184CFC6889F072DEB873B0A9DD4B45CF - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D296060566AB4D20813BCDB87AD827EBC4F9EA41 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056BB3B3EBD8DB2FBF17AC367F425AFA49B3 - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B79F4426721819B8D762B8A212B81445D - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B7D05036C16BD978F0B531F5996FB45DB - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B03C83AA779BE3A5D227FA13AB0F611C0 - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B55BAB4A58CA12A0DC3B9CC86ED347DD8 - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B05AFA303B0AEC278310C9BE526005371 - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056BA6F8A585FC0284506443222D79BF1B32 - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056BB9026EC322D8B3E6F4F9A225A1DFE9AC - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B26DC4C0197743E633E6753A8CFF79E91 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B5C874E4C3FF519C7CEF51D3C4FB072B7 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B16CCB787D4EA58DA9795A040B77594F2 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056BE7698066A09C844DF7CA613A1624E6BA - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056BDFEF401578013DDFCF46D860AEE79CE2 - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B3B63B5E313F74623CE3A3019C239DBAD - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056BA5B5597C65677D4FBC72D7AF59AFAD7A - -Count = 643 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B633DCDAAB4742D7B7F655D9303D811A3 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B532A88BFE6C374388C4113224F761A38 - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B132B6C684E89D4BE497BBD385B0BC2CD - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056BB3EBEDE32F084F657F858AEA9E2AAD83 - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B59C8BAFE27CF2F289F2693927BBC8EEA - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B7D0C6DA6A5AD25D6B5267F7DAF39F7A1 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056BAC7EDA265A9A064B8FDB2B63675B415D - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056BD10F5A42604DB96ADB7F4ADE13F93B65 - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B7C1211FE1CE4873523933173FC2CC6CE - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056BDE0A622D1652244EF4959EE36BD06ED3 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B54DE826E91D7B0A1C6E50DCBDA60133B - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B202EC7D8E41F0CECCB8DB95CC01693EB - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056BD09B7877A69B8698E69613921031B6CE - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B77AF64D52362039B9C4AE1C522546954 - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B3B42A14E7C5F0EB43EFF24B8C4902BE7 - -Count = 658 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056BBD7033496EC00A3BAC1E4A9243214CB7 - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B9D0227143C58A7A78E323362794F52E8 - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B4A13BD8C080C47B0B17E3A7BBBC2B83A - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B79C88E4D2E44100ED8CA4F76A3E2006487 - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B79C39C84F63EDA23230A27EE8A6153A002 - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B79641FD520FBE27C3D8B6C4A7E301F4910 - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B792E1145F2B9A694FE959D7BA7EE83FD87 - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B798AA3D09083A0D6818CFC620ECCB24D09 - -Count = 666 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B7995157146E88FDBA2053F60A04F7A7E79 - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8DFE69DFB7EEBF363401A08A3EAAF8 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B79875015A06879D4C2D941052E4B5EF799 - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B79E0BA3F8FF8A3012EFA2F26CA2DB997A4 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B794CB9B23A634E2B0F200E4F3D7C327C65 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B794C76BA58265E42963CDAA9091F262799 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B79BE009181E4F093AC9217E72E81B3E9EC - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B793DF7D3C6716D3A23CA4D9CC0792D5B15 - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B79586E4C07660F9878E08E9E1970059D57 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B79D0FF309EAD7E355F5FD97EE9FE7BDE55 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B7969C73C164D152EF0D711030D3B47FF31 - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B7914ABBA6DA27B0148CCA766BD5778B89F - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B79EC1C896F355F72177FD9AAA017B3C123 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B79CADE04ACEDA4C7996B0F8A340F9BF07E - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B7991C2A2EA021B2576AF8C9BE51F4AA490 - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B79E53BAA4706D379B58A908E0025A7E246 - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B796BCDC2720C5C5655B48432F1F60DC320 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B794E211A0059A2DA2A03FCAA865CD92960 - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B797C001DF4E0CB30BA508F75970DB90324 - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B79CC8B5947C9024580BFD58558827503A5 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B79E7011E7100EEB45CB80B34CD18109BE4 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B795FC7E7CA6229D7E85476A7EE574DDD20 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B79F1801020202A558A77AABDFF760F5B9A - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B79241D37653EB0DF83C8C8B611610B7654 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791837DE34489F26310A7778FF867078BE - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B79340BD973C05D1AEC9EDE8C9622948168 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B792B8D7CD9BE53A57CAFC18D35C1D59B23 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B795E8AA842BEFAE650C20B1D5980272B4D - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F5C31C153756BE568218BD7554A559929 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F1E37EEBB74277A2A1558029AE1BF6C48 - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791FB51646EEF0B07EF0F865E4924540B1B9 - -Count = 697 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791FB81BB16B92B08597BBCF8F3DB29DF7B3 - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F59351D6AD1BB0A71BFDFC26E3E87F92E - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F64283B6FD57090190643C739BB6EFBEF - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F590032F4277BF9E77CBFFB3C76F54A87 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F350C184AE4BDFCB0055F1716EE55D396 - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791FDF9A353E0D23C301FF79D6851EF2F875 - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F6C6CA5E8B8244C4EF182E86EA3F3872E - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F810DFA6E2A3376481729FA442E583642 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F689BD76F4D52BD463E033EB8A3C6DF82 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F17C63F03B0CD12C826BB0550D7BA5D5F - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F2F3C34F24697889C5AA82A906B28F119 - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791FEE3A8452A56A7B91F23A92A8649CF902 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F139DCDA1B24CDC0935316C46B28BE1EC - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791FC68B5FD54B65AD663621368FC115B4C4 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8006EAAA7E12613C390DA8528EA0F247 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791FEB22E4C703877931917616985A277A34 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791FD48C5FB8B1295F8A93378B3B4DA60343 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F633BAB8F84AAFE31846C9A241DA98EB9 - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791FC0D02117A06EA5F647BF93BDBE3678A7 - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F38785B21AE08CAC9AE34354F9F84B087 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F2DF485E52066757D4843BABCBF44C785 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F9E81F7FEB8E8BEA325F7A827020FACF8 - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791FFF8F2F3AD2DF7FE7EAC60C010C357228 - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791FC7AE780517B7B518ACFE9E64B368E117 - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791FF1ED7E89269AA35A44B92177C903CB18 - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8F055C247561562B80669672F4668175 - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F71CA3DC6B18617C8CE067E5C6C99D2F9 - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F039E81466335CEB8C4BA6EE1FFA07319 - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791FA7D66794380AA14FEFD0C0567800BFF9 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F91DDCE52175D6BC80A7C011728985A21 - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ADC1B49E13B54104D57C78875FE44CDC8 - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AA4D93128B035E0E78E9F4C8C61678FF9 - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A8160CF2232EFAD0C57431CD558DE548B - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AAB5117015CB4986A347F1F81392485D0 - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A85AA8B0E9A0993EB201DC3CD1E28A92F - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AE288AF11B290937BD9D90628B65086A4 - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ABCD5575F4CFD9B451CF42FAA86214A4B - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A52325EAACD5AAAEF3252479F297FD2B2 - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AF6E90B760B5354085B59588DB76090F2 - -Count = 736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ACA73420DDF4A1B4D7B9B10AF04AB135F - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A1FCC26F730AA3B39F61BD575CC0EBB41 - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A0151AEE176A494F63A6B334CD0436DEF - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A410DD32E3AACD2E67C17A0132E647190 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A2C5B5F0724337811A59C06786030B28D - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A7807FF0E7C0944EC48ECA801A404BDAA - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A11F7204A6FF8AD208A9F9541893B7C33 - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A66416A384CB20AD58241B81AB47E39EA - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A3FADCDE576B986663D6133769C1900B5 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AA8897479F5BA6A4912EE364239DE75FA - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AC3FD7B5538F645664DEDB9D2BCCD4F3D - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AE2249A9202B50347FFF46FC6213BA193 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A125FD011499F0AD5BDB2599364B4CCF6 - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A12AED98FF1712BC825D0C1844FD6BB1E - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ACBD996B4993C78842D1F2D90FD56F3F1 - -Count = 751 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A966DD3DDB5EEF6F08B434AA0BD69FC7F - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A2D561B21EF83FC69BD88912FBA534D2D - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AAA4E30D1C923ED99CACE89C8CA4BF84B - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8AD9440361DD91CF8CE4ED8AC6E45E5F39 - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A9C70F7A013104347A921478684B9F87F - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A4E43BF8EFD107690FADC0A44A6E74C38 - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8ABCB7B9E35A6D333E24BB32FD12BEE65D - -Count = 758 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A38B6F5577F16E3BB1AA3DCAE7622808C - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A2AD1B951B8F4E9C516BDD281AD922347 - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6855C445AE9ADED7CB7E8D20491A5C6938 - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68496CDB7B8747E922C11DD4C6491110B5 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68EA11AB5CB3A270FAA8C44A858155941A - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68262D7C1F82C98E20E6F586755F2DAAC4 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68A1B83E0459884A488786CE2B1559F3BE - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6861B3DC7AF667E7AE1647B9517D7BB330 - -Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A680B9C03738D219A5E8CD8DD170DDE8BE9 - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68E1602B8F12A5ACF3682CCAB6D4344310 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68A573619D6392301063EDA5137E97213D - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68C01C13E459558D889ED015F8015CC604 - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684B38BAD0C7BCBA0E061BEFDC9E40232F - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68F20CA7C894D7CDE7A06B357814696787 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68AE62F36BD3A331DF1FACE7256195938F - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68AB8067C67260419A060D27E9FEDE5139 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68A8300812F84CBEC431D127DC0DF78DFF - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A680E79D0C56D1CA75C450DD3BA8D1FB9AF - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684F18288321FD576D7464466D4912FEF8 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68477EE60F775D4BF463219C8FCF8CCBBD - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68BD5DCE3B4E08AB1C9B5013389807013A - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68C65F8F81A4087731A9BE36FCD9707245 - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A689FC9C05A40F4165F995814B62BE1FBF6 - -Count = 781 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68ECAFFF63272936370814A491D1CAECFB - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68FAAD94E78E738347D0976331AA577F3B - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A688776BE7EE7698169750266132D62D7EA - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6886B18BAFC86E06C2C4E80F158E23BA6C - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A689EC4C8F24CE19A484398E82D6568DCCE - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A687581B1C02B3308AA47CDAEAD68F7CF2F - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6864EB7D14DBCABEE4FD7B0C5ABEB2540F - -Count = 788 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68B427D215A614AA3D789B8F216A4AD7EA - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68A1E5F258EE1527FDF0C21D18AB5E59D3 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68E0B99B58B0BFE3D88763E82F9490A067 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A6829F7A214BAB785861F99F325CD782B70 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A68380184E0CE69F1B778AD5ABCF64D7910 - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E57F02139A9C6FEFA14D65DC075603589 - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E6D8D29E6F81DFD587AE224E9976E406B - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EE61AB56E974052277171770E5EA8E6BB - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E72086B56B92547803D9683947D14B99D - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EC63EFA8812EAFE0D98D83CE0C7607F4B - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E97D2AA634C91C61DB4478162459E233F - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EFF98C98C6B4241A47C951AE16F0DFBA2 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E7C048EF6C393CD30AB60CA8B48991180 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E5359AA4C8C33E36BB302B22025F09F6E - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E067A5D3FB8256DA746308E9600B0EB3E - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EF16646C71355651E635739EAAB24EFCB - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E8576CB3469DE66023440B47DEBB12664 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E73301B32C456F84CDDC84A3641F37E5D - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E7BDCED94850BA717564D3BF13647A135 - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EC02AE6715E172023F18F5F5670975078 - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EF759235BF865A8200C2501EB32B6DA6A - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EFFC0A5F0A8EB6E003C45E67DD1DE502E - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E019494BB3FFBCCE0DB072A1BD918C88B - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EB8CBDB5399AFB363CA6383765D9AF980 - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EBC67F1386980BE1582914B6ECB7F448F - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E0D99473A61D123F28E09C4306D94841C - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E33EDD7322E394679DEE6AAAC89A17AA7 - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E8E00112254D036FABFAD46BBE9DB7199 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EBA3290F881EC8B2CDDE9DC6082670821 - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E2553217F2195066B6F9EAFD049DB2AD4 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E1AAEDE3476410A78C1CBE67D479A46EB - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E477908701DC55A9971B9DCF278341D53 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EEE6ADE4AA0679A49E3696942F1A71649 - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E6FDB4F91185E10F93D7E33FDBE729CA2 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E2169D4C70080BAD7EE4EBC595BF1468E - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684EC20DE484F95D8EFEF3ED7DB1624F6BEB - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E10C7749E1DBBC7B3507AC8FBB43A543A - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E3B2FB9AD0EE4FA7D340C326C7B9D8AF7 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87AB3FE7E760507E9D474F7182487F71 - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DE5AD4DD762DAFCCB6B2164C516C481B5 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D2DFE14B19D2707FD9ABC848AD43F47F5 - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DC8A3C76B1DFE39120473F5B2B4791A1F - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D7D7AF873611726E394418EA39CB443AA - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D787A3D6CB321C683BF5BD1902A863E58 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D03C8EE310794D41D2DC6CF573338BDC9 - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DC1EEC5D5C16198B22CAB8976FCD95FF0 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D7CF75FDD033F0267609051BEF5DCF03B - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D81EFF05D0C9E0DDF602CDA3BD077D009 - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D9BAB89211E3723AFE2E50E95D1C6D281 - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D5B4E70D6B71EADD999AC93E208AB1377 - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D492EE81007824A6927E6A7AD09BBBB67 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D1F5661E018EBFD51C49CCCE128EEA40A - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DB173EBD9C716BE341B2F858EA5972282 - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D513217483CD04BCD6BC387277E1F5432 - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D117FDAB76DF8A7D884C30B16A177CD98 - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DCC3938B3824E4E93861BFAFF449A826A - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D3CD503C8BF4933A74F5ADF38329BBEDE - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D3D24C29327597CC9C15CED48059B53B5 - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DB0B2AFB71405FE8D85A64FA25797A308 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DD0B3DA545EB38F3DE0AD6A3B9DBB4FA2 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DCB439CE91591329EAAD8FB61E74D0CC4 - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DFF3D5F793E560A6A844DD51F0E019CA7 - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D5A9890779AD0BDB849A5545597E0D908 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D533F9529F4384CBFFC4077E1344DC970 - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D6BF69CA55139F16BA153A141F4F6B50D - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D503E7F45395CD51E0D0F9C2B34971617 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DAB64561FC76F017DEB8C7A38FC079D76 - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D041348C9061CC35EBFA27AE7D6E5C42B - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4DBAB39B8D1F3A5385986BC78247BCAED3 - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D1D3E44BD5574DFF0972AA1A6E62D1120 - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8882931DB954726BA3CBC82530A34698 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D873448F3A6CFC9118318E2F194C60B2466 - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87BC891241C6D70924C100FAEACBE637A4 - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8748E7EDFBEC36884E690E271A8CA4DC97 - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87D8602A6EE2B2DDD88A8E3D7390C73E7D - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87BEB9868DD060B679EF70C7256238960C - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87E0BD22CD00E084C545E9C47346796037 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D879579F5BFDF9B565E7E7E85C2F3C180D8 - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8776EA302DE67246A0EEB0016918232BEA - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8739C62481B129AE07A1B77AF4E3D6A0E1 - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CF176DBEFE255A87EA7DC29DE9E639E - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D878354C9352526999303D47D6CDD7B7B5E - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D879A90E09993BBC18D7C139F74F50154E7 - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87702E39CFD71944BA86109DE200D8FAA5 - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87BDB3F84D585CFF414555B7A5CACEA415 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87553F0184FD9F7A142E6EEE2E10C63383 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D877E0DA3B60DF1C7BF16515B4841CC9238 - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87D0E7C2DF9FC51E4ADA113F6AAC645C5E - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87891ED3EE8E72C09CA5AB4670A924023C - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D874C0D2D539B796741A23120D87C861420 - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8706B33F337A4A5BE0F3186F5408DA65C3 - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87F93E4E8DF099B641ECB49DDA3BF0E9ED - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D879C097FC5C1D996B09CC6D43D295F3AEA - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8730E5646B75281A680857D1A34D6CF579 - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87A3C7007DEDC88AF57FBB19769C1B4C6C - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D870F030AE2EA72CED9C1844B050169253F - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8714759990101F2E4C12C08055734EEA7F - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87132A7CE824BC953D8EC796E3F9A4DBB4 - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876F5604275472C7809B6C5469193878FC - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D871BD463B8C92BF9FBA9036ACCC60A1BE5 - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87FBC6E3AF78BB4E0B87117DEB0B201B25 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87815FDCF0A163C26A815720BB8544B062 - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D87C58CB47E9D498A64DACBE79A4666E5A4 - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D8743D1C63E8B0496DB3215DCB05AFA05E1 - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C82C7537A40CC8B7810CE8B95A63D8D39 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C045BF7856D2C00769AA421727907AEA5 - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CE49FA4060262AFD26D6843BD23CBEFBD - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C411E5F8600A613F4F5893A35A559629D - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C050C691F618483316A9D171C6B4E476E - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C36BFBDAC37B4A7ABC3B08DC2AAE1743B - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C0960BEE7DAE54C79B7B8FDCE7A2FB9E3 - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C547931339E1A3475130CDC20C7D0A630 - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CB7712F6D29FC570972D1EB92A14155BF - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CB410469590A1D27DB50AB89251B77E02 - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C399D305C73E14C76630218601C507F4C - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C636B5E5DE9D09264E3873E02DFF10044 - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C9CCDC4747ACDE23D8CAA104D21212306 - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CF7AED42BED0C323283D6FB91051ED67A - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C0A163D32AD25ADB70BB22E24EA36701B - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CA6F549D881D13FD9752440E620F82480 - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CD1948EBCC1859DEB58262F3B79ED8653 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C6C5CC67CFA4E9FD281ECC7E16940598B - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C8FFA84A9166EF266FE09DCE59083174F - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C4DDEBDBC10A500AB7939FCC574EABFD9 - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CCC59073046BD4B147F7B47843060A950 - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C2A46883881A63D898772818411E6DB06 - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CECB9F84E0B00FD34E97F19FAC85851C7 - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CD5992787B846514F4841C535359E9B97 - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C32A7F52E3EBBF3B01EE36B07947D4D3D - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CA971B97F703E1A4BD7CAC7E5D3198223 - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CB49ADF9EAF2DB688146EC5B986E6E1A2 - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C9E9ACC043736A66ECA60782CBD73A8B4 - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CDB467524352EAFE07ADC94C99BBD0278 - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C5B46F71343A623E99B844590065BA545 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C5ECE67A401ED747B59B7E8296A7560EC - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CA615711631A4DD02E1C07D2DA662A4D6 - -Count = 924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876C8E1C0768867203AD8B62BCFF204FD746 - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1F5630ECCC4373FA1238DB9E057890D66 - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1486F2CB1BFDED34BECCD234B19764A4D - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC11FCD537AD1E6FBFF47A945D92A9467BB - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1D993EF9473732E0213DCE65ECA791973 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC148D44EC16829E4E64512C2F1CC24ED8F - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1FD72CE22139E5A1B1C0F99E17B4D274C - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1078946F2C679C9E3C6A7D2328D91F37A - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1668C37CA4EE7D97A6912F2414C9AC383 - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1EC5192B73FAB4CF2ABAF47F6F58E3B86 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1CF71B736D001377145F9FC864E458174 - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC14D5BA9B4BABECD7FEEDE25C9E4A44A21 - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1EA5E97754B2810D82E5B932A7A8CBAEB - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1681DBE8177388223470122CE65A0458A - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1028E8C857856A2AD3FF611C8D87CDA94 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1216255B358723D217AA8D06542E35860 - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC11D0F00A00986D512455E20D26DD4C521 - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1EB7A28EDC8509E3D1580CD1BCFA81967 - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC15258F54880EF3EF1D44F5C49E5B0D395 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1EB0270BD3F673327155C3C0B07E554BB - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1F8A98C734023EB3BCD2CA9D1849AF243 - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1E1DEE90D3F2280E8EEFEB10A19137D79 - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1D079553CF021DFDA03DE90210885C5BD - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC129AACE7FEAB3E339C89D3C47EA112D63 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC15A8A6193530E061DD1B5AA1182D1B5B6 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC145F09727FA9CB58CCD33EC2B01D16AD7 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC14EC6D51736F932F50E5AECA2C1986411 - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1D204E957C143045A449B78FC6F0DBB33 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC125AFDDBE7AD59A06DF9C4A90C22D267E - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1DF0C08D8530F17A9F391A3F2E47D5F74 - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1545966E82E9CF57E1513FE62EB0CA95A - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC17ED6D968FE17DEE3CB8197C10628B71D - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1A1C8079D1BE3BA06ECF25AC3C94B956A - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC161A8D6E9587DD581380D78A8FF3CDF55 - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7EB2C940D16323835BDCC6D3FFDC1A933 - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7EAEA033E98FDC6E44699D8115DDBCEC4 - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7F948EC4C911BD98E47EF47A81EB69B8C - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7657CA0EFC8309D337F28F0689EFFBB44 - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7FE9DA69A7DB60A320BAB9119035D79EB - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B74F87131EDDC061A0558E503F5023A643 - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B756C58BEF3401D0E0F1B7136775491D2E - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B755AC091225254EC28A2B880AD2EAE1CA - -Count = 966 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7409E1C37EC6F62B2DDFF254C0A4CD69C - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B785D7C7DD776E4CDE1FF14BD00B14AE8E - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7683489BAC6753C1D03092AAD48B2B40B - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ECC5F1CA4DFFBD6988A0781375C0E67D - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7FE65625939DE023C5B315E822058F347 - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7C2047D0F7B9C07BE45FD0DD5A6A4BD8D - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7C82F9BFB210D503C5F92123729B9055F - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7516CB597FB42648DC0E8B0E841F8E830 - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B70A84D9965665F32FBC3521E669829797 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7895C1AAAF5093ABF39D220A40865805E - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7C23E64B0D89C053585DE284498CC851F - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B78D655A4860901989CECC33008A213F57 - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B736287F42AB55B29E0414A38E7BF873E9 - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B72ED50229949D3ED4D700E590A5D0FFBF - -Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B786CDCBDF5D94DAF4F21A99A8DDC17FF4 - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7A3C3069364B519111736D6E6B3C27910 - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B79190FC9F6B6D445F0366799FE6F651DC - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B79469BD4ADC9C618105179DF919EB4A71 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7E1CA0DC98D7CD1AE57472C439185F25C - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B760599575BBF80370A02E5757D43CA438 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B72E50080E0BB7C028282E2CB4C1EA8C0C - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7FFA427341BE3F871A72C048F04AF9F79 - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B758BE6E05A6E83858C2F2FAF0F4470D43 - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7F8A8B661B9D6EA421AA04E4BAF5E51C3 - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7638D3DABA63D4EB283528A6FABEDDC3E - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADC5213CFDA610FCAADB9956F2BE1785CC - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADDB320432F49B733E9A5F3FD2097BDB76 - -Count = 993 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD4779AAA01B09E004BA02A1811E5030A4 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD3FB7BA6DBB1F2173CEFEE4E81E06BED3 - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADE0F9D19ACEEB243D15BDA6F367408C1F - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD0C399CFA743FEB630B93D37D475A95CF - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADFBBBE75EE503290EFE1FFFC772B418BE - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADA2D0D551F9A4EB19E0F956A3955DC4C5 - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD1AC438BA6A9E09A6658D36C35BAE6A4D - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADC10D448D3B43537D5609D083564AB796 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADFB51A1A21CDA26607F0820352405463A - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD12B52748817907B5CD3333D8532A32D7 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD3E0E3CFBF755ADD1D277CC2E0580D29B - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD1A3D22D26F9CDA65E5B9FE201CCAA2D7 - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD794B54C8C9DCE10553898CB5F4B7FEE4 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD060B7CC2AF5DA75B1F6B12F8906492EC - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADE889BA20738B6FDC692EA8D5AFDCD26B - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADA606072B142F37B9FBDC381F4579E726 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD45721303A6AA6903657B97AD79C8B25A - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD87AA3F1A6F60DB07EE4F2E903E39740F - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADC79423C689FC65D691225722D09A4A36 - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD29E9EA39819EF2C445E57AF62F45A8DD - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADD770752D81CAEA7C74C034AF162B5DF5 - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD648652A42DAB44A7ED35D13484335801 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD59738A1C05BCBE706636D3D2CFB39EE7 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADFE35C5A3FF7A09A0505FBE953448882A - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD5B380ED4C9C06F4CCF88C941959763EB - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7ADF41556865B398F814216368FBB02AD6C - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD5DC41F8F835568C5671F636B8A96ECBD - -Count = 1020 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD30621CE4646D690C7EC6310B666197D5 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD14FCA40B338125735869B6CA4651C19D - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD012A7D3E5A76207FE278F56C2F25A436 - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD0111D14C7497DBA56E2043829516260E - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73FF8A0BC1F54F34361025CE35FD0F03F2 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD739803A189FE20D98E59B7E04D2DF99223 - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD7396931318D760CDB7B084191DA4989BB2 - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73219039CD85CED20006F2050A51E3A39A - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A1BA2B29EED38DD9E1BCA6007AE2773D - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A9C4D2692D4C99F94C7694CFB2EF5F20 - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73DC428EA5862D7D81D82D39A1C977B0E2 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73700BAA043B6BA9CB4310F5D0CE0695BC - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A9DF1992B478697E733B6497810D8BC4 - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73B4F8A2F74DC6C78C989E0D77821F7A91 - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD731FF4ACB4FB1D90CA856CA4E926712880 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73BE6A520ACBCE39697CEAE621579B52D9 - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73DBDA70409A486740E87DDC27DFDE0869 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD738A1BDEFF61DA711DD411919CCBD9E410 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD734FC593223A0182592D30667D89EF9BE4 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73E1370CC6B0FFB470D54FB22BD6FD24B2 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD731D15299E9226B9398F72E44FCBAD501E - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73AA9BE81D6C858C8B93242588D5ADED29 - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73386142068FB5677E9875A58CB3607F84 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD732B8E413396F27D2804F013AC79B2B3EA - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD730BB33B9A328B7A4A43610E1DFE1905BC - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73102F2CB8F317BB049EA5A96D37ED145B - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73754CDF5B46C2BD0FD279112E94F77348 - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73DA93011F49F2B5E7C083E1DFACA08E2D - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD7379FBD72F07BC9FE5FB430D9DBD5A62B7 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD732BCB00B018AFD1EEAA92B4E157FBA4EA - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73B1F1FE1F85C1A36FC7CD453EE079F4EE - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73D24F75125AB4BAA457D9D09A127228A0 - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD7321A7E4F2F089767A98AFC62556D56B7F - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73564D9F2D2D06066880A2ACBAD016D7F9 - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD7337B90AF70ABDAD2D88A6152CCFEB8F4E - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73EE5BD51E09FB636238ABA1E3423A091E - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD738E0416B48CB653F7E46353F988D334BD - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A309D48992E694008BC85750B4CF8D1EC9 - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3289655787FF3FF9BDB28C879F826B003 - -Count = 1059 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A350448EC83950637FF8FB17ACBF00D508 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A317CDAC2EE15128E0393DD1C27A691AAA - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A36C37E437BE1369DC845D461F7A676A24 - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3B79600F07CECB309C81079F39C900D24 - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A312B5F0EAC304CBA1F11D8FD2B8C06B56 - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A30982D08DC284D34FFCEAD159F4418C28 - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3B6EA693C0975607BF3F845BEE8CAA015 - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A35920C48E1DCF883C83924E36580F9312 - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A33F7296C9D1FC1D21A3A599DEAD7220EA - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A30069C99FEEDD98108E4FC34BF2BDD4AB - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A35FFDD19745A9E63AC87888F56CD4E9DB - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3D9F65680B439013B0D5F4108F9FA975C - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3304E326E296EDD5A88F0DC8079272D16 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A331F009CA52DBE5D16BE114C7AF74C256 - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A31453533EC74604DE513A7D7AA834DB12 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3F5A450B7E3481DC42F79522DF6D5BAA3 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A38ADB04222A3A349176DD427AB1C31E3E - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A30608584484B150D2D1E41530B2278F1F - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3C6BEE2433839E5E8FE935C1227E3ABD4 - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A322D6EDDC0058690B33C6E237C17F4E2B - -Count = 1079 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A34C9FF9BE3AA963F01EB8193E94205269 - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3077F0309CE755D2FD8973F72E002505C - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A33B4CD5DD4031158F9BBE96F91BE27B94 - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A38706A0B4AE7CFD6EA6665A56D3036648 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3FE7E3A366D28D541BA352AB5A18A4EF7 - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A34FF83D42BAAA1B0A3D92582A3C64AC91 - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A36E10C177D00C16ECD4EFD2B1311E8D6E - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A301A4471A6A1DCC2D848E824FD3C3BC80 - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A3DED27A2F2DE5F406C20052FB5E7AE797 - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A396BE7DC1DB3BB585EE762A8E4641E83F - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 59D5A45BCBCB332311869B73F633D29606056B791F8A684E4D876CC1B7AD73A37CABFFC9C255FB9531F303E966332FFD - diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.c b/isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.h b/isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/api.h b/isap/Implementations/crypto_aead/isapk128v20/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/encrypt.c b/isap/Implementations/crypto_aead/isapk128v20/rhys/encrypt.c new file mode 100644 index 0000000..72d2d68 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "isap.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return isap_keccak_128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return isap_keccak_128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.c b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.c new file mode 100644 index 0000000..12a8ec6 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.c @@ -0,0 +1,76 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-ascon.h" + +void ascon_permute(ascon_state_t *state, uint8_t first_round) +{ + uint64_t t0, t1, t2, t3, t4; +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = be_load_word64(state->B); + uint64_t x1 = be_load_word64(state->B + 8); + uint64_t x2 = be_load_word64(state->B + 16); + uint64_t x3 = be_load_word64(state->B + 24); + uint64_t x4 = be_load_word64(state->B + 32); +#else + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; +#endif + while (first_round < 12) { + /* Add the round constant to the state */ + x2 ^= ((0x0F - first_round) << 4) | first_round; + + /* Substitution layer - apply the s-box using bit-slicing + * according to the algorithm recommended in the specification */ + x0 ^= x4; x4 ^= x3; x2 ^= x1; + t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4; + t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0; + x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; + x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2; + + /* Linear diffusion layer */ + x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0); + x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1); + x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2); + x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3); + x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4); + + /* Move onto the next round */ + ++first_round; + } +#if defined(LW_UTIL_LITTLE_ENDIAN) + be_store_word64(state->B, x0); + be_store_word64(state->B + 8, x1); + be_store_word64(state->B + 16, x2); + be_store_word64(state->B + 24, x3); + be_store_word64(state->B + 32, x4); +#else + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; +#endif +} diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.h b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.h new file mode 100644 index 0000000..d3fa3ca --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_ASCON_H +#define LW_INTERNAL_ASCON_H + +#include "internal-util.h" + +/** + * \file internal-ascon.h + * \brief Internal implementation of the ASCON permutation. + * + * References: http://competitions.cr.yp.to/round3/asconv12.pdf, + * http://ascon.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Structure of the internal state of the ASCON permutation. + */ +typedef union +{ + uint64_t S[5]; /**< Words of the state */ + uint8_t B[40]; /**< Bytes of the state */ + +} ascon_state_t; + +/** + * \brief Permutes the ASCON state. + * + * \param state The ASCON state to be permuted. + * \param first_round The first round (of 12) to be performed; 0, 4, or 6. + * + * The input and output \a state will be in big-endian byte order. + */ +void ascon_permute(ascon_state_t *state, uint8_t first_round); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-isap.h b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-isap.h new file mode 100644 index 0000000..ba99f2a --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-isap.h @@ -0,0 +1,249 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying ISAP variant. + * + * ISAP_ALG_NAME Name of the ISAP algorithm; e.g. isap_keccak_128 + * ISAP_RATE Number of bytes in the rate for hashing and encryption. + * ISAP_sH Number of rounds for hashing. + * ISAP_sE Number of rounds for encryption. + * ISAP_sB Number of rounds for key bit absorption. + * ISAP_sK Number of rounds for keying. + * ISAP_STATE Type for the permuation state; e.g. ascon_state_t + * ISAP_PERMUTE(s,r) Permutes the state "s" with number of rounds "r". + */ +#if defined(ISAP_ALG_NAME) + +#define ISAP_CONCAT_INNER(name,suffix) name##suffix +#define ISAP_CONCAT(name,suffix) ISAP_CONCAT_INNER(name,suffix) + +/* IV string for initialising the associated data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_A) + [sizeof(ISAP_STATE) - ISAP_NONCE_SIZE] = { + 0x01, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/* IV string for authenticating associated data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA) + [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = { + 0x02, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/* IV string for encrypting payload data */ +static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE) + [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = { + 0x03, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1, + ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK +}; + +/** + * \brief Re-keys the ISAP permutation state. + * + * \param state The permutation state to be re-keyed. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param iv Points to the initialization vector for this re-keying operation. + * \param data Points to the data to be absorbed to perform the re-keying. + * \param data_len Length of the data to be absorbed. + * + * The output key will be left in the leading bytes of \a state. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *iv, + const unsigned char *data, unsigned data_len) +{ + unsigned bit, num_bits; + + /* Initialize the state with the key and IV */ + memcpy(state->B, k, ISAP_KEY_SIZE); + memcpy(state->B + ISAP_KEY_SIZE, iv, sizeof(state->B) - ISAP_KEY_SIZE); + ISAP_PERMUTE(state, ISAP_sK); + + /* Absorb all of the bits of the data buffer one by one */ + num_bits = data_len * 8 - 1; + for (bit = 0; bit < num_bits; ++bit) { + state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80; + ISAP_PERMUTE(state, ISAP_sB); + } + state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80; + ISAP_PERMUTE(state, ISAP_sK); +} + +/** + * \brief Encrypts (or decrypts) a message payload with ISAP. + * + * \param state ISAP permutation state. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param npub Points to the 128-bit nonce for the ISAP cipher. + * \param c Buffer to receive the output ciphertext. + * \param m Buffer to receive the input plaintext. + * \param mlen Length of the input plaintext. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_encrypt) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub, + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Set up the re-keyed encryption key and nonce in the state */ + ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE), npub, ISAP_NONCE_SIZE); + memcpy(state->B + sizeof(ISAP_STATE) - ISAP_NONCE_SIZE, + npub, ISAP_NONCE_SIZE); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen >= ISAP_RATE) { + ISAP_PERMUTE(state, ISAP_sE); + lw_xor_block_2_src(c, state->B, m, ISAP_RATE); + c += ISAP_RATE; + m += ISAP_RATE; + mlen -= ISAP_RATE; + } + if (mlen > 0) { + ISAP_PERMUTE(state, ISAP_sE); + lw_xor_block_2_src(c, state->B, m, (unsigned)mlen); + } +} + +/** + * \brief Authenticates the associated data and ciphertext using ISAP. + * + * \param state ISAP permutation state. + * \param k Points to the 128-bit key for the ISAP cipher. + * \param npub Points to the 128-bit nonce for the ISAP cipher. + * \param ad Buffer containing the associated data. + * \param adlen Length of the associated data. + * \param c Buffer containing the ciphertext. + * \param clen Length of the ciphertext. + */ +static void ISAP_CONCAT(ISAP_ALG_NAME,_mac) + (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *c, unsigned long long clen, + unsigned char *tag) +{ + unsigned char preserve[sizeof(ISAP_STATE) - ISAP_TAG_SIZE]; + unsigned temp; + + /* Absorb the associated data */ + memcpy(state->B, npub, ISAP_NONCE_SIZE); + memcpy(state->B + ISAP_NONCE_SIZE, ISAP_CONCAT(ISAP_ALG_NAME,_IV_A), + sizeof(state->B) - ISAP_NONCE_SIZE); + ISAP_PERMUTE(state, ISAP_sH); + while (adlen >= ISAP_RATE) { + lw_xor_block(state->B, ad, ISAP_RATE); + ISAP_PERMUTE(state, ISAP_sH); + ad += ISAP_RATE; + adlen -= ISAP_RATE; + } + temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x80; /* padding */ + ISAP_PERMUTE(state, ISAP_sH); + state->B[sizeof(state->B) - 1] ^= 0x01; /* domain separation */ + + /* Absorb the ciphertext */ + while (clen >= ISAP_RATE) { + lw_xor_block(state->B, c, ISAP_RATE); + ISAP_PERMUTE(state, ISAP_sH); + c += ISAP_RATE; + clen -= ISAP_RATE; + } + temp = (unsigned)clen; + lw_xor_block(state->B, c, temp); + state->B[temp] ^= 0x80; /* padding */ + ISAP_PERMUTE(state, ISAP_sH); + + /* Re-key the state and generate the authentication tag */ + memcpy(tag, state->B, ISAP_TAG_SIZE); + memcpy(preserve, state->B + ISAP_TAG_SIZE, sizeof(preserve)); + ISAP_CONCAT(ISAP_ALG_NAME,_rekey) + (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA), tag, ISAP_TAG_SIZE); + memcpy(state->B + ISAP_TAG_SIZE, preserve, sizeof(preserve)); + ISAP_PERMUTE(state, ISAP_sH); + memcpy(tag, state->B, ISAP_TAG_SIZE); +} + +int ISAP_CONCAT(ISAP_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + ISAP_STATE state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ISAP_TAG_SIZE; + + /* Encrypt the plaintext to produce the ciphertext */ + ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, c, m, mlen); + + /* Authenticate the associated data and ciphertext to generate the tag */ + ISAP_CONCAT(ISAP_ALG_NAME,_mac) + (&state, k, npub, ad, adlen, c, mlen, c + mlen); + return 0; +} + +int ISAP_CONCAT(ISAP_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + ISAP_STATE state; + unsigned char tag[ISAP_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ISAP_TAG_SIZE) + return -1; + *mlen = clen - ISAP_TAG_SIZE; + + /* Authenticate the associated data and ciphertext to generate the tag */ + ISAP_CONCAT(ISAP_ALG_NAME,_mac)(&state, k, npub, ad, adlen, c, *mlen, tag); + + /* Decrypt the ciphertext to produce the plaintext */ + ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, m, c, *mlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, tag, c + *mlen, ISAP_TAG_SIZE); +} + +#endif /* ISAP_ALG_NAME */ + +/* Now undefine everything so that we can include this file again for + * another variant on the ISAP algorithm */ +#undef ISAP_ALG_NAME +#undef ISAP_RATE +#undef ISAP_sH +#undef ISAP_sE +#undef ISAP_sB +#undef ISAP_sK +#undef ISAP_STATE +#undef ISAP_PERMUTE +#undef ISAP_CONCAT_INNER +#undef ISAP_CONCAT diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.c b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.c new file mode 100644 index 0000000..c3c4011 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.c @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-keccak.h" + +/* Faster method to compute ((x + y) % 5) that avoids the division */ +static unsigned char const addMod5Table[9] = { + 0, 1, 2, 3, 4, 0, 1, 2, 3 +}; +#define addMod5(x, y) (addMod5Table[(x) + (y)]) + +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +{ + static uint8_t const RC[18] = { + 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, + 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, + 0x02, 0x80 + }; + uint8_t B[5][5]; + uint8_t D; + unsigned round; + unsigned index, index2; + for (round = 18 - rounds; round < 18; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_8(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate4_8(state->A[0][3]); + B[2][0] = leftRotate1_8(state->A[0][1]); + B[3][0] = leftRotate3_8(state->A[0][4]); + B[4][0] = leftRotate6_8(state->A[0][2]); + B[0][1] = leftRotate4_8(state->A[1][1]); + B[1][1] = leftRotate4_8(state->A[1][4]); + B[2][1] = leftRotate6_8(state->A[1][2]); + B[3][1] = leftRotate4_8(state->A[1][0]); + B[4][1] = leftRotate7_8(state->A[1][3]); + B[0][2] = leftRotate3_8(state->A[2][2]); + B[1][2] = leftRotate3_8(state->A[2][0]); + B[2][2] = leftRotate1_8(state->A[2][3]); + B[3][2] = leftRotate2_8(state->A[2][1]); + B[4][2] = leftRotate7_8(state->A[2][4]); + B[0][3] = leftRotate5_8(state->A[3][3]); + B[1][3] = leftRotate5_8(state->A[3][1]); + B[2][3] = state->A[3][4]; + B[3][3] = leftRotate7_8(state->A[3][2]); + B[4][3] = leftRotate1_8(state->A[3][0]); + B[0][4] = leftRotate6_8(state->A[4][4]); + B[1][4] = leftRotate5_8(state->A[4][2]); + B[2][4] = leftRotate2_8(state->A[4][0]); + B[3][4] = state->A[4][3]; + B[4][4] = leftRotate2_8(state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define keccakp_400_permute_host keccakp_400_permute +#endif + +/* Keccak-p[400] that assumes that the input is already in host byte order */ +void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) +{ + static uint16_t const RC[20] = { + 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, + 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, + 0x8002, 0x0080, 0x800A, 0x000A + }; + uint16_t B[5][5]; + uint16_t D; + unsigned round; + unsigned index, index2; + for (round = 20 - rounds; round < 20; ++round) { + /* Step mapping theta. The specification mentions two temporary + * arrays of size 5 called C and D. To save a bit of memory, + * we use the first row of B to store C and compute D on the fly */ + for (index = 0; index < 5; ++index) { + B[0][index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; + } + for (index = 0; index < 5; ++index) { + D = B[0][addMod5(index, 4)] ^ + leftRotate1_16(B[0][addMod5(index, 1)]); + for (index2 = 0; index2 < 5; ++index2) + state->A[index2][index] ^= D; + } + + /* Step mapping rho and pi combined into a single step. + * Rotate all lanes by a specific offset and rearrange */ + B[0][0] = state->A[0][0]; + B[1][0] = leftRotate12_16(state->A[0][3]); + B[2][0] = leftRotate1_16 (state->A[0][1]); + B[3][0] = leftRotate11_16(state->A[0][4]); + B[4][0] = leftRotate14_16(state->A[0][2]); + B[0][1] = leftRotate12_16(state->A[1][1]); + B[1][1] = leftRotate4_16 (state->A[1][4]); + B[2][1] = leftRotate6_16 (state->A[1][2]); + B[3][1] = leftRotate4_16 (state->A[1][0]); + B[4][1] = leftRotate7_16 (state->A[1][3]); + B[0][2] = leftRotate11_16(state->A[2][2]); + B[1][2] = leftRotate3_16 (state->A[2][0]); + B[2][2] = leftRotate9_16 (state->A[2][3]); + B[3][2] = leftRotate10_16(state->A[2][1]); + B[4][2] = leftRotate7_16 (state->A[2][4]); + B[0][3] = leftRotate5_16 (state->A[3][3]); + B[1][3] = leftRotate13_16(state->A[3][1]); + B[2][3] = leftRotate8_16 (state->A[3][4]); + B[3][3] = leftRotate15_16(state->A[3][2]); + B[4][3] = leftRotate9_16 (state->A[3][0]); + B[0][4] = leftRotate14_16(state->A[4][4]); + B[1][4] = leftRotate13_16(state->A[4][2]); + B[2][4] = leftRotate2_16 (state->A[4][0]); + B[3][4] = leftRotate8_16 (state->A[4][3]); + B[4][4] = leftRotate2_16 (state->A[4][1]); + + /* Step mapping chi. Combine each lane with two others in its row */ + for (index = 0; index < 5; ++index) { + for (index2 = 0; index2 < 5; ++index2) { + state->A[index2][index] = + B[index2][index] ^ + ((~B[index2][addMod5(index, 1)]) & + B[index2][addMod5(index, 2)]); + } + } + + /* Step mapping iota. XOR A[0][0] with the round constant */ + state->A[0][0] ^= RC[round]; + } +} + +#if !defined(LW_UTIL_LITTLE_ENDIAN) + +/** + * \brief Reverses the bytes in a Keccak-p[400] state. + * + * \param state The Keccak-p[400] state to apply byte-reversal to. + */ +static void keccakp_400_reverse_bytes(keccakp_400_state_t *state) +{ + unsigned index; + unsigned char temp1; + unsigned char temp2; + for (index = 0; index < 50; index += 2) { + temp1 = state->B[index]; + temp2 = state->B[index + 1]; + state->B[index] = temp2; + state->B[index + 1] = temp1; + } +} + +/* Keccak-p[400] that requires byte reversal on input and output */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) +{ + keccakp_400_reverse_bytes(state); + keccakp_400_permute_host(state, rounds); + keccakp_400_reverse_bytes(state); +} + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.h b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.h new file mode 100644 index 0000000..026da50 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KECCAK_H +#define LW_INTERNAL_KECCAK_H + +#include "internal-util.h" + +/** + * \file internal-keccak.h + * \brief Internal implementation of the Keccak-p permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for the Keccak-p[200] permutation. + */ +#define KECCAKP_200_STATE_SIZE 25 + +/** + * \brief Size of the state for the Keccak-p[400] permutation. + */ +#define KECCAKP_400_STATE_SIZE 50 + +/** + * \brief Structure of the internal state of the Keccak-p[200] permutation. + */ +typedef union +{ + uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ + uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ + +} keccakp_200_state_t; + +/** + * \brief Structure of the internal state of the Keccak-p[400] permutation. + */ +typedef union +{ + uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ + uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ + +} keccakp_400_state_t; + +/** + * \brief Permutes the Keccak-p[200] state. + * + * \param state The Keccak-p[200] state to be permuted. + * \param rounds The number of rounds to perform (up to 18). + */ +void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); + +/** + * \brief Permutes the Keccak-p[400] state, which is assumed to be in + * little-endian byte order. + * + * \param state The Keccak-p[400] state to be permuted. + * \param rounds The number of rounds to perform (up to 20). + */ +void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-util.h b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/isap.c b/isap/Implementations/crypto_aead/isapk128v20/rhys/isap.c new file mode 100644 index 0000000..26d50a3 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/isap.c @@ -0,0 +1,110 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "isap.h" +#include "internal-keccak.h" +#include "internal-ascon.h" +#include + +aead_cipher_t const isap_keccak_128a_cipher = { + "ISAP-K-128A", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_keccak_128a_aead_encrypt, + isap_keccak_128a_aead_decrypt +}; + +aead_cipher_t const isap_ascon_128a_cipher = { + "ISAP-A-128A", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_ascon_128a_aead_encrypt, + isap_ascon_128a_aead_decrypt +}; + +aead_cipher_t const isap_keccak_128_cipher = { + "ISAP-K-128", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_keccak_128_aead_encrypt, + isap_keccak_128_aead_decrypt +}; + +aead_cipher_t const isap_ascon_128_cipher = { + "ISAP-A-128", + ISAP_KEY_SIZE, + ISAP_NONCE_SIZE, + ISAP_TAG_SIZE, + AEAD_FLAG_NONE, + isap_ascon_128_aead_encrypt, + isap_ascon_128_aead_decrypt +}; + +/* ISAP-K-128A */ +#define ISAP_ALG_NAME isap_keccak_128a +#define ISAP_RATE (144 / 8) +#define ISAP_sH 16 +#define ISAP_sE 8 +#define ISAP_sB 1 +#define ISAP_sK 8 +#define ISAP_STATE keccakp_400_state_t +#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r)) +#include "internal-isap.h" + +/* ISAP-A-128A */ +#define ISAP_ALG_NAME isap_ascon_128a +#define ISAP_RATE (64 / 8) +#define ISAP_sH 12 +#define ISAP_sE 6 +#define ISAP_sB 1 +#define ISAP_sK 12 +#define ISAP_STATE ascon_state_t +#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r)) +#include "internal-isap.h" + +/* ISAP-K-128 */ +#define ISAP_ALG_NAME isap_keccak_128 +#define ISAP_RATE (144 / 8) +#define ISAP_sH 20 +#define ISAP_sE 12 +#define ISAP_sB 12 +#define ISAP_sK 12 +#define ISAP_STATE keccakp_400_state_t +#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r)) +#include "internal-isap.h" + +/* ISAP-A-128 */ +#define ISAP_ALG_NAME isap_ascon_128 +#define ISAP_RATE (64 / 8) +#define ISAP_sH 12 +#define ISAP_sE 12 +#define ISAP_sB 12 +#define ISAP_sK 12 +#define ISAP_STATE ascon_state_t +#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r)) +#include "internal-isap.h" diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/isap.h b/isap/Implementations/crypto_aead/isapk128v20/rhys/isap.h new file mode 100644 index 0000000..ddf8203 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/isap.h @@ -0,0 +1,330 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ISAP_H +#define LWCRYPTO_ISAP_H + +#include "aead-common.h" + +/** + * \file isap.h + * \brief ISAP authenticated encryption algorithm. + * + * ISAP is a family of authenticated encryption algorithms that are built + * around the Keccak-p[400] or ASCON permutations. There are four algorithms + * in the family, each of which have a 128-bit key, a 128-bit nonce, and a + * 128-bit tag: + * + * \li ISAP-K-128A based around the Keccak-p[400] permutation with a + * reduced number of rounds. This is the primary member in the family. + * \li ISAP-A-128A based around the ASCON permutation with a reduced + * number of rounds. + * \li ISAP-K-128 based around the Keccak-p[400] permutation. + * \li ISAP-A-128 based around the ASCON permutation. + * + * ISAP is designed to provide some protection against adversaries + * using differential power analysis to determine the key. The + * downside is that key setup is very slow. + * + * References: https://isap.iaik.tugraz.at/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all ISAP family members. + */ +#define ISAP_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all ISAP family members. + */ +#define ISAP_TAG_SIZE 16 + +/** + * \brief Size of the nonce for all ISAP family members. + */ +#define ISAP_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the ISAP-K-128A cipher. + */ +extern aead_cipher_t const isap_keccak_128a_cipher; + +/** + * \brief Meta-information block for the ISAP-A-128A cipher. + */ +extern aead_cipher_t const isap_ascon_128a_cipher; + +/** + * \brief Meta-information block for the ISAP-K-128 cipher. + */ +extern aead_cipher_t const isap_keccak_128_cipher; + +/** + * \brief Meta-information block for the ISAP-A-128 cipher. + */ +extern aead_cipher_t const isap_ascon_128_cipher; + +/** + * \brief Encrypts and authenticates a packet with ISAP-K-128A. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_keccak_128a_aead_decrypt() + */ +int isap_keccak_128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-K-128A. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_keccak_128a_aead_encrypt() + */ +int isap_keccak_128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-A-128A. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_ascon_128a_aead_decrypt() + */ +int isap_ascon_128a_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-A-128A. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_ascon_128a_aead_encrypt() + */ +int isap_ascon_128a_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-K-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_keccak_128_aead_decrypt() + */ +int isap_keccak_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-K-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_keccak_128_aead_encrypt() + */ +int isap_keccak_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with ISAP-A-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa isap_ascon_128_aead_decrypt() + */ +int isap_ascon_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ISAP-A-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa isap_ascon_128_aead_encrypt() + */ +int isap_ascon_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.c b/knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.h b/knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/api.h b/knot/Implementations/crypto_aead/knot128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/encrypt.c b/knot/Implementations/crypto_aead/knot128v1/rhys/encrypt.c new file mode 100644 index 0000000..0d644de --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "knot.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return knot_aead_128_256_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return knot_aead_128_256_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.c b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.c new file mode 100644 index 0000000..3486e6e --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.c @@ -0,0 +1,297 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-knot.h" + +/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ +static uint8_t const rc6[52] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, + 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, + 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, + 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, + 0x0d, 0x1a, 0x35, 0x2a +}; +static uint8_t const rc7[104] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, + 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, + 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, + 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, + 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, + 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, + 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, + 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, + 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c +}; +static uint8_t const rc8[140] = { + 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, + 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, + 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, + 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, + 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, + 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, + 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, + 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, + 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, + 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, + 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 0xc5, 0x8b, 0x16, 0x2d, 0x5a, + 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 +}; + +/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ +#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint64_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ +#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint32_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +static void knot256_permute + (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b1, b2, b3; + + /* Load the input state into local variables; each row is 64 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x1, x2, x3, b1, b2, b3); + + /* Linear diffusion layer */ + x1 = leftRotate1_64(b1); + x2 = leftRotate8_64(b2); + x3 = leftRotate25_64(b3); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); +#endif +} + +void knot256_permute_6(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc6, rounds); +} + +void knot256_permute_7(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc7, rounds); +} + +void knot384_permute_7(knot384_state_t *state, uint8_t rounds) +{ + const uint8_t *rc = rc7; + uint64_t b2, b4, b6; + uint32_t b3, b5, b7; + + /* Load the input state into local variables; each row is 96 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint32_t x1 = state->W[2]; + uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); + uint32_t x3 = state->W[5]; + uint64_t x4 = state->S[3]; + uint32_t x5 = state->W[8]; + uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); + uint32_t x7 = state->W[11]; +#else + uint64_t x0 = le_load_word64(state->B); + uint32_t x1 = le_load_word32(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 12); + uint32_t x3 = le_load_word32(state->B + 20); + uint64_t x4 = le_load_word64(state->B + 24); + uint32_t x5 = le_load_word32(state->B + 32); + uint64_t x6 = le_load_word64(state->B + 36); + uint32_t x7 = le_load_word32(state->B + 44); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox32(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotateShort_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + #define leftRotateLong_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | \ + (((uint64_t)(b1)) << ((bits) - 32)) | \ + ((b0) >> (96 - (bits))); \ + (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ + } while (0) + leftRotateShort_96(x2, x3, b2, b3, 1); + leftRotateShort_96(x4, x5, b4, b5, 8); + leftRotateLong_96(x6, x7, b6, b7, 55); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->W[2] = x1; + state->W[3] = (uint32_t)x2; + state->W[4] = (uint32_t)(x2 >> 32); + state->W[5] = x3; + state->S[3] = x4; + state->W[8] = x5; + state->W[9] = (uint32_t)x6; + state->W[10] = (uint32_t)(x6 >> 32); + state->W[11] = x7; +#else + le_store_word64(state->B, x0); + le_store_word32(state->B + 8, x1); + le_store_word64(state->B + 12, x2); + le_store_word32(state->B + 20, x3); + le_store_word64(state->B + 24, x4); + le_store_word32(state->B + 32, x5); + le_store_word64(state->B + 36, x6); + le_store_word32(state->B + 44, x7); +#endif +} + +static void knot512_permute + (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b2, b3, b4, b5, b6, b7; + + /* Load the input state into local variables; each row is 128 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; + uint64_t x5 = state->S[5]; + uint64_t x6 = state->S[6]; + uint64_t x7 = state->S[7]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); + uint64_t x5 = le_load_word64(state->B + 40); + uint64_t x6 = le_load_word64(state->B + 48); + uint64_t x7 = le_load_word64(state->B + 56); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox64(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotate_128(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + leftRotate_128(x2, x3, b2, b3, 1); + leftRotate_128(x4, x5, b4, b5, 16); + leftRotate_128(x6, x7, b6, b7, 25); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; + state->S[5] = x5; + state->S[6] = x6; + state->S[7] = x7; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); + le_store_word64(state->B + 40, x5); + le_store_word64(state->B + 48, x6); + le_store_word64(state->B + 56, x7); +#endif +} + +void knot512_permute_7(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc7, rounds); +} + +void knot512_permute_8(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc8, rounds); +} diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.h b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.h new file mode 100644 index 0000000..88a782c --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.h @@ -0,0 +1,130 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KNOT_H +#define LW_INTERNAL_KNOT_H + +#include "internal-util.h" + +/** + * \file internal-knot.h + * \brief Permutations that are used by the KNOT AEAD and hash algorithms. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Internal state of the KNOT-256 permutation. + */ +typedef union +{ + uint64_t S[4]; /**< Words of the state */ + uint8_t B[32]; /**< Bytes of the state */ + +} knot256_state_t; + +/** + * \brief Internal state of the KNOT-384 permutation. + */ +typedef union +{ + uint64_t S[6]; /**< 64-bit words of the state */ + uint32_t W[12]; /**< 32-bit words of the state */ + uint8_t B[48]; /**< Bytes of the state */ + +} knot384_state_t; + +/** + * \brief Internal state of the KNOT-512 permutation. + */ +typedef union +{ + uint64_t S[8]; /**< Words of the state */ + uint8_t B[64]; /**< Bytes of the state */ + +} knot512_state_t; + +/** + * \brief Permutes the KNOT-256 state, using 6-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 52. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_6(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-256 state, using 7-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_7(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-384 state, using 7-bit round constants. + * + * \param state The KNOT-384 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot384_permute_7(knot384_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 7-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_7(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 8-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 140. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_8(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Generic pointer to a function that performs a KNOT permutation. + * + * \param state Points to the permutation state. + * \param round Number of rounds to perform. + */ +typedef void (*knot_permute_t)(void *state, uint8_t rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-util.h b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/knot-aead.c b/knot/Implementations/crypto_aead/knot128v1/rhys/knot-aead.c new file mode 100644 index 0000000..5825f01 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/knot-aead.c @@ -0,0 +1,503 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "knot.h" +#include "internal-knot.h" +#include + +aead_cipher_t const knot_aead_128_256_cipher = { + "KNOT-AEAD-128-256", + KNOT_AEAD_128_KEY_SIZE, + KNOT_AEAD_128_NONCE_SIZE, + KNOT_AEAD_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_128_256_encrypt, + knot_aead_128_256_decrypt +}; + +aead_cipher_t const knot_aead_128_384_cipher = { + "KNOT-AEAD-128-384", + KNOT_AEAD_128_KEY_SIZE, + KNOT_AEAD_128_NONCE_SIZE, + KNOT_AEAD_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_128_384_encrypt, + knot_aead_128_384_decrypt +}; + +aead_cipher_t const knot_aead_192_384_cipher = { + "KNOT-AEAD-192-384", + KNOT_AEAD_192_KEY_SIZE, + KNOT_AEAD_192_NONCE_SIZE, + KNOT_AEAD_192_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_192_384_encrypt, + knot_aead_192_384_decrypt +}; + +aead_cipher_t const knot_aead_256_512_cipher = { + "KNOT-AEAD-256-512", + KNOT_AEAD_256_KEY_SIZE, + KNOT_AEAD_256_NONCE_SIZE, + KNOT_AEAD_256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_256_512_encrypt, + knot_aead_256_512_decrypt +}; + +/** + * \brief Rate for KNOT-AEAD-128-256. + */ +#define KNOT_AEAD_128_256_RATE 8 + +/** + * \brief Rate for KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_384_RATE 24 + +/** + * \brief Rate for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_384_RATE 12 + +/** + * \brief Rate for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_512_RATE 16 + +/** + * \brief Absorbs the associated data into a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must be at least 1. + */ +static void knot_aead_absorb_ad + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= rate) { + lw_xor_block((unsigned char *)state, ad, rate); + permute(state, rounds); + ad += rate; + adlen -= rate; + } + rate = (unsigned)adlen; + lw_xor_block((unsigned char *)state, ad, rate); + ((unsigned char *)state)[rate] ^= 0x01; + permute(state, rounds); +} + +/** + * \brief Encrypts plaintext data with a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param c Buffer to receive the ciphertext. + * \param m Buffer containing the plaintext. + * \param len Length of the plaintext data, must be at least 1. + */ +static void knot_aead_encrypt + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + unsigned char *c, const unsigned char *m, unsigned long long len) +{ + while (len >= rate) { + lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); + permute(state, rounds); + c += rate; + m += rate; + len -= rate; + } + rate = (unsigned)len; + lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); + ((unsigned char *)state)[rate] ^= 0x01; +} + +/** + * \brief Decrypts ciphertext data with a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param m Buffer to receive the plaintext. + * \param c Buffer containing the ciphertext. + * \param len Length of the plaintext data, must be at least 1. + */ +static void knot_aead_decrypt + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + unsigned char *m, const unsigned char *c, unsigned long long len) +{ + while (len >= rate) { + lw_xor_block_swap(m, (unsigned char *)state, c, rate); + permute(state, rounds); + c += rate; + m += rate; + len -= rate; + } + rate = (unsigned)len; + lw_xor_block_swap(m, (unsigned char *)state, c, rate); + ((unsigned char *)state)[rate] ^= 0x01; +} + +int knot_aead_128_256_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot256_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + knot256_permute_6(&state, 52); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot256_permute_6(&state, 32); + memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); + return 0; +} + +int knot_aead_128_256_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot256_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_128_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + knot256_permute_6(&state, 52); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_128_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot256_permute_6(&state, 32); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); +} + +int knot_aead_128_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, + 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); + state.B[47] = 0x80; + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot384_permute_7(&state, 32); + memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); + return 0; +} + +int knot_aead_128_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_128_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, + 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); + state.B[47] = 0x80; + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_128_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot384_permute_7(&state, 32); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); +} + +int knot_aead_192_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_192_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot384_permute_7(&state, 44); + memcpy(c + mlen, state.B, KNOT_AEAD_192_TAG_SIZE); + return 0; +} + +int knot_aead_192_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_192_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_192_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_192_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot384_permute_7(&state, 44); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_192_TAG_SIZE); +} + +int knot_aead_256_512_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_256_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); + knot512_permute_7(&state, 100); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot512_permute_7(&state, 56); + memcpy(c + mlen, state.B, KNOT_AEAD_256_TAG_SIZE); + return 0; +} + +int knot_aead_256_512_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_256_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_256_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); + knot512_permute_7(&state, 100); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_256_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot512_permute_7(&state, 56); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_256_TAG_SIZE); +} diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/knot.h b/knot/Implementations/crypto_aead/knot128v1/rhys/knot.h new file mode 100644 index 0000000..e2c5198 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/knot.h @@ -0,0 +1,459 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_KNOT_H +#define LWCRYPTO_KNOT_H + +#include "aead-common.h" + +/** + * \file knot.h + * \brief KNOT authenticated encryption and hash algorithms. + * + * KNOT is a family of authenticated encryption and hash algorithms built + * around a permutation and the MonkeyDuplex sponge construction. The + * family members are: + * + * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 256-bit permutation. This is the primary + * encryption member of the family. + * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a + * 192-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a + * 256-bit tag, built around a 512-bit permutation. + * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a + * 256-bit permutation. This is the primary hashing member of the family. + * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a + * 512-bit permutation. + * + * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-128-256 and + * KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_TAG_SIZE 24 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_NONCE_SIZE 24 + +/** + * \brief Size of the key for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_256_NONCE_SIZE 32 + +/** + * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384. + */ +#define KNOT_HASH_256_SIZE 32 + +/** + * \brief Size of the hash for KNOT-HASH-384-384. + */ +#define KNOT_HASH_384_SIZE 48 + +/** + * \brief Size of the hash for KNOT-HASH-512-512. + */ +#define KNOT_HASH_512_SIZE 64 + +/** + * \brief Meta-information block for the KNOT-AEAD-128-256 cipher. + */ +extern aead_cipher_t const knot_aead_128_256_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-128-384 cipher. + */ +extern aead_cipher_t const knot_aead_128_384_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-192-384 cipher. + */ +extern aead_cipher_t const knot_aead_192_384_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-256-512 cipher. + */ +extern aead_cipher_t const knot_aead_256_512_cipher; + +/** + * \brief Meta-information block for the KNOT-HASH-256-256 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_256_256_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-256-384 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_256_384_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-384-384 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_384_384_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-512-512 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_512_512_algorithm; + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_128_256_decrypt() + */ +int knot_aead_128_256_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_128_256_encrypt() + */ +int knot_aead_128_256_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_128_384_decrypt() + */ +int knot_aead_128_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_128_384_encrypt() + */ +int knot_aead_128_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_192_384_decrypt() + */ +int knot_aead_192_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_192_384_encrypt() + */ +int knot_aead_192_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_256_512_decrypt() + */ +int knot_aead_256_512_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_256_512_encrypt() + */ +int knot_aead_256_512_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with KNOT-HASH-256-256. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_256_256 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-256-384. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_256_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-384-384. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_384_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_384_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-512-512. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_512_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_512_512 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.c b/knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.h b/knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/api.h b/knot/Implementations/crypto_aead/knot128v2/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/encrypt.c b/knot/Implementations/crypto_aead/knot128v2/rhys/encrypt.c new file mode 100644 index 0000000..e80d720 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "knot.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return knot_aead_128_384_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return knot_aead_128_384_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.c b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.c new file mode 100644 index 0000000..3486e6e --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.c @@ -0,0 +1,297 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-knot.h" + +/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ +static uint8_t const rc6[52] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, + 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, + 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, + 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, + 0x0d, 0x1a, 0x35, 0x2a +}; +static uint8_t const rc7[104] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, + 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, + 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, + 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, + 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, + 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, + 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, + 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, + 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c +}; +static uint8_t const rc8[140] = { + 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, + 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, + 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, + 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, + 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, + 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, + 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, + 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, + 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, + 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, + 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 0xc5, 0x8b, 0x16, 0x2d, 0x5a, + 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 +}; + +/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ +#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint64_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ +#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint32_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +static void knot256_permute + (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b1, b2, b3; + + /* Load the input state into local variables; each row is 64 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x1, x2, x3, b1, b2, b3); + + /* Linear diffusion layer */ + x1 = leftRotate1_64(b1); + x2 = leftRotate8_64(b2); + x3 = leftRotate25_64(b3); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); +#endif +} + +void knot256_permute_6(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc6, rounds); +} + +void knot256_permute_7(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc7, rounds); +} + +void knot384_permute_7(knot384_state_t *state, uint8_t rounds) +{ + const uint8_t *rc = rc7; + uint64_t b2, b4, b6; + uint32_t b3, b5, b7; + + /* Load the input state into local variables; each row is 96 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint32_t x1 = state->W[2]; + uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); + uint32_t x3 = state->W[5]; + uint64_t x4 = state->S[3]; + uint32_t x5 = state->W[8]; + uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); + uint32_t x7 = state->W[11]; +#else + uint64_t x0 = le_load_word64(state->B); + uint32_t x1 = le_load_word32(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 12); + uint32_t x3 = le_load_word32(state->B + 20); + uint64_t x4 = le_load_word64(state->B + 24); + uint32_t x5 = le_load_word32(state->B + 32); + uint64_t x6 = le_load_word64(state->B + 36); + uint32_t x7 = le_load_word32(state->B + 44); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox32(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotateShort_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + #define leftRotateLong_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | \ + (((uint64_t)(b1)) << ((bits) - 32)) | \ + ((b0) >> (96 - (bits))); \ + (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ + } while (0) + leftRotateShort_96(x2, x3, b2, b3, 1); + leftRotateShort_96(x4, x5, b4, b5, 8); + leftRotateLong_96(x6, x7, b6, b7, 55); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->W[2] = x1; + state->W[3] = (uint32_t)x2; + state->W[4] = (uint32_t)(x2 >> 32); + state->W[5] = x3; + state->S[3] = x4; + state->W[8] = x5; + state->W[9] = (uint32_t)x6; + state->W[10] = (uint32_t)(x6 >> 32); + state->W[11] = x7; +#else + le_store_word64(state->B, x0); + le_store_word32(state->B + 8, x1); + le_store_word64(state->B + 12, x2); + le_store_word32(state->B + 20, x3); + le_store_word64(state->B + 24, x4); + le_store_word32(state->B + 32, x5); + le_store_word64(state->B + 36, x6); + le_store_word32(state->B + 44, x7); +#endif +} + +static void knot512_permute + (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b2, b3, b4, b5, b6, b7; + + /* Load the input state into local variables; each row is 128 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; + uint64_t x5 = state->S[5]; + uint64_t x6 = state->S[6]; + uint64_t x7 = state->S[7]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); + uint64_t x5 = le_load_word64(state->B + 40); + uint64_t x6 = le_load_word64(state->B + 48); + uint64_t x7 = le_load_word64(state->B + 56); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox64(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotate_128(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + leftRotate_128(x2, x3, b2, b3, 1); + leftRotate_128(x4, x5, b4, b5, 16); + leftRotate_128(x6, x7, b6, b7, 25); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; + state->S[5] = x5; + state->S[6] = x6; + state->S[7] = x7; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); + le_store_word64(state->B + 40, x5); + le_store_word64(state->B + 48, x6); + le_store_word64(state->B + 56, x7); +#endif +} + +void knot512_permute_7(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc7, rounds); +} + +void knot512_permute_8(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc8, rounds); +} diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.h b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.h new file mode 100644 index 0000000..88a782c --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.h @@ -0,0 +1,130 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KNOT_H +#define LW_INTERNAL_KNOT_H + +#include "internal-util.h" + +/** + * \file internal-knot.h + * \brief Permutations that are used by the KNOT AEAD and hash algorithms. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Internal state of the KNOT-256 permutation. + */ +typedef union +{ + uint64_t S[4]; /**< Words of the state */ + uint8_t B[32]; /**< Bytes of the state */ + +} knot256_state_t; + +/** + * \brief Internal state of the KNOT-384 permutation. + */ +typedef union +{ + uint64_t S[6]; /**< 64-bit words of the state */ + uint32_t W[12]; /**< 32-bit words of the state */ + uint8_t B[48]; /**< Bytes of the state */ + +} knot384_state_t; + +/** + * \brief Internal state of the KNOT-512 permutation. + */ +typedef union +{ + uint64_t S[8]; /**< Words of the state */ + uint8_t B[64]; /**< Bytes of the state */ + +} knot512_state_t; + +/** + * \brief Permutes the KNOT-256 state, using 6-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 52. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_6(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-256 state, using 7-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_7(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-384 state, using 7-bit round constants. + * + * \param state The KNOT-384 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot384_permute_7(knot384_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 7-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_7(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 8-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 140. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_8(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Generic pointer to a function that performs a KNOT permutation. + * + * \param state Points to the permutation state. + * \param round Number of rounds to perform. + */ +typedef void (*knot_permute_t)(void *state, uint8_t rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-util.h b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/knot-aead.c b/knot/Implementations/crypto_aead/knot128v2/rhys/knot-aead.c new file mode 100644 index 0000000..5825f01 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/knot-aead.c @@ -0,0 +1,503 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "knot.h" +#include "internal-knot.h" +#include + +aead_cipher_t const knot_aead_128_256_cipher = { + "KNOT-AEAD-128-256", + KNOT_AEAD_128_KEY_SIZE, + KNOT_AEAD_128_NONCE_SIZE, + KNOT_AEAD_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_128_256_encrypt, + knot_aead_128_256_decrypt +}; + +aead_cipher_t const knot_aead_128_384_cipher = { + "KNOT-AEAD-128-384", + KNOT_AEAD_128_KEY_SIZE, + KNOT_AEAD_128_NONCE_SIZE, + KNOT_AEAD_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_128_384_encrypt, + knot_aead_128_384_decrypt +}; + +aead_cipher_t const knot_aead_192_384_cipher = { + "KNOT-AEAD-192-384", + KNOT_AEAD_192_KEY_SIZE, + KNOT_AEAD_192_NONCE_SIZE, + KNOT_AEAD_192_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_192_384_encrypt, + knot_aead_192_384_decrypt +}; + +aead_cipher_t const knot_aead_256_512_cipher = { + "KNOT-AEAD-256-512", + KNOT_AEAD_256_KEY_SIZE, + KNOT_AEAD_256_NONCE_SIZE, + KNOT_AEAD_256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_256_512_encrypt, + knot_aead_256_512_decrypt +}; + +/** + * \brief Rate for KNOT-AEAD-128-256. + */ +#define KNOT_AEAD_128_256_RATE 8 + +/** + * \brief Rate for KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_384_RATE 24 + +/** + * \brief Rate for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_384_RATE 12 + +/** + * \brief Rate for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_512_RATE 16 + +/** + * \brief Absorbs the associated data into a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must be at least 1. + */ +static void knot_aead_absorb_ad + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= rate) { + lw_xor_block((unsigned char *)state, ad, rate); + permute(state, rounds); + ad += rate; + adlen -= rate; + } + rate = (unsigned)adlen; + lw_xor_block((unsigned char *)state, ad, rate); + ((unsigned char *)state)[rate] ^= 0x01; + permute(state, rounds); +} + +/** + * \brief Encrypts plaintext data with a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param c Buffer to receive the ciphertext. + * \param m Buffer containing the plaintext. + * \param len Length of the plaintext data, must be at least 1. + */ +static void knot_aead_encrypt + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + unsigned char *c, const unsigned char *m, unsigned long long len) +{ + while (len >= rate) { + lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); + permute(state, rounds); + c += rate; + m += rate; + len -= rate; + } + rate = (unsigned)len; + lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); + ((unsigned char *)state)[rate] ^= 0x01; +} + +/** + * \brief Decrypts ciphertext data with a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param m Buffer to receive the plaintext. + * \param c Buffer containing the ciphertext. + * \param len Length of the plaintext data, must be at least 1. + */ +static void knot_aead_decrypt + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + unsigned char *m, const unsigned char *c, unsigned long long len) +{ + while (len >= rate) { + lw_xor_block_swap(m, (unsigned char *)state, c, rate); + permute(state, rounds); + c += rate; + m += rate; + len -= rate; + } + rate = (unsigned)len; + lw_xor_block_swap(m, (unsigned char *)state, c, rate); + ((unsigned char *)state)[rate] ^= 0x01; +} + +int knot_aead_128_256_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot256_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + knot256_permute_6(&state, 52); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot256_permute_6(&state, 32); + memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); + return 0; +} + +int knot_aead_128_256_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot256_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_128_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + knot256_permute_6(&state, 52); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_128_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot256_permute_6(&state, 32); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); +} + +int knot_aead_128_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, + 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); + state.B[47] = 0x80; + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot384_permute_7(&state, 32); + memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); + return 0; +} + +int knot_aead_128_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_128_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, + 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); + state.B[47] = 0x80; + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_128_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot384_permute_7(&state, 32); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); +} + +int knot_aead_192_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_192_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot384_permute_7(&state, 44); + memcpy(c + mlen, state.B, KNOT_AEAD_192_TAG_SIZE); + return 0; +} + +int knot_aead_192_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_192_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_192_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_192_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot384_permute_7(&state, 44); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_192_TAG_SIZE); +} + +int knot_aead_256_512_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_256_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); + knot512_permute_7(&state, 100); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot512_permute_7(&state, 56); + memcpy(c + mlen, state.B, KNOT_AEAD_256_TAG_SIZE); + return 0; +} + +int knot_aead_256_512_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_256_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_256_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); + knot512_permute_7(&state, 100); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_256_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot512_permute_7(&state, 56); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_256_TAG_SIZE); +} diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/knot.h b/knot/Implementations/crypto_aead/knot128v2/rhys/knot.h new file mode 100644 index 0000000..e2c5198 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/knot.h @@ -0,0 +1,459 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_KNOT_H +#define LWCRYPTO_KNOT_H + +#include "aead-common.h" + +/** + * \file knot.h + * \brief KNOT authenticated encryption and hash algorithms. + * + * KNOT is a family of authenticated encryption and hash algorithms built + * around a permutation and the MonkeyDuplex sponge construction. The + * family members are: + * + * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 256-bit permutation. This is the primary + * encryption member of the family. + * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a + * 192-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a + * 256-bit tag, built around a 512-bit permutation. + * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a + * 256-bit permutation. This is the primary hashing member of the family. + * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a + * 512-bit permutation. + * + * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-128-256 and + * KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_TAG_SIZE 24 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_NONCE_SIZE 24 + +/** + * \brief Size of the key for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_256_NONCE_SIZE 32 + +/** + * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384. + */ +#define KNOT_HASH_256_SIZE 32 + +/** + * \brief Size of the hash for KNOT-HASH-384-384. + */ +#define KNOT_HASH_384_SIZE 48 + +/** + * \brief Size of the hash for KNOT-HASH-512-512. + */ +#define KNOT_HASH_512_SIZE 64 + +/** + * \brief Meta-information block for the KNOT-AEAD-128-256 cipher. + */ +extern aead_cipher_t const knot_aead_128_256_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-128-384 cipher. + */ +extern aead_cipher_t const knot_aead_128_384_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-192-384 cipher. + */ +extern aead_cipher_t const knot_aead_192_384_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-256-512 cipher. + */ +extern aead_cipher_t const knot_aead_256_512_cipher; + +/** + * \brief Meta-information block for the KNOT-HASH-256-256 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_256_256_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-256-384 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_256_384_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-384-384 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_384_384_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-512-512 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_512_512_algorithm; + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_128_256_decrypt() + */ +int knot_aead_128_256_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_128_256_encrypt() + */ +int knot_aead_128_256_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_128_384_decrypt() + */ +int knot_aead_128_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_128_384_encrypt() + */ +int knot_aead_128_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_192_384_decrypt() + */ +int knot_aead_192_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_192_384_encrypt() + */ +int knot_aead_192_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_256_512_decrypt() + */ +int knot_aead_256_512_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_256_512_encrypt() + */ +int knot_aead_256_512_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with KNOT-HASH-256-256. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_256_256 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-256-384. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_256_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-384-384. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_384_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_384_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-512-512. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_512_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_512_512 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys/aead-common.c b/knot/Implementations/crypto_aead/knot192/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/knot/Implementations/crypto_aead/knot192/rhys/aead-common.h b/knot/Implementations/crypto_aead/knot192/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys/api.h b/knot/Implementations/crypto_aead/knot192/rhys/api.h new file mode 100644 index 0000000..c340ebc --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 24 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 24 +#define CRYPTO_ABYTES 24 +#define CRYPTO_NOOVERLAP 1 diff --git a/knot/Implementations/crypto_aead/knot192/rhys/encrypt.c b/knot/Implementations/crypto_aead/knot192/rhys/encrypt.c new file mode 100644 index 0000000..7d9ae8b --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "knot.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return knot_aead_192_384_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return knot_aead_192_384_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.c b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.c new file mode 100644 index 0000000..3486e6e --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.c @@ -0,0 +1,297 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-knot.h" + +/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ +static uint8_t const rc6[52] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, + 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, + 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, + 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, + 0x0d, 0x1a, 0x35, 0x2a +}; +static uint8_t const rc7[104] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, + 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, + 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, + 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, + 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, + 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, + 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, + 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, + 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c +}; +static uint8_t const rc8[140] = { + 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, + 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, + 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, + 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, + 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, + 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, + 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, + 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, + 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, + 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, + 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 0xc5, 0x8b, 0x16, 0x2d, 0x5a, + 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 +}; + +/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ +#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint64_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ +#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint32_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +static void knot256_permute + (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b1, b2, b3; + + /* Load the input state into local variables; each row is 64 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x1, x2, x3, b1, b2, b3); + + /* Linear diffusion layer */ + x1 = leftRotate1_64(b1); + x2 = leftRotate8_64(b2); + x3 = leftRotate25_64(b3); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); +#endif +} + +void knot256_permute_6(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc6, rounds); +} + +void knot256_permute_7(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc7, rounds); +} + +void knot384_permute_7(knot384_state_t *state, uint8_t rounds) +{ + const uint8_t *rc = rc7; + uint64_t b2, b4, b6; + uint32_t b3, b5, b7; + + /* Load the input state into local variables; each row is 96 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint32_t x1 = state->W[2]; + uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); + uint32_t x3 = state->W[5]; + uint64_t x4 = state->S[3]; + uint32_t x5 = state->W[8]; + uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); + uint32_t x7 = state->W[11]; +#else + uint64_t x0 = le_load_word64(state->B); + uint32_t x1 = le_load_word32(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 12); + uint32_t x3 = le_load_word32(state->B + 20); + uint64_t x4 = le_load_word64(state->B + 24); + uint32_t x5 = le_load_word32(state->B + 32); + uint64_t x6 = le_load_word64(state->B + 36); + uint32_t x7 = le_load_word32(state->B + 44); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox32(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotateShort_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + #define leftRotateLong_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | \ + (((uint64_t)(b1)) << ((bits) - 32)) | \ + ((b0) >> (96 - (bits))); \ + (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ + } while (0) + leftRotateShort_96(x2, x3, b2, b3, 1); + leftRotateShort_96(x4, x5, b4, b5, 8); + leftRotateLong_96(x6, x7, b6, b7, 55); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->W[2] = x1; + state->W[3] = (uint32_t)x2; + state->W[4] = (uint32_t)(x2 >> 32); + state->W[5] = x3; + state->S[3] = x4; + state->W[8] = x5; + state->W[9] = (uint32_t)x6; + state->W[10] = (uint32_t)(x6 >> 32); + state->W[11] = x7; +#else + le_store_word64(state->B, x0); + le_store_word32(state->B + 8, x1); + le_store_word64(state->B + 12, x2); + le_store_word32(state->B + 20, x3); + le_store_word64(state->B + 24, x4); + le_store_word32(state->B + 32, x5); + le_store_word64(state->B + 36, x6); + le_store_word32(state->B + 44, x7); +#endif +} + +static void knot512_permute + (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b2, b3, b4, b5, b6, b7; + + /* Load the input state into local variables; each row is 128 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; + uint64_t x5 = state->S[5]; + uint64_t x6 = state->S[6]; + uint64_t x7 = state->S[7]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); + uint64_t x5 = le_load_word64(state->B + 40); + uint64_t x6 = le_load_word64(state->B + 48); + uint64_t x7 = le_load_word64(state->B + 56); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox64(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotate_128(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + leftRotate_128(x2, x3, b2, b3, 1); + leftRotate_128(x4, x5, b4, b5, 16); + leftRotate_128(x6, x7, b6, b7, 25); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; + state->S[5] = x5; + state->S[6] = x6; + state->S[7] = x7; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); + le_store_word64(state->B + 40, x5); + le_store_word64(state->B + 48, x6); + le_store_word64(state->B + 56, x7); +#endif +} + +void knot512_permute_7(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc7, rounds); +} + +void knot512_permute_8(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc8, rounds); +} diff --git a/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.h b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.h new file mode 100644 index 0000000..88a782c --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.h @@ -0,0 +1,130 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KNOT_H +#define LW_INTERNAL_KNOT_H + +#include "internal-util.h" + +/** + * \file internal-knot.h + * \brief Permutations that are used by the KNOT AEAD and hash algorithms. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Internal state of the KNOT-256 permutation. + */ +typedef union +{ + uint64_t S[4]; /**< Words of the state */ + uint8_t B[32]; /**< Bytes of the state */ + +} knot256_state_t; + +/** + * \brief Internal state of the KNOT-384 permutation. + */ +typedef union +{ + uint64_t S[6]; /**< 64-bit words of the state */ + uint32_t W[12]; /**< 32-bit words of the state */ + uint8_t B[48]; /**< Bytes of the state */ + +} knot384_state_t; + +/** + * \brief Internal state of the KNOT-512 permutation. + */ +typedef union +{ + uint64_t S[8]; /**< Words of the state */ + uint8_t B[64]; /**< Bytes of the state */ + +} knot512_state_t; + +/** + * \brief Permutes the KNOT-256 state, using 6-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 52. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_6(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-256 state, using 7-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_7(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-384 state, using 7-bit round constants. + * + * \param state The KNOT-384 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot384_permute_7(knot384_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 7-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_7(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 8-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 140. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_8(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Generic pointer to a function that performs a KNOT permutation. + * + * \param state Points to the permutation state. + * \param round Number of rounds to perform. + */ +typedef void (*knot_permute_t)(void *state, uint8_t rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys/internal-util.h b/knot/Implementations/crypto_aead/knot192/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys/knot-aead.c b/knot/Implementations/crypto_aead/knot192/rhys/knot-aead.c new file mode 100644 index 0000000..5825f01 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/knot-aead.c @@ -0,0 +1,503 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "knot.h" +#include "internal-knot.h" +#include + +aead_cipher_t const knot_aead_128_256_cipher = { + "KNOT-AEAD-128-256", + KNOT_AEAD_128_KEY_SIZE, + KNOT_AEAD_128_NONCE_SIZE, + KNOT_AEAD_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_128_256_encrypt, + knot_aead_128_256_decrypt +}; + +aead_cipher_t const knot_aead_128_384_cipher = { + "KNOT-AEAD-128-384", + KNOT_AEAD_128_KEY_SIZE, + KNOT_AEAD_128_NONCE_SIZE, + KNOT_AEAD_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_128_384_encrypt, + knot_aead_128_384_decrypt +}; + +aead_cipher_t const knot_aead_192_384_cipher = { + "KNOT-AEAD-192-384", + KNOT_AEAD_192_KEY_SIZE, + KNOT_AEAD_192_NONCE_SIZE, + KNOT_AEAD_192_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_192_384_encrypt, + knot_aead_192_384_decrypt +}; + +aead_cipher_t const knot_aead_256_512_cipher = { + "KNOT-AEAD-256-512", + KNOT_AEAD_256_KEY_SIZE, + KNOT_AEAD_256_NONCE_SIZE, + KNOT_AEAD_256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_256_512_encrypt, + knot_aead_256_512_decrypt +}; + +/** + * \brief Rate for KNOT-AEAD-128-256. + */ +#define KNOT_AEAD_128_256_RATE 8 + +/** + * \brief Rate for KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_384_RATE 24 + +/** + * \brief Rate for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_384_RATE 12 + +/** + * \brief Rate for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_512_RATE 16 + +/** + * \brief Absorbs the associated data into a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must be at least 1. + */ +static void knot_aead_absorb_ad + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= rate) { + lw_xor_block((unsigned char *)state, ad, rate); + permute(state, rounds); + ad += rate; + adlen -= rate; + } + rate = (unsigned)adlen; + lw_xor_block((unsigned char *)state, ad, rate); + ((unsigned char *)state)[rate] ^= 0x01; + permute(state, rounds); +} + +/** + * \brief Encrypts plaintext data with a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param c Buffer to receive the ciphertext. + * \param m Buffer containing the plaintext. + * \param len Length of the plaintext data, must be at least 1. + */ +static void knot_aead_encrypt + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + unsigned char *c, const unsigned char *m, unsigned long long len) +{ + while (len >= rate) { + lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); + permute(state, rounds); + c += rate; + m += rate; + len -= rate; + } + rate = (unsigned)len; + lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); + ((unsigned char *)state)[rate] ^= 0x01; +} + +/** + * \brief Decrypts ciphertext data with a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param m Buffer to receive the plaintext. + * \param c Buffer containing the ciphertext. + * \param len Length of the plaintext data, must be at least 1. + */ +static void knot_aead_decrypt + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + unsigned char *m, const unsigned char *c, unsigned long long len) +{ + while (len >= rate) { + lw_xor_block_swap(m, (unsigned char *)state, c, rate); + permute(state, rounds); + c += rate; + m += rate; + len -= rate; + } + rate = (unsigned)len; + lw_xor_block_swap(m, (unsigned char *)state, c, rate); + ((unsigned char *)state)[rate] ^= 0x01; +} + +int knot_aead_128_256_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot256_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + knot256_permute_6(&state, 52); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot256_permute_6(&state, 32); + memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); + return 0; +} + +int knot_aead_128_256_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot256_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_128_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + knot256_permute_6(&state, 52); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_128_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot256_permute_6(&state, 32); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); +} + +int knot_aead_128_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, + 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); + state.B[47] = 0x80; + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot384_permute_7(&state, 32); + memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); + return 0; +} + +int knot_aead_128_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_128_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, + 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); + state.B[47] = 0x80; + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_128_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot384_permute_7(&state, 32); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); +} + +int knot_aead_192_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_192_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot384_permute_7(&state, 44); + memcpy(c + mlen, state.B, KNOT_AEAD_192_TAG_SIZE); + return 0; +} + +int knot_aead_192_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_192_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_192_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_192_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot384_permute_7(&state, 44); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_192_TAG_SIZE); +} + +int knot_aead_256_512_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_256_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); + knot512_permute_7(&state, 100); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot512_permute_7(&state, 56); + memcpy(c + mlen, state.B, KNOT_AEAD_256_TAG_SIZE); + return 0; +} + +int knot_aead_256_512_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_256_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_256_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); + knot512_permute_7(&state, 100); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_256_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot512_permute_7(&state, 56); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_256_TAG_SIZE); +} diff --git a/knot/Implementations/crypto_aead/knot192/rhys/knot.h b/knot/Implementations/crypto_aead/knot192/rhys/knot.h new file mode 100644 index 0000000..e2c5198 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/knot.h @@ -0,0 +1,459 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_KNOT_H +#define LWCRYPTO_KNOT_H + +#include "aead-common.h" + +/** + * \file knot.h + * \brief KNOT authenticated encryption and hash algorithms. + * + * KNOT is a family of authenticated encryption and hash algorithms built + * around a permutation and the MonkeyDuplex sponge construction. The + * family members are: + * + * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 256-bit permutation. This is the primary + * encryption member of the family. + * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a + * 192-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a + * 256-bit tag, built around a 512-bit permutation. + * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a + * 256-bit permutation. This is the primary hashing member of the family. + * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a + * 512-bit permutation. + * + * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-128-256 and + * KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_TAG_SIZE 24 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_NONCE_SIZE 24 + +/** + * \brief Size of the key for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_256_NONCE_SIZE 32 + +/** + * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384. + */ +#define KNOT_HASH_256_SIZE 32 + +/** + * \brief Size of the hash for KNOT-HASH-384-384. + */ +#define KNOT_HASH_384_SIZE 48 + +/** + * \brief Size of the hash for KNOT-HASH-512-512. + */ +#define KNOT_HASH_512_SIZE 64 + +/** + * \brief Meta-information block for the KNOT-AEAD-128-256 cipher. + */ +extern aead_cipher_t const knot_aead_128_256_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-128-384 cipher. + */ +extern aead_cipher_t const knot_aead_128_384_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-192-384 cipher. + */ +extern aead_cipher_t const knot_aead_192_384_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-256-512 cipher. + */ +extern aead_cipher_t const knot_aead_256_512_cipher; + +/** + * \brief Meta-information block for the KNOT-HASH-256-256 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_256_256_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-256-384 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_256_384_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-384-384 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_384_384_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-512-512 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_512_512_algorithm; + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_128_256_decrypt() + */ +int knot_aead_128_256_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_128_256_encrypt() + */ +int knot_aead_128_256_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_128_384_decrypt() + */ +int knot_aead_128_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_128_384_encrypt() + */ +int knot_aead_128_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_192_384_decrypt() + */ +int knot_aead_192_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_192_384_encrypt() + */ +int knot_aead_192_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_256_512_decrypt() + */ +int knot_aead_256_512_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_256_512_encrypt() + */ +int knot_aead_256_512_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with KNOT-HASH-256-256. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_256_256 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-256-384. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_256_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-384-384. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_384_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_384_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-512-512. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_512_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_512_512 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys/aead-common.c b/knot/Implementations/crypto_aead/knot256/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/knot/Implementations/crypto_aead/knot256/rhys/aead-common.h b/knot/Implementations/crypto_aead/knot256/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys/api.h b/knot/Implementations/crypto_aead/knot256/rhys/api.h new file mode 100644 index 0000000..c11fc10 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 32 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 32 +#define CRYPTO_ABYTES 32 +#define CRYPTO_NOOVERLAP 1 diff --git a/knot/Implementations/crypto_aead/knot256/rhys/encrypt.c b/knot/Implementations/crypto_aead/knot256/rhys/encrypt.c new file mode 100644 index 0000000..8f6225a --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "knot.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return knot_aead_256_512_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return knot_aead_256_512_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.c b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.c new file mode 100644 index 0000000..3486e6e --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.c @@ -0,0 +1,297 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-knot.h" + +/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ +static uint8_t const rc6[52] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, + 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, + 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, + 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, + 0x0d, 0x1a, 0x35, 0x2a +}; +static uint8_t const rc7[104] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, + 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, + 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, + 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, + 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, + 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, + 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, + 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, + 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c +}; +static uint8_t const rc8[140] = { + 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, + 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, + 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, + 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, + 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, + 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, + 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, + 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, + 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, + 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, + 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 0xc5, 0x8b, 0x16, 0x2d, 0x5a, + 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 +}; + +/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ +#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint64_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ +#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint32_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +static void knot256_permute + (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b1, b2, b3; + + /* Load the input state into local variables; each row is 64 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x1, x2, x3, b1, b2, b3); + + /* Linear diffusion layer */ + x1 = leftRotate1_64(b1); + x2 = leftRotate8_64(b2); + x3 = leftRotate25_64(b3); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); +#endif +} + +void knot256_permute_6(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc6, rounds); +} + +void knot256_permute_7(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc7, rounds); +} + +void knot384_permute_7(knot384_state_t *state, uint8_t rounds) +{ + const uint8_t *rc = rc7; + uint64_t b2, b4, b6; + uint32_t b3, b5, b7; + + /* Load the input state into local variables; each row is 96 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint32_t x1 = state->W[2]; + uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); + uint32_t x3 = state->W[5]; + uint64_t x4 = state->S[3]; + uint32_t x5 = state->W[8]; + uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); + uint32_t x7 = state->W[11]; +#else + uint64_t x0 = le_load_word64(state->B); + uint32_t x1 = le_load_word32(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 12); + uint32_t x3 = le_load_word32(state->B + 20); + uint64_t x4 = le_load_word64(state->B + 24); + uint32_t x5 = le_load_word32(state->B + 32); + uint64_t x6 = le_load_word64(state->B + 36); + uint32_t x7 = le_load_word32(state->B + 44); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox32(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotateShort_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + #define leftRotateLong_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | \ + (((uint64_t)(b1)) << ((bits) - 32)) | \ + ((b0) >> (96 - (bits))); \ + (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ + } while (0) + leftRotateShort_96(x2, x3, b2, b3, 1); + leftRotateShort_96(x4, x5, b4, b5, 8); + leftRotateLong_96(x6, x7, b6, b7, 55); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->W[2] = x1; + state->W[3] = (uint32_t)x2; + state->W[4] = (uint32_t)(x2 >> 32); + state->W[5] = x3; + state->S[3] = x4; + state->W[8] = x5; + state->W[9] = (uint32_t)x6; + state->W[10] = (uint32_t)(x6 >> 32); + state->W[11] = x7; +#else + le_store_word64(state->B, x0); + le_store_word32(state->B + 8, x1); + le_store_word64(state->B + 12, x2); + le_store_word32(state->B + 20, x3); + le_store_word64(state->B + 24, x4); + le_store_word32(state->B + 32, x5); + le_store_word64(state->B + 36, x6); + le_store_word32(state->B + 44, x7); +#endif +} + +static void knot512_permute + (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b2, b3, b4, b5, b6, b7; + + /* Load the input state into local variables; each row is 128 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; + uint64_t x5 = state->S[5]; + uint64_t x6 = state->S[6]; + uint64_t x7 = state->S[7]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); + uint64_t x5 = le_load_word64(state->B + 40); + uint64_t x6 = le_load_word64(state->B + 48); + uint64_t x7 = le_load_word64(state->B + 56); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox64(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotate_128(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + leftRotate_128(x2, x3, b2, b3, 1); + leftRotate_128(x4, x5, b4, b5, 16); + leftRotate_128(x6, x7, b6, b7, 25); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; + state->S[5] = x5; + state->S[6] = x6; + state->S[7] = x7; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); + le_store_word64(state->B + 40, x5); + le_store_word64(state->B + 48, x6); + le_store_word64(state->B + 56, x7); +#endif +} + +void knot512_permute_7(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc7, rounds); +} + +void knot512_permute_8(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc8, rounds); +} diff --git a/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.h b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.h new file mode 100644 index 0000000..88a782c --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.h @@ -0,0 +1,130 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KNOT_H +#define LW_INTERNAL_KNOT_H + +#include "internal-util.h" + +/** + * \file internal-knot.h + * \brief Permutations that are used by the KNOT AEAD and hash algorithms. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Internal state of the KNOT-256 permutation. + */ +typedef union +{ + uint64_t S[4]; /**< Words of the state */ + uint8_t B[32]; /**< Bytes of the state */ + +} knot256_state_t; + +/** + * \brief Internal state of the KNOT-384 permutation. + */ +typedef union +{ + uint64_t S[6]; /**< 64-bit words of the state */ + uint32_t W[12]; /**< 32-bit words of the state */ + uint8_t B[48]; /**< Bytes of the state */ + +} knot384_state_t; + +/** + * \brief Internal state of the KNOT-512 permutation. + */ +typedef union +{ + uint64_t S[8]; /**< Words of the state */ + uint8_t B[64]; /**< Bytes of the state */ + +} knot512_state_t; + +/** + * \brief Permutes the KNOT-256 state, using 6-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 52. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_6(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-256 state, using 7-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_7(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-384 state, using 7-bit round constants. + * + * \param state The KNOT-384 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot384_permute_7(knot384_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 7-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_7(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 8-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 140. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_8(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Generic pointer to a function that performs a KNOT permutation. + * + * \param state Points to the permutation state. + * \param round Number of rounds to perform. + */ +typedef void (*knot_permute_t)(void *state, uint8_t rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys/internal-util.h b/knot/Implementations/crypto_aead/knot256/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys/knot-aead.c b/knot/Implementations/crypto_aead/knot256/rhys/knot-aead.c new file mode 100644 index 0000000..5825f01 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/knot-aead.c @@ -0,0 +1,503 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "knot.h" +#include "internal-knot.h" +#include + +aead_cipher_t const knot_aead_128_256_cipher = { + "KNOT-AEAD-128-256", + KNOT_AEAD_128_KEY_SIZE, + KNOT_AEAD_128_NONCE_SIZE, + KNOT_AEAD_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_128_256_encrypt, + knot_aead_128_256_decrypt +}; + +aead_cipher_t const knot_aead_128_384_cipher = { + "KNOT-AEAD-128-384", + KNOT_AEAD_128_KEY_SIZE, + KNOT_AEAD_128_NONCE_SIZE, + KNOT_AEAD_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_128_384_encrypt, + knot_aead_128_384_decrypt +}; + +aead_cipher_t const knot_aead_192_384_cipher = { + "KNOT-AEAD-192-384", + KNOT_AEAD_192_KEY_SIZE, + KNOT_AEAD_192_NONCE_SIZE, + KNOT_AEAD_192_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_192_384_encrypt, + knot_aead_192_384_decrypt +}; + +aead_cipher_t const knot_aead_256_512_cipher = { + "KNOT-AEAD-256-512", + KNOT_AEAD_256_KEY_SIZE, + KNOT_AEAD_256_NONCE_SIZE, + KNOT_AEAD_256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_aead_256_512_encrypt, + knot_aead_256_512_decrypt +}; + +/** + * \brief Rate for KNOT-AEAD-128-256. + */ +#define KNOT_AEAD_128_256_RATE 8 + +/** + * \brief Rate for KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_384_RATE 24 + +/** + * \brief Rate for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_384_RATE 12 + +/** + * \brief Rate for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_512_RATE 16 + +/** + * \brief Absorbs the associated data into a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must be at least 1. + */ +static void knot_aead_absorb_ad + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= rate) { + lw_xor_block((unsigned char *)state, ad, rate); + permute(state, rounds); + ad += rate; + adlen -= rate; + } + rate = (unsigned)adlen; + lw_xor_block((unsigned char *)state, ad, rate); + ((unsigned char *)state)[rate] ^= 0x01; + permute(state, rounds); +} + +/** + * \brief Encrypts plaintext data with a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param c Buffer to receive the ciphertext. + * \param m Buffer containing the plaintext. + * \param len Length of the plaintext data, must be at least 1. + */ +static void knot_aead_encrypt + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + unsigned char *c, const unsigned char *m, unsigned long long len) +{ + while (len >= rate) { + lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); + permute(state, rounds); + c += rate; + m += rate; + len -= rate; + } + rate = (unsigned)len; + lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); + ((unsigned char *)state)[rate] ^= 0x01; +} + +/** + * \brief Decrypts ciphertext data with a KNOT permutation state. + * + * \param state Points to the KNOT permutation state. + * \param permute Points to the function to perform the KNOT permutation. + * \param rounds Number of rounds to perform. + * \param rate Rate of absorption to use with the permutation. + * \param m Buffer to receive the plaintext. + * \param c Buffer containing the ciphertext. + * \param len Length of the plaintext data, must be at least 1. + */ +static void knot_aead_decrypt + (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, + unsigned char *m, const unsigned char *c, unsigned long long len) +{ + while (len >= rate) { + lw_xor_block_swap(m, (unsigned char *)state, c, rate); + permute(state, rounds); + c += rate; + m += rate; + len -= rate; + } + rate = (unsigned)len; + lw_xor_block_swap(m, (unsigned char *)state, c, rate); + ((unsigned char *)state)[rate] ^= 0x01; +} + +int knot_aead_128_256_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot256_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + knot256_permute_6(&state, 52); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot256_permute_6(&state, 32); + memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); + return 0; +} + +int knot_aead_128_256_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot256_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_128_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + knot256_permute_6(&state, 52); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_128_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot256_permute_6, + 28, KNOT_AEAD_128_256_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot256_permute_6(&state, 32); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); +} + +int knot_aead_128_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, + 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); + state.B[47] = 0x80; + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot384_permute_7(&state, 32); + memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); + return 0; +} + +int knot_aead_128_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_128_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_128_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); + memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, + 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); + state.B[47] = 0x80; + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_128_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot384_permute_7, + 28, KNOT_AEAD_128_384_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot384_permute_7(&state, 32); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); +} + +int knot_aead_192_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_192_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot384_permute_7(&state, 44); + memcpy(c + mlen, state.B, KNOT_AEAD_192_TAG_SIZE); + return 0; +} + +int knot_aead_192_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_192_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_192_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); + knot384_permute_7(&state, 76); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_192_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot384_permute_7, + 40, KNOT_AEAD_192_384_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot384_permute_7(&state, 44); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_192_TAG_SIZE); +} + +int knot_aead_256_512_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + knot512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + KNOT_AEAD_256_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); + knot512_permute_7(&state, 100); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Encrypts the plaintext to produce the ciphertext */ + if (mlen > 0) { + knot_aead_encrypt + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, c, m, mlen); + } + + /* Compute the authentication tag */ + knot512_permute_7(&state, 56); + memcpy(c + mlen, state.B, KNOT_AEAD_256_TAG_SIZE); + return 0; +} + +int knot_aead_256_512_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + knot512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < KNOT_AEAD_256_TAG_SIZE) + return -1; + *mlen = clen - KNOT_AEAD_256_TAG_SIZE; + + /* Initialize the permutation state to the nonce and the key */ + memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); + memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); + knot512_permute_7(&state, 100); + + /* Absorb the associated data */ + if (adlen > 0) { + knot_aead_absorb_ad + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, ad, adlen); + } + state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= KNOT_AEAD_256_TAG_SIZE; + if (clen > 0) { + knot_aead_decrypt + (&state, (knot_permute_t)knot512_permute_7, + 52, KNOT_AEAD_256_512_RATE, m, c, clen); + } + + /* Check the authentication tag */ + knot512_permute_7(&state, 56); + return aead_check_tag + (m, clen, state.B, c + clen, KNOT_AEAD_256_TAG_SIZE); +} diff --git a/knot/Implementations/crypto_aead/knot256/rhys/knot.h b/knot/Implementations/crypto_aead/knot256/rhys/knot.h new file mode 100644 index 0000000..e2c5198 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/knot.h @@ -0,0 +1,459 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_KNOT_H +#define LWCRYPTO_KNOT_H + +#include "aead-common.h" + +/** + * \file knot.h + * \brief KNOT authenticated encryption and hash algorithms. + * + * KNOT is a family of authenticated encryption and hash algorithms built + * around a permutation and the MonkeyDuplex sponge construction. The + * family members are: + * + * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 256-bit permutation. This is the primary + * encryption member of the family. + * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a + * 192-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a + * 256-bit tag, built around a 512-bit permutation. + * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a + * 256-bit permutation. This is the primary hashing member of the family. + * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a + * 512-bit permutation. + * + * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-128-256 and + * KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_TAG_SIZE 24 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_NONCE_SIZE 24 + +/** + * \brief Size of the key for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-256-512. + */ +#define KNOT_AEAD_256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_256_NONCE_SIZE 32 + +/** + * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384. + */ +#define KNOT_HASH_256_SIZE 32 + +/** + * \brief Size of the hash for KNOT-HASH-384-384. + */ +#define KNOT_HASH_384_SIZE 48 + +/** + * \brief Size of the hash for KNOT-HASH-512-512. + */ +#define KNOT_HASH_512_SIZE 64 + +/** + * \brief Meta-information block for the KNOT-AEAD-128-256 cipher. + */ +extern aead_cipher_t const knot_aead_128_256_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-128-384 cipher. + */ +extern aead_cipher_t const knot_aead_128_384_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-192-384 cipher. + */ +extern aead_cipher_t const knot_aead_192_384_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-256-512 cipher. + */ +extern aead_cipher_t const knot_aead_256_512_cipher; + +/** + * \brief Meta-information block for the KNOT-HASH-256-256 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_256_256_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-256-384 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_256_384_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-384-384 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_384_384_algorithm; + +/** + * \brief Meta-information block for the KNOT-HASH-512-512 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_512_512_algorithm; + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_128_256_decrypt() + */ +int knot_aead_128_256_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_128_256_encrypt() + */ +int knot_aead_128_256_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_128_384_decrypt() + */ +int knot_aead_128_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_128_384_encrypt() + */ +int knot_aead_128_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_192_384_decrypt() + */ +int knot_aead_192_384_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_192_384_encrypt() + */ +int knot_aead_192_384_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa knot_aead_256_512_decrypt() + */ +int knot_aead_256_512_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa knot_aead_256_512_encrypt() + */ +int knot_aead_256_512_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with KNOT-HASH-256-256. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_256_256 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-256-384. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_256_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-384-384. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_384_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_384_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Hashes a block of input data with KNOT-HASH-512-512. + * + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_512_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int knot_hash_512_512 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/api.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/api.h new file mode 100644 index 0000000..4bf8f5c --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/encrypt.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/encrypt.c new file mode 100644 index 0000000..1573370 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "lotus-locus.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return locus_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return locus_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.c new file mode 100644 index 0000000..321d079 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.c @@ -0,0 +1,745 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gift64.h" +#include "internal-util.h" +#include + +/* Round constants for GIFT-64 in the fixsliced representation */ +static uint32_t const GIFT64_RC[28] = { + 0x22000011, 0x00002299, 0x11118811, 0x880000ff, 0x33111199, 0x990022ee, + 0x22119933, 0x880033bb, 0x22119999, 0x880022ff, 0x11119922, 0x880033cc, + 0x33008899, 0x99002299, 0x33118811, 0x880000ee, 0x33110099, 0x990022aa, + 0x22118833, 0x880022bb, 0x22111188, 0x88002266, 0x00009922, 0x88003300, + 0x22008811, 0x00002288, 0x00118811, 0x880000bb +}; + +int gift64b_init + (gift64b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + if (!ks || !key || key_len != 16) + return 0; + ks->k[0] = be_load_word32(key); + ks->k[1] = be_load_word32(key + 4); + ks->k[2] = be_load_word32(key + 8); + ks->k[3] = be_load_word32(key + 12); + gift64b_update_round_keys(ks); + return 1; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Swaps bits within two words. + * + * \param a The first word. + * \param b The second word. + * \param mask Mask for the bits to shift. + * \param shift Shift amount in bits. + */ +#define gift64b_swap_move(a, b, mask, shift) \ + do { \ + uint32_t t = ((b) ^ ((a) >> (shift))) & (mask); \ + (b) ^= t; \ + (a) ^= t << (shift); \ + } while (0) + +/** + * \brief Performs the GIFT-64 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift64b_sbox(s0, s1, s2, s3) \ + do { \ + s1 ^= s0 & s2; \ + s0 ^= s1 & s3; \ + s2 ^= s0 | s1; \ + s3 ^= s2; \ + s1 ^= s3; \ + s2 ^= s0 & s1; \ + } while (0) + +/** + * \brief Performs the inverse of the GIFT-64 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift64b_inv_sbox(s0, s1, s2, s3) \ + do { \ + s2 ^= s3 & s1; \ + s1 ^= s0; \ + s0 ^= s2; \ + s2 ^= s3 | s1; \ + s3 ^= s1 & s0; \ + s1 ^= s3 & s2; \ + } while (0) + +/* Rotates a state word left by 1 position in the fixsliced representation: + * + * 0 1 2 3 1 2 3 0 + * 4 5 6 7 ==> 5 6 7 4 + * 8 9 10 11 9 10 11 8 + * 12 13 14 15 13 14 14 12 + */ +#define gift64b_rotate_left_1(x) \ + ((((x) >> 1) & 0x77777777U) | (((x) & 0x11111111U) << 3)) + +/* Rotates a state word left by 2 positions in the fixsliced representation: + * + * 0 1 2 3 2 3 0 1 + * 4 5 6 7 ==> 6 7 4 5 + * 8 9 10 11 10 11 8 9 + * 12 13 14 15 14 15 12 13 + */ +#define gift64b_rotate_left_2(x) \ + ((((x) >> 2) & 0x33333333U) | (((x) & 0x33333333U) << 2)) + +/* Rotates a state word left by 3 positions in the fixsliced representation: + * + * 0 1 2 3 3 0 1 2 + * 4 5 6 7 ==> 7 4 5 6 + * 8 9 10 11 11 8 9 10 + * 12 13 14 15 15 12 13 14 + */ +#define gift64b_rotate_left_3(x) \ + ((((x) >> 3) & 0x11111111U) | (((x) & 0x77777777U) << 1)) + +/* Rotates a state word right by 1 position in the fixsliced representation */ +#define gift64b_rotate_right_1(x) gift64b_rotate_left_3(x) + +/* Rotates a state word right by 2 positions in the fixsliced representation */ +#define gift64b_rotate_right_2(x) gift64b_rotate_left_2(x) + +/* Rotates a state word right by 3 positions in the fixsliced representation */ +#define gift64b_rotate_right_3(x) gift64b_rotate_left_1(x) + +/* Rotates a state word up by 1 position in the fixsliced representation: + * + * 0 1 2 3 4 5 6 7 + * 4 5 6 7 ==> 8 9 10 11 + * 8 9 10 11 12 13 14 15 + * 12 13 14 15 0 1 2 3 + */ +#define gift64b_rotate_up_1(x) (rightRotate8((x))) + +/* Rotates a state word up by 2 positions in the fixsliced representation: + * + * 0 1 2 3 8 9 10 11 + * 4 5 6 7 ==> 12 13 14 15 + * 8 9 10 11 0 1 2 3 + * 12 13 14 15 4 5 6 7 + */ +#define gift64b_rotate_up_2(x) (rightRotate16((x))) + +/* Rotates a state word up by 3 positions in the fixsliced representation: + * + * 0 1 2 3 12 13 14 15 + * 4 5 6 7 ==> 0 1 2 3 + * 8 9 10 11 4 5 6 7 + * 12 13 14 15 8 9 10 11 + */ +#define gift64b_rotate_up_3(x) (rightRotate24((x))) + +/* Rotates a state word down by 1 position in the fixsliced representation */ +#define gift64b_rotate_down_1(x) gift64b_rotate_up_3(x) + +/* Rotates a state word down by 2 positions in the fixsliced representation */ +#define gift64b_rotate_down_2(x) gift64b_rotate_up_2(x) + +/* Rotates a state word down by 3 positions in the fixsliced representation */ +#define gift64b_rotate_down_3(x) gift64b_rotate_up_1(x) + +/* Permutation code to rearrange key bits into fixsliced form. Permutations + * generated wth "http://programming.sirrida.de/calcperm.php" */ +#define gift64b_rearrange1_transpose_low(out, in) \ + do { \ + out = (in) & 0x0000FFFFU; \ + /* 0 8 16 24 3 11 19 27 2 10 18 26 1 9 17 25 * */ \ + bit_permute_step(out, 0x0000CCCCU, 16); \ + bit_permute_step(out, 0x30030330U, 2); \ + bit_permute_step(out, 0x00960096U, 8); \ + bit_permute_step(out, 0x05500550U, 1); \ + bit_permute_step(out, 0x0A0A0A0AU, 4); \ + } while (0) +#define gift64b_rearrange1_transpose_high(out, in) \ + do { \ + out = (in) >> 16; \ + /* 0 8 16 24 3 11 19 27 2 10 18 26 1 9 17 25 * */ \ + bit_permute_step(out, 0x0000CCCCU, 16); \ + bit_permute_step(out, 0x30030330U, 2); \ + bit_permute_step(out, 0x00960096U, 8); \ + bit_permute_step(out, 0x05500550U, 1); \ + bit_permute_step(out, 0x0A0A0A0AU, 4); \ + } while (0) +#define gift64b_rearrange1_low(out, in) \ + do { \ + out = (in) & 0x0000FFFFU; \ + /* 0 1 2 3 24 25 26 27 16 17 18 19 8 9 10 11 * */ \ + out = (out & 0x0000000FU) | ((out & 0x00000F00U) << 8) | \ + ((out & 0x000000F0U) << 20) | ((out & 0x0000F000U) >> 4); \ + } while (0) +#define gift64b_rearrange1_high(out, in) \ + do { \ + out = (in) >> 16; \ + /* 0 1 2 3 24 25 26 27 16 17 18 19 8 9 10 11 * */ \ + out = (out & 0x0000000FU) | ((out & 0x00000F00U) << 8) | \ + ((out & 0x000000F0U) << 20) | ((out & 0x0000F000U) >> 4); \ + } while (0) +#define gift64b_rearrange2_transpose_low(out, in) \ + do { \ + out = (in) & 0x0000FFFFU; \ + /* 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 * */ \ + bit_permute_step(out, 0x0A0A0A0AU, 3); \ + bit_permute_step(out, 0x00CC00CCU, 6); \ + bit_permute_step(out, 0x0000F0F0U, 12); \ + bit_permute_step(out, 0x0000FF00U, 8); \ + } while (0) +#define gift64b_rearrange2_transpose_high(out, in) \ + do { \ + out = (in) >> 16; \ + /* 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 * */ \ + bit_permute_step(out, 0x0A0A0A0AU, 3); \ + bit_permute_step(out, 0x00CC00CCU, 6); \ + bit_permute_step(out, 0x0000F0F0U, 12); \ + bit_permute_step(out, 0x0000FF00U, 8); \ + } while (0) +#define gift64b_rearrange2_low(out, in) \ + do { \ + out = (in) & 0x0000FFFFU; \ + /* 0 1 2 3 8 9 10 11 16 17 18 19 24 25 26 27 * */ \ + out = (out & 0x0000000FU) | ((out & 0x000000F0U) << 4) | \ + ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ + } while (0) +#define gift64b_rearrange2_high(out, in) \ + do { \ + out = (in) >> 16; \ + /* 0 1 2 3 8 9 10 11 16 17 18 19 24 25 26 27 * */ \ + out = (out & 0x0000000FU) | ((out & 0x000000F0U) << 4) | \ + ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ + } while (0) + +void gift64b_update_round_keys(gift64b_key_schedule_t *ks) +{ + uint32_t x; + + /* First round */ + gift64b_rearrange1_transpose_low(x, ks->k[3]); + ks->rk[0] = ~(x | (x << 4)); + gift64b_rearrange1_transpose_high(x, ks->k[3]); + ks->rk[1] = x | (x << 4); + + /* Second round */ + gift64b_rearrange1_low(x, ks->k[2]); + x = x | (x << 4); + gift64b_swap_move(x, x, 0x22222222U, 2); + ks->rk[2] = ~x; + gift64b_rearrange1_high(x, ks->k[2]); + x = x | (x << 4); + gift64b_swap_move(x, x, 0x22222222U, 2); + ks->rk[3] = x; + + /* Third round */ + gift64b_rearrange2_transpose_low(x, ks->k[1]); + gift64b_swap_move(x, x, 0x00000F00U, 16); + ks->rk[4] = ~(x | (x << 4)); + gift64b_rearrange2_transpose_high(x, ks->k[1]); + gift64b_swap_move(x, x, 0x00000F00U, 16); + ks->rk[5] = x | (x << 4); + + /* Fourth round */ + gift64b_rearrange2_low(x, ks->k[0]); + ks->rk[6] = ~(x | (x << 4)); + gift64b_rearrange2_high(x, ks->k[0]); + ks->rk[7] = x | (x << 4); +} + +/** + * \brief Perform the core of GIFT-64 encryption on two blocks in parallel. + * + * \param ks Points to the key schedule to use to encrypt the blocks. + * \param state Buffer containing the two blocks in bit-sliced form, + * on input and output. + * \param Tweak value or zero if there is no tweak. + */ +static void gift64b_encrypt_core + (const gift64b_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) +{ + const uint32_t *rc = GIFT64_RC; + uint32_t s0, s1, s2, s3, temp; + uint32_t rk[8]; + uint8_t round; + + /* Start with the pre-computed round keys for the first four rounds */ + memcpy(rk, ks->rk, sizeof(ks->rk)); + + /* Load the state into local variables */ + s0 = state[0]; + s1 = state[1]; + s2 = state[2]; + s3 = state[3]; + + /* Perform all 28 rounds four at a time. We use the "fixslicing" method. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of four rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 4 rounds. + */ + for (round = 0; round < 28; round += 4, rc += 4) { + /* 1st round - S-box, rotate left, add round key */ + gift64b_sbox(s0, s1, s2, s3); + s1 = gift64b_rotate_left_1(s1); + s2 = gift64b_rotate_left_2(s2); + s0 = gift64b_rotate_left_3(s0); + s3 ^= rk[0]; + s1 ^= rk[1]; + s0 ^= rc[0]; + + /* 2nd round - S-box, rotate up, add round key (s0 and s3 swapped) */ + gift64b_sbox(s3, s1, s2, s0); + s1 = gift64b_rotate_up_1(s1); + s2 = gift64b_rotate_up_2(s2); + s3 = gift64b_rotate_up_3(s3); + s0 ^= rk[2]; + s1 ^= rk[3]; + s3 ^= rc[1]; + + /* 3rd round - S-box, rotate right, add round key */ + gift64b_sbox(s0, s1, s2, s3); + s1 = gift64b_rotate_right_1(s1); + s2 = gift64b_rotate_right_2(s2); + s0 = gift64b_rotate_right_3(s0); + s3 ^= rk[4]; + s1 ^= rk[5]; + s0 ^= rc[2]; + + /* 4th round - S-box, rotate down, add round key (s0 and s3 swapped) */ + gift64b_sbox(s3, s1, s2, s0); + s1 = gift64b_rotate_down_1(s1); + s2 = gift64b_rotate_down_2(s2); + s3 = gift64b_rotate_down_3(s3); + s0 ^= rk[6]; + s1 ^= rk[7]; + s3 ^= rc[3]; + + /* Add the tweak every four encryption rounds except the last */ + if (round < 24) + s2 ^= tweak; + + /* Derive the round keys for the next 4 rounds */ + rk[0] = gift64b_rotate_left_1(rk[0]); + rk[1] = (gift64b_rotate_left_3(rk[1]) << 16) | (rk[1] >> 16); + rk[2] = rightRotate8(rk[2]); + temp = gift64b_rotate_left_2(rk[3]); + rk[3] = (temp & 0x99999999U) | leftRotate8(temp & 0x66666666U); + rk[4] = gift64b_rotate_left_3(rk[4]); + temp = rightRotate16(rk[5]); + rk[5] = (gift64b_rotate_left_1(temp) & 0x00FFFF00U) | + (temp & 0xFF0000FFU); + rk[6] = leftRotate8(rk[6]); + temp = gift64b_rotate_left_2(rk[7]); + rk[7] = (temp & 0x33333333U) | rightRotate8(temp & 0xCCCCCCCCU); + } + + /* Copy the local variables to the output state */ + state[0] = s0; + state[1] = s1; + state[2] = s2; + state[3] = s3; +} + +/** + * \brief Perform the core of GIFT-64 decryption on two blocks in parallel. + * + * \param ks Points to the key schedule to use to encrypt the blocks. + * \param state Buffer containing the two blocks in bit-sliced form, + * on input and output. + * \param Tweak value or zero if there is no tweak. + */ +static void gift64b_decrypt_core + (const gift64b_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) +{ + const uint32_t *rc = GIFT64_RC + 28 - 4; + uint32_t s0, s1, s2, s3, temp; + uint32_t rk[8]; + uint8_t round; + + /* Start with the pre-computed round keys for the first four rounds */ + memcpy(rk, ks->rk, sizeof(ks->rk)); + + /* Fast forward the key schedule to the end by permuting each round + * key by the amount it would see under the full set of rounds. + * Generated with "http://programming.sirrida.de/calcperm.php" */ + /* P0: 1 2 3 0 5 6 7 4 9 10 11 8 13 14 15 12 17 18 + * 19 16 21 22 23 20 25 26 27 24 29 30 31 28 */ + rk[0] = ((rk[0] & 0x77777777U) << 1) | ((rk[0] & 0x88888888U) >> 3); + /* P1: 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 + * 31 3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14 */ + rk[1] = ((rk[1] & 0xEEEE0000U) >> 17) | ((rk[1] & 0x0000FFFFU) << 16) | + ((rk[1] & 0x11110000U) >> 13); + /* P2: 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 + * 24 25 26 27 28 29 30 31 0 1 2 3 4 5 6 7 */ + rk[2] = leftRotate8(rk[2]); + /* P3: 2 27 24 1 6 31 28 5 10 3 0 9 14 7 4 13 18 11 + * 8 17 22 15 12 21 26 19 16 25 30 23 20 29 */ + rk[3] = ((rk[3] & 0x11111111U) << 2) | leftRotate22(rk[3] & 0x44444444U) | + leftRotate26(rk[3] & 0x22222222U) | ((rk[3] & 0x88888888U) >> 2); + /* P4: 3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14 19 16 + * 17 18 23 20 21 22 27 24 25 26 31 28 29 30 */ + rk[4] = ((rk[4] & 0x11111111U) << 3) | ((rk[4] & 0xEEEEEEEEU) >> 1); + /* P5: 16 17 18 19 20 21 22 23 25 26 27 24 29 30 31 + * 28 1 2 3 0 5 6 7 4 8 9 10 11 12 13 14 15 */ + rk[5] = leftRotate13(rk[5] & 0x00888800U) | + leftRotate16(rk[5] & 0xFF0000FFU) | + leftRotate17(rk[5] & 0x00777700U); + /* P6: 24 25 26 27 28 29 30 31 0 1 2 3 4 5 6 7 8 9 10 + * 11 12 13 14 15 16 17 18 19 20 21 22 23 */ + rk[6] = leftRotate24(rk[6]); + /* P7: 2 3 8 9 6 7 12 13 10 11 16 17 14 15 20 21 18 19 + * 24 25 22 23 28 29 26 27 0 1 30 31 4 5 */ + rk[7] = ((rk[7] & 0x33333333U) << 2) | leftRotate6(rk[7] & 0xCCCCCCCCU); + + /* Load the state into local variables */ + s0 = state[0]; + s1 = state[1]; + s2 = state[2]; + s3 = state[3]; + + /* Perform all 28 rounds four at a time. We use the "fixslicing" method. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of four rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 4 rounds. + */ + for (round = 0; round < 28; round += 4, rc -= 4) { + /* Derive the round keys for the previous 4 rounds */ + rk[0] = gift64b_rotate_right_1(rk[0]); + temp = rk[1] >> 16; + rk[1] = gift64b_rotate_right_3(temp) | (rk[1] << 16); + rk[2] = leftRotate8(rk[2]); + temp = (rk[3] & 0x99999999U) | rightRotate8(rk[3] & 0x66666666U); + rk[3] = gift64b_rotate_right_2(temp); + rk[4] = gift64b_rotate_right_3(rk[4]); + temp = (gift64b_rotate_right_1(rk[5]) & 0x00FFFF00U) | + (rk[5] & 0xFF0000FFU); + rk[5] = leftRotate16(temp); + rk[6] = rightRotate8(rk[6]); + temp = (rk[7] & 0x33333333U) | leftRotate8(rk[7] & 0xCCCCCCCCU); + rk[7] = gift64b_rotate_right_2(temp); + + /* Add the tweak every four decryption rounds except the first */ + if (round != 0) + s2 ^= tweak; + + /* 4th round - S-box, rotate down, add round key (s0 and s3 swapped) */ + s0 ^= rk[6]; + s1 ^= rk[7]; + s3 ^= rc[3]; + s1 = gift64b_rotate_up_1(s1); + s2 = gift64b_rotate_up_2(s2); + s3 = gift64b_rotate_up_3(s3); + gift64b_inv_sbox(s0, s1, s2, s3); + + /* 3rd round - S-box, rotate right, add round key */ + s3 ^= rk[4]; + s1 ^= rk[5]; + s0 ^= rc[2]; + s1 = gift64b_rotate_left_1(s1); + s2 = gift64b_rotate_left_2(s2); + s0 = gift64b_rotate_left_3(s0); + gift64b_inv_sbox(s3, s1, s2, s0); + + /* 2nd round - S-box, rotate up, add round key (s0 and s3 swapped) */ + s0 ^= rk[2]; + s1 ^= rk[3]; + s3 ^= rc[1]; + s1 = gift64b_rotate_down_1(s1); + s2 = gift64b_rotate_down_2(s2); + s3 = gift64b_rotate_down_3(s3); + gift64b_inv_sbox(s0, s1, s2, s3); + + /* 1st round - S-box, rotate left, add round key */ + s3 ^= rk[0]; + s1 ^= rk[1]; + s0 ^= rc[0]; + s1 = gift64b_rotate_right_1(s1); + s2 = gift64b_rotate_right_2(s2); + s0 = gift64b_rotate_right_3(s0); + gift64b_inv_sbox(s3, s1, s2, s0); + } + + /* Copy the local variables to the output state */ + state[0] = s0; + state[1] = s1; + state[2] = s2; + state[3] = s3; +} + +int gift64n_init + (gift64n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + /* Use the little-endian byte order from the LOTUS-AEAD submission */ + if (!ks || !key || key_len != 16) + return 0; + ks->k[0] = le_load_word32(key + 12); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key); + gift64b_update_round_keys(ks); + return 1; +} + +/** + * \brief Converts the GIFT-64 nibble-based representation into word-based + * (littlen-endian version). + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The output words will be in fixsliced form. Technically the output will + * contain two blocks for gift64b_encrypt_core() to process in parallel but + * both blocks will have the same value. + */ +static void gift64n_to_words(uint32_t output[4], const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input block into 32-bit words */ + s0 = le_load_word32(input); + s2 = le_load_word32(input + 4); + + /* Rearrange the bits in the block */ + gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); + gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); + gift64b_swap_move(s0, s0, 0x0000FF00U, 8); + gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); + gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); + gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + + /* Split into two identical blocks in fixsliced form */ + s1 = s0; + s3 = s2; + gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); + gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); + gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +/** + * \brief Converts the GIFT-64 word-based representation into nibble-based + * (little-endian version). + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + * + * The input words are in fixsliced form. Technically there are two + * identical blocks in the input. We drop one when we write to the output. + */ +static void gift64n_to_nibbles(unsigned char *output, const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Load the state and split the two blocks into separate words */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); + gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); + gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); + gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + + /* Rearrange the bits in the first block back into nibble form */ + gift64b_swap_move(s0, s0, 0x0000FF00U, 8); + gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); + gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); + gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); + gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); + le_store_word32(output, s0); + le_store_word32(output + 4, s2); +} + +void gift64n_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_encrypt_core(ks, state, 0); + gift64n_to_nibbles(output, state); +} + +void gift64n_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_decrypt_core(ks, state, 0); + gift64n_to_nibbles(output, state); +} + +/** + * \brief Converts the GIFT-64 nibble-based representation into word-based + * (big-endian version). + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The output words will be in fixsliced form. Technically the output will + * contain two blocks for gift64b_encrypt_core() to process in parallel but + * both blocks will have the same value. + */ +static void gift64nb_to_words(uint32_t output[4], const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input block into 32-bit words */ + s0 = be_load_word32(input + 4); + s2 = be_load_word32(input); + + /* Rearrange the bits in the block */ + gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); + gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); + gift64b_swap_move(s0, s0, 0x0000FF00U, 8); + gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); + gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); + gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + + /* Split into two identical blocks in fixsliced form */ + s1 = s0; + s3 = s2; + gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); + gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); + gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +/** + * \brief Converts the GIFT-64 word-based representation into nibble-based + * (big-endian version). + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + * + * The input words are in fixsliced form. Technically there are two + * identical blocks in the input. We drop one when we write to the output. + */ +static void gift64nb_to_nibbles(unsigned char *output, const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Load the state and split the two blocks into separate words */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); + gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); + gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); + gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + + /* Rearrange the bits in the first block back into nibble form */ + gift64b_swap_move(s0, s0, 0x0000FF00U, 8); + gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); + gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); + gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); + gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); + be_store_word32(output, s2); + be_store_word32(output + 4, s0); +} + +void gift64nb_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t state[4]; + gift64nb_to_words(state, input); + gift64b_encrypt_core(ks, state, 0); + gift64nb_to_nibbles(output, state); +} + +void gift64nb_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t state[4]; + gift64nb_to_words(state, input); + gift64b_decrypt_core(ks, state, 0); + gift64nb_to_nibbles(output, state); +} + +/* 4-bit tweak values expanded to 32-bit in fixsliced form */ +static uint32_t const GIFT64_tweaks[16] = { + 0x00000000, 0xee11ee11, 0xdd22dd22, 0x33333333, 0xbb44bb44, 0x55555555, + 0x66666666, 0x88778877, 0x77887788, 0x99999999, 0xaaaaaaaa, 0x44bb44bb, + 0xcccccccc, 0x22dd22dd, 0x11ee11ee, 0xffffffff +}; + +void gift64t_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_encrypt_core(ks, state, GIFT64_tweaks[tweak]); + gift64n_to_nibbles(output, state); +} + +void gift64t_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_decrypt_core(ks, state, GIFT64_tweaks[tweak]); + gift64n_to_nibbles(output, state); +} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.h new file mode 100644 index 0000000..40479c7 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.h @@ -0,0 +1,194 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT64_H +#define LW_INTERNAL_GIFT64_H + +/** + * \file internal-gift64.h + * \brief GIFT-64 block cipher. + * + * References: https://eprint.iacr.org/2017/622.pdf, + * https://giftcipher.github.io/gift/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a GIFT-64 block in bytes. + */ +#define GIFT64_BLOCK_SIZE 8 + +/** + * \brief Structure of the key schedule for GIFT-64 (bit-sliced). + */ +typedef struct +{ + uint32_t k[4]; /**< Words of the key schedule */ + uint32_t rk[8]; /**< Pre-computed round keys for fixsliced form */ + +} gift64b_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-64 (bit-sliced). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift64b_init + (gift64b_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Updates the round keys after a change in the base key. + * + * \param ks Points to the key schedule to update. + */ +void gift64b_update_round_keys(gift64b_key_schedule_t *ks); + +/** + * \brief Structure of the key schedule for GIFT-64 (nibble-based). + */ +typedef gift64b_key_schedule_t gift64n_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-64 (nibble-based). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift64n_init + (gift64n_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift64n_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 64-bit block with GIFT-64 (nibble-based). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift64n_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based big-endian). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift64nb_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 64-bit block with GIFT-64 (nibble-based big-endian). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift64nb_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 64-bit block with TweGIFT-64 (tweakable variant). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-64 is used by the LOTUS/LOCUS submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift64n_encrypt(). + */ +void gift64t_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +/** + * \brief Decrypts a 64-bit block with TweGIFT-64 (tweakable variant). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-64 is used by the LOTUS/LOCUS submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift64n_decrypt(). + */ +void gift64t_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-util.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.c new file mode 100644 index 0000000..e60b084 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.c @@ -0,0 +1,436 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "lotus-locus.h" +#include "internal-gift64.h" +#include "internal-util.h" +#include + +aead_cipher_t const lotus_aead_cipher = { + "LOTUS-AEAD", + LOTUS_AEAD_KEY_SIZE, + LOTUS_AEAD_NONCE_SIZE, + LOTUS_AEAD_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + lotus_aead_encrypt, + lotus_aead_decrypt +}; + +aead_cipher_t const locus_aead_cipher = { + "LOCUS-AEAD", + LOCUS_AEAD_KEY_SIZE, + LOCUS_AEAD_NONCE_SIZE, + LOCUS_AEAD_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + locus_aead_encrypt, + locus_aead_decrypt +}; + +/** + * \brief Multiplies a key by 2 in the GF(128) field. + * + * \param ks The key schedule structure containing the key in host byte order. + */ +STATIC_INLINE void lotus_or_locus_mul_2(gift64n_key_schedule_t *ks) +{ + uint32_t mask = (uint32_t)(((int32_t)(ks->k[0])) >> 31); + ks->k[0] = (ks->k[0] << 1) | (ks->k[1] >> 31); + ks->k[1] = (ks->k[1] << 1) | (ks->k[2] >> 31); + ks->k[2] = (ks->k[2] << 1) | (ks->k[3] >> 31); + ks->k[3] = (ks->k[3] << 1) ^ (mask & 0x87); + gift64b_update_round_keys(ks); +} + +/** + * \brief Initializes a LOTUS-AEAD or LOCUS-AEAD cipher instance. + * + * \param ks Key schedule to initialize. + * \param deltaN Delta-N value for the cipher state. + * \param key Points to the 16-byte key for the cipher instance. + * \param nonce Points to the 16-byte key for the cipher instance. + * \param T Points to a temporary buffer of LOTUS_AEAD_KEY_SIZE bytes + * that will be destroyed during this function. + */ +static void lotus_or_locus_init + (gift64n_key_schedule_t *ks, + unsigned char deltaN[GIFT64_BLOCK_SIZE], + const unsigned char *key, + const unsigned char *nonce, + unsigned char *T) +{ + gift64n_init(ks, key, LOTUS_AEAD_KEY_SIZE); + memset(deltaN, 0, GIFT64_BLOCK_SIZE); + gift64t_encrypt(ks, deltaN, deltaN, 0); + lw_xor_block_2_src(T, key, nonce, LOTUS_AEAD_KEY_SIZE); + gift64n_init(ks, T, LOTUS_AEAD_KEY_SIZE); + gift64t_encrypt(ks, deltaN, deltaN, 1); +} + +/** + * \brief Processes associated data for LOTUS-AEAD or LOCUS-AEAD. + * + * \param ks Points to the key schedule. + * \param deltaN Points to the Delta-N value from the state. + * \param V Points to the V value from the state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void lotus_or_locus_process_ad + (gift64n_key_schedule_t *ks, + const unsigned char deltaN[GIFT64_BLOCK_SIZE], + unsigned char V[GIFT64_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char X[GIFT64_BLOCK_SIZE]; + unsigned char temp; + while (adlen > GIFT64_BLOCK_SIZE) { + lotus_or_locus_mul_2(ks); + lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(ks, X, X, 2); + lw_xor_block(V, X, GIFT64_BLOCK_SIZE); + ad += GIFT64_BLOCK_SIZE; + adlen -= GIFT64_BLOCK_SIZE; + } + lotus_or_locus_mul_2(ks); + temp = (unsigned)adlen; + if (temp < GIFT64_BLOCK_SIZE) { + memcpy(X, deltaN, GIFT64_BLOCK_SIZE); + lw_xor_block(X, ad, temp); + X[temp] ^= 0x01; + gift64t_encrypt(ks, X, X, 3); + } else { + lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(ks, X, X, 2); + } + lw_xor_block(V, X, GIFT64_BLOCK_SIZE); +} + +/** + * \brief Generates the authentication tag for LOTUS-AEAD or LOCUS-AEAD. + * + * \param ks Points to the key schedule. + * \param tag Points to the buffer to receive the authentication tag. + * \param deltaN Points to the Delta-N value from the state. + * \param W Points to the W value from the state. + * \param V Points to the V value from the state. + */ +static void lotus_or_locus_gen_tag + (gift64n_key_schedule_t *ks, unsigned char *tag, + unsigned char deltaN[GIFT64_BLOCK_SIZE], + unsigned char W[GIFT64_BLOCK_SIZE], + unsigned char V[GIFT64_BLOCK_SIZE]) +{ + lotus_or_locus_mul_2(ks); + lw_xor_block(W, deltaN, GIFT64_BLOCK_SIZE); + lw_xor_block(W, V, GIFT64_BLOCK_SIZE); + gift64t_encrypt(ks, W, W, 6); + lw_xor_block_2_src(tag, W, deltaN, GIFT64_BLOCK_SIZE); +} + +int lotus_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + gift64n_key_schedule_t ks; + unsigned char WV[GIFT64_BLOCK_SIZE * 2]; + unsigned char deltaN[GIFT64_BLOCK_SIZE]; + unsigned char X1[GIFT64_BLOCK_SIZE]; + unsigned char X2[GIFT64_BLOCK_SIZE]; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + LOTUS_AEAD_TAG_SIZE; + + /* Initialize the state with the key and the nonce */ + lotus_or_locus_init(&ks, deltaN, k, npub, WV); + memset(WV, 0, sizeof(WV)); + + /* Process the associated data */ + if (adlen > 0) { + lotus_or_locus_process_ad + (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > (GIFT64_BLOCK_SIZE * 2)) { + lotus_or_locus_mul_2(&ks); + lw_xor_block_2_src(X1, m, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X1, 4); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 4); + lw_xor_block_2_src + (X2, m + GIFT64_BLOCK_SIZE, X2, GIFT64_BLOCK_SIZE); + lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 5); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 5); + lw_xor_block_2_src + (c + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE * 2; + m += GIFT64_BLOCK_SIZE * 2; + mlen -= GIFT64_BLOCK_SIZE * 2; + } + temp = (unsigned)mlen; + lotus_or_locus_mul_2(&ks); + memcpy(X1, deltaN, GIFT64_BLOCK_SIZE); + X1[0] ^= (unsigned char)temp; + gift64t_encrypt(&ks, X2, X1, 12); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 12); + if (temp <= GIFT64_BLOCK_SIZE) { + lw_xor_block(WV, m, temp); + lw_xor_block(X2, m, temp); + lw_xor_block_2_src(c, X2, deltaN, temp); + } else { + lw_xor_block(X2, m, GIFT64_BLOCK_SIZE); + lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE; + m += GIFT64_BLOCK_SIZE; + temp -= GIFT64_BLOCK_SIZE; + gift64t_encrypt(&ks, X2, X2, 13); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 13); + lw_xor_block(WV, m, temp); + lw_xor_block(X1, X2, temp); + lw_xor_block_2_src(c, X1, m, temp); + } + c += temp; + } + + /* Generate the authentication tag */ + lotus_or_locus_gen_tag(&ks, c, deltaN, WV, WV + GIFT64_BLOCK_SIZE); + return 0; +} + +int lotus_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + gift64n_key_schedule_t ks; + unsigned char WV[GIFT64_BLOCK_SIZE * 2]; + unsigned char deltaN[GIFT64_BLOCK_SIZE]; + unsigned char X1[GIFT64_BLOCK_SIZE]; + unsigned char X2[GIFT64_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned temp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < LOTUS_AEAD_TAG_SIZE) + return -1; + *mlen = clen - LOTUS_AEAD_TAG_SIZE; + + /* Initialize the state with the key and the nonce */ + lotus_or_locus_init(&ks, deltaN, k, npub, WV); + memset(WV, 0, sizeof(WV)); + + /* Process the associated data */ + if (adlen > 0) { + lotus_or_locus_process_ad + (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); + } + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= LOTUS_AEAD_TAG_SIZE; + if (clen > 0) { + while (clen > (GIFT64_BLOCK_SIZE * 2)) { + lotus_or_locus_mul_2(&ks); + lw_xor_block_2_src(X1, c, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X1, 5); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 5); + lw_xor_block(X2, c + GIFT64_BLOCK_SIZE, GIFT64_BLOCK_SIZE); + lw_xor_block_2_src(m, X2, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 4); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 4); + lw_xor_block_2_src + (m + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE * 2; + m += GIFT64_BLOCK_SIZE * 2; + clen -= GIFT64_BLOCK_SIZE * 2; + } + temp = (unsigned)clen; + lotus_or_locus_mul_2(&ks); + memcpy(X1, deltaN, GIFT64_BLOCK_SIZE); + X1[0] ^= (unsigned char)temp; + gift64t_encrypt(&ks, X2, X1, 12); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 12); + if (temp <= GIFT64_BLOCK_SIZE) { + lw_xor_block_2_src(m, X2, c, temp); + lw_xor_block(m, deltaN, temp); + lw_xor_block(X2, m, temp); + lw_xor_block(WV, m, temp); + } else { + lw_xor_block_2_src(m, X2, c, GIFT64_BLOCK_SIZE); + lw_xor_block(m, deltaN, GIFT64_BLOCK_SIZE); + lw_xor_block(X2, m, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE; + m += GIFT64_BLOCK_SIZE; + temp -= GIFT64_BLOCK_SIZE; + gift64t_encrypt(&ks, X2, X2, 13); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 13); + lw_xor_block(X1, X2, temp); + lw_xor_block_2_src(m, X1, c, temp); + lw_xor_block(WV, m, temp); + } + c += temp; + } + + /* Check the authentication tag */ + lotus_or_locus_gen_tag(&ks, WV, deltaN, WV, WV + GIFT64_BLOCK_SIZE); + return aead_check_tag(mtemp, *mlen, WV, c, LOTUS_AEAD_TAG_SIZE); +} + +int locus_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + gift64n_key_schedule_t ks; + unsigned char WV[GIFT64_BLOCK_SIZE * 2]; + unsigned char deltaN[GIFT64_BLOCK_SIZE]; + unsigned char X[GIFT64_BLOCK_SIZE]; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + LOCUS_AEAD_TAG_SIZE; + + /* Initialize the state with the key and the nonce */ + lotus_or_locus_init(&ks, deltaN, k, npub, WV); + memset(WV, 0, sizeof(WV)); + + /* Process the associated data */ + if (adlen > 0) { + lotus_or_locus_process_ad + (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > GIFT64_BLOCK_SIZE) { + lotus_or_locus_mul_2(&ks); + lw_xor_block_2_src(X, m, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X, X, 4); + lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X, X, 4); + lw_xor_block_2_src(c, X, deltaN, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE; + m += GIFT64_BLOCK_SIZE; + mlen -= GIFT64_BLOCK_SIZE; + } + temp = (unsigned)mlen; + lotus_or_locus_mul_2(&ks); + memcpy(X, deltaN, GIFT64_BLOCK_SIZE); + X[0] ^= (unsigned char)temp; + gift64t_encrypt(&ks, X, X, 5); + lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); + lw_xor_block(WV, m, temp); + gift64t_encrypt(&ks, X, X, 5); + lw_xor_block(X, deltaN, temp); + lw_xor_block_2_src(c, m, X, temp); + c += temp; + } + + /* Generate the authentication tag */ + lotus_or_locus_gen_tag(&ks, c, deltaN, WV, WV + GIFT64_BLOCK_SIZE); + return 0; +} + +int locus_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + gift64n_key_schedule_t ks; + unsigned char WV[GIFT64_BLOCK_SIZE * 2]; + unsigned char deltaN[GIFT64_BLOCK_SIZE]; + unsigned char X[GIFT64_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned temp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < LOCUS_AEAD_TAG_SIZE) + return -1; + *mlen = clen - LOCUS_AEAD_TAG_SIZE; + + /* Initialize the state with the key and the nonce */ + lotus_or_locus_init(&ks, deltaN, k, npub, WV); + memset(WV, 0, sizeof(WV)); + + /* Process the associated data */ + if (adlen > 0) { + lotus_or_locus_process_ad + (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); + } + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= LOCUS_AEAD_TAG_SIZE; + if (clen > 0) { + while (clen > GIFT64_BLOCK_SIZE) { + lotus_or_locus_mul_2(&ks); + lw_xor_block_2_src(X, c, deltaN, GIFT64_BLOCK_SIZE); + gift64t_decrypt(&ks, X, X, 4); + lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); + gift64t_decrypt(&ks, X, X, 4); + lw_xor_block_2_src(m, X, deltaN, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE; + m += GIFT64_BLOCK_SIZE; + clen -= GIFT64_BLOCK_SIZE; + } + temp = (unsigned)clen; + lotus_or_locus_mul_2(&ks); + memcpy(X, deltaN, GIFT64_BLOCK_SIZE); + X[0] ^= (unsigned char)temp; + gift64t_encrypt(&ks, X, X, 5); + lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X, X, 5); + lw_xor_block(X, deltaN, temp); + lw_xor_block_2_src(m, c, X, temp); + lw_xor_block(WV, m, temp); + c += temp; + } + + /* Check the authentication tag */ + lotus_or_locus_gen_tag(&ks, WV, deltaN, WV, WV + GIFT64_BLOCK_SIZE); + return aead_check_tag(mtemp, *mlen, WV, c, LOCUS_AEAD_TAG_SIZE); +} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.h new file mode 100644 index 0000000..85434a8 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.h @@ -0,0 +1,223 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_LOTUS_LOCUS_H +#define LWCRYPTO_LOTUS_LOCUS_H + +#include "aead-common.h" + +/** + * \file lotus-locus.h + * \brief LOTUS-AEAD and LOCUS-AEAD authenticated encryption algorithms. + * + * LOTUS-AEAD and LOCUS-AEAD are authenticated encryption algorithms + * that are based around a tweakable variant of the GIFT-64 block cipher + * called TweGIFT-64. Both AEAD algorithms have a 128-bit key, a 128-bit + * nonce, and a 64-bit tag. + * + * The two algorithms have the same key initialization, associated data + * processing, and tag generation mechanisms. They differ in how the + * input is encrypted with TweGIFT-64. + * + * LOTUS-AEAD uses a method similar to the block cipher mode OTR. + * TweGIFT-64 is essentially converted into a 128-bit block cipher + * using a Feistel construction and four TweGIFT-64 block operations + * every 16 bytes of input. + * + * LOCUS-AEAD uses a method similar to the block cipher mode OCB + * with two TweGIFT-64 block operations for every 8 bytes of input. + * LOCUS-AEAD requires both the block encrypt and block decrypt + * operations of TweGIFT-64, which increases the overall code size. + * LOTUS-AEAD only needs the block encrypt operation. + * + * LOTUS-AEAD is the primary member of the family. + * + * References: https://www.isical.ac.in/~lightweight/lotus/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for LOTUS-AEAD. + */ +#define LOTUS_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for LOTUS-AEAD. + */ +#define LOTUS_AEAD_TAG_SIZE 8 + +/** + * \brief Size of the nonce for LOTUS-AEAD. + */ +#define LOTUS_AEAD_NONCE_SIZE 16 + +/** + * \brief Size of the key for LOCUS-AEAD. + */ +#define LOCUS_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for LOCUS-AEAD. + */ +#define LOCUS_AEAD_TAG_SIZE 8 + +/** + * \brief Size of the nonce for LOCUS-AEAD. + */ +#define LOCUS_AEAD_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the LOTUS-AEAD cipher. + */ +extern aead_cipher_t const lotus_aead_cipher; + +/** + * \brief Meta-information block for the LOCUS-AEAD cipher. + */ +extern aead_cipher_t const locus_aead_cipher; + +/** + * \brief Encrypts and authenticates a packet with LOTUS-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa lotus_aead_decrypt() + */ +int lotus_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with LOTUS-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 9 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa lotus_aead_encrypt() + */ +int lotus_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with LOCUS-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa locus_aead_decrypt() + */ +int locus_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with LOCUS-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 9 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa locus_aead_encrypt() + */ +int locus_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/api.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/api.h new file mode 100644 index 0000000..4bf8f5c --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/encrypt.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/encrypt.c new file mode 100644 index 0000000..e089543 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "lotus-locus.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return lotus_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return lotus_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.c new file mode 100644 index 0000000..321d079 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.c @@ -0,0 +1,745 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gift64.h" +#include "internal-util.h" +#include + +/* Round constants for GIFT-64 in the fixsliced representation */ +static uint32_t const GIFT64_RC[28] = { + 0x22000011, 0x00002299, 0x11118811, 0x880000ff, 0x33111199, 0x990022ee, + 0x22119933, 0x880033bb, 0x22119999, 0x880022ff, 0x11119922, 0x880033cc, + 0x33008899, 0x99002299, 0x33118811, 0x880000ee, 0x33110099, 0x990022aa, + 0x22118833, 0x880022bb, 0x22111188, 0x88002266, 0x00009922, 0x88003300, + 0x22008811, 0x00002288, 0x00118811, 0x880000bb +}; + +int gift64b_init + (gift64b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + if (!ks || !key || key_len != 16) + return 0; + ks->k[0] = be_load_word32(key); + ks->k[1] = be_load_word32(key + 4); + ks->k[2] = be_load_word32(key + 8); + ks->k[3] = be_load_word32(key + 12); + gift64b_update_round_keys(ks); + return 1; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Swaps bits within two words. + * + * \param a The first word. + * \param b The second word. + * \param mask Mask for the bits to shift. + * \param shift Shift amount in bits. + */ +#define gift64b_swap_move(a, b, mask, shift) \ + do { \ + uint32_t t = ((b) ^ ((a) >> (shift))) & (mask); \ + (b) ^= t; \ + (a) ^= t << (shift); \ + } while (0) + +/** + * \brief Performs the GIFT-64 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift64b_sbox(s0, s1, s2, s3) \ + do { \ + s1 ^= s0 & s2; \ + s0 ^= s1 & s3; \ + s2 ^= s0 | s1; \ + s3 ^= s2; \ + s1 ^= s3; \ + s2 ^= s0 & s1; \ + } while (0) + +/** + * \brief Performs the inverse of the GIFT-64 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift64b_inv_sbox(s0, s1, s2, s3) \ + do { \ + s2 ^= s3 & s1; \ + s1 ^= s0; \ + s0 ^= s2; \ + s2 ^= s3 | s1; \ + s3 ^= s1 & s0; \ + s1 ^= s3 & s2; \ + } while (0) + +/* Rotates a state word left by 1 position in the fixsliced representation: + * + * 0 1 2 3 1 2 3 0 + * 4 5 6 7 ==> 5 6 7 4 + * 8 9 10 11 9 10 11 8 + * 12 13 14 15 13 14 14 12 + */ +#define gift64b_rotate_left_1(x) \ + ((((x) >> 1) & 0x77777777U) | (((x) & 0x11111111U) << 3)) + +/* Rotates a state word left by 2 positions in the fixsliced representation: + * + * 0 1 2 3 2 3 0 1 + * 4 5 6 7 ==> 6 7 4 5 + * 8 9 10 11 10 11 8 9 + * 12 13 14 15 14 15 12 13 + */ +#define gift64b_rotate_left_2(x) \ + ((((x) >> 2) & 0x33333333U) | (((x) & 0x33333333U) << 2)) + +/* Rotates a state word left by 3 positions in the fixsliced representation: + * + * 0 1 2 3 3 0 1 2 + * 4 5 6 7 ==> 7 4 5 6 + * 8 9 10 11 11 8 9 10 + * 12 13 14 15 15 12 13 14 + */ +#define gift64b_rotate_left_3(x) \ + ((((x) >> 3) & 0x11111111U) | (((x) & 0x77777777U) << 1)) + +/* Rotates a state word right by 1 position in the fixsliced representation */ +#define gift64b_rotate_right_1(x) gift64b_rotate_left_3(x) + +/* Rotates a state word right by 2 positions in the fixsliced representation */ +#define gift64b_rotate_right_2(x) gift64b_rotate_left_2(x) + +/* Rotates a state word right by 3 positions in the fixsliced representation */ +#define gift64b_rotate_right_3(x) gift64b_rotate_left_1(x) + +/* Rotates a state word up by 1 position in the fixsliced representation: + * + * 0 1 2 3 4 5 6 7 + * 4 5 6 7 ==> 8 9 10 11 + * 8 9 10 11 12 13 14 15 + * 12 13 14 15 0 1 2 3 + */ +#define gift64b_rotate_up_1(x) (rightRotate8((x))) + +/* Rotates a state word up by 2 positions in the fixsliced representation: + * + * 0 1 2 3 8 9 10 11 + * 4 5 6 7 ==> 12 13 14 15 + * 8 9 10 11 0 1 2 3 + * 12 13 14 15 4 5 6 7 + */ +#define gift64b_rotate_up_2(x) (rightRotate16((x))) + +/* Rotates a state word up by 3 positions in the fixsliced representation: + * + * 0 1 2 3 12 13 14 15 + * 4 5 6 7 ==> 0 1 2 3 + * 8 9 10 11 4 5 6 7 + * 12 13 14 15 8 9 10 11 + */ +#define gift64b_rotate_up_3(x) (rightRotate24((x))) + +/* Rotates a state word down by 1 position in the fixsliced representation */ +#define gift64b_rotate_down_1(x) gift64b_rotate_up_3(x) + +/* Rotates a state word down by 2 positions in the fixsliced representation */ +#define gift64b_rotate_down_2(x) gift64b_rotate_up_2(x) + +/* Rotates a state word down by 3 positions in the fixsliced representation */ +#define gift64b_rotate_down_3(x) gift64b_rotate_up_1(x) + +/* Permutation code to rearrange key bits into fixsliced form. Permutations + * generated wth "http://programming.sirrida.de/calcperm.php" */ +#define gift64b_rearrange1_transpose_low(out, in) \ + do { \ + out = (in) & 0x0000FFFFU; \ + /* 0 8 16 24 3 11 19 27 2 10 18 26 1 9 17 25 * */ \ + bit_permute_step(out, 0x0000CCCCU, 16); \ + bit_permute_step(out, 0x30030330U, 2); \ + bit_permute_step(out, 0x00960096U, 8); \ + bit_permute_step(out, 0x05500550U, 1); \ + bit_permute_step(out, 0x0A0A0A0AU, 4); \ + } while (0) +#define gift64b_rearrange1_transpose_high(out, in) \ + do { \ + out = (in) >> 16; \ + /* 0 8 16 24 3 11 19 27 2 10 18 26 1 9 17 25 * */ \ + bit_permute_step(out, 0x0000CCCCU, 16); \ + bit_permute_step(out, 0x30030330U, 2); \ + bit_permute_step(out, 0x00960096U, 8); \ + bit_permute_step(out, 0x05500550U, 1); \ + bit_permute_step(out, 0x0A0A0A0AU, 4); \ + } while (0) +#define gift64b_rearrange1_low(out, in) \ + do { \ + out = (in) & 0x0000FFFFU; \ + /* 0 1 2 3 24 25 26 27 16 17 18 19 8 9 10 11 * */ \ + out = (out & 0x0000000FU) | ((out & 0x00000F00U) << 8) | \ + ((out & 0x000000F0U) << 20) | ((out & 0x0000F000U) >> 4); \ + } while (0) +#define gift64b_rearrange1_high(out, in) \ + do { \ + out = (in) >> 16; \ + /* 0 1 2 3 24 25 26 27 16 17 18 19 8 9 10 11 * */ \ + out = (out & 0x0000000FU) | ((out & 0x00000F00U) << 8) | \ + ((out & 0x000000F0U) << 20) | ((out & 0x0000F000U) >> 4); \ + } while (0) +#define gift64b_rearrange2_transpose_low(out, in) \ + do { \ + out = (in) & 0x0000FFFFU; \ + /* 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 * */ \ + bit_permute_step(out, 0x0A0A0A0AU, 3); \ + bit_permute_step(out, 0x00CC00CCU, 6); \ + bit_permute_step(out, 0x0000F0F0U, 12); \ + bit_permute_step(out, 0x0000FF00U, 8); \ + } while (0) +#define gift64b_rearrange2_transpose_high(out, in) \ + do { \ + out = (in) >> 16; \ + /* 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 * */ \ + bit_permute_step(out, 0x0A0A0A0AU, 3); \ + bit_permute_step(out, 0x00CC00CCU, 6); \ + bit_permute_step(out, 0x0000F0F0U, 12); \ + bit_permute_step(out, 0x0000FF00U, 8); \ + } while (0) +#define gift64b_rearrange2_low(out, in) \ + do { \ + out = (in) & 0x0000FFFFU; \ + /* 0 1 2 3 8 9 10 11 16 17 18 19 24 25 26 27 * */ \ + out = (out & 0x0000000FU) | ((out & 0x000000F0U) << 4) | \ + ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ + } while (0) +#define gift64b_rearrange2_high(out, in) \ + do { \ + out = (in) >> 16; \ + /* 0 1 2 3 8 9 10 11 16 17 18 19 24 25 26 27 * */ \ + out = (out & 0x0000000FU) | ((out & 0x000000F0U) << 4) | \ + ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ + } while (0) + +void gift64b_update_round_keys(gift64b_key_schedule_t *ks) +{ + uint32_t x; + + /* First round */ + gift64b_rearrange1_transpose_low(x, ks->k[3]); + ks->rk[0] = ~(x | (x << 4)); + gift64b_rearrange1_transpose_high(x, ks->k[3]); + ks->rk[1] = x | (x << 4); + + /* Second round */ + gift64b_rearrange1_low(x, ks->k[2]); + x = x | (x << 4); + gift64b_swap_move(x, x, 0x22222222U, 2); + ks->rk[2] = ~x; + gift64b_rearrange1_high(x, ks->k[2]); + x = x | (x << 4); + gift64b_swap_move(x, x, 0x22222222U, 2); + ks->rk[3] = x; + + /* Third round */ + gift64b_rearrange2_transpose_low(x, ks->k[1]); + gift64b_swap_move(x, x, 0x00000F00U, 16); + ks->rk[4] = ~(x | (x << 4)); + gift64b_rearrange2_transpose_high(x, ks->k[1]); + gift64b_swap_move(x, x, 0x00000F00U, 16); + ks->rk[5] = x | (x << 4); + + /* Fourth round */ + gift64b_rearrange2_low(x, ks->k[0]); + ks->rk[6] = ~(x | (x << 4)); + gift64b_rearrange2_high(x, ks->k[0]); + ks->rk[7] = x | (x << 4); +} + +/** + * \brief Perform the core of GIFT-64 encryption on two blocks in parallel. + * + * \param ks Points to the key schedule to use to encrypt the blocks. + * \param state Buffer containing the two blocks in bit-sliced form, + * on input and output. + * \param Tweak value or zero if there is no tweak. + */ +static void gift64b_encrypt_core + (const gift64b_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) +{ + const uint32_t *rc = GIFT64_RC; + uint32_t s0, s1, s2, s3, temp; + uint32_t rk[8]; + uint8_t round; + + /* Start with the pre-computed round keys for the first four rounds */ + memcpy(rk, ks->rk, sizeof(ks->rk)); + + /* Load the state into local variables */ + s0 = state[0]; + s1 = state[1]; + s2 = state[2]; + s3 = state[3]; + + /* Perform all 28 rounds four at a time. We use the "fixslicing" method. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of four rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 4 rounds. + */ + for (round = 0; round < 28; round += 4, rc += 4) { + /* 1st round - S-box, rotate left, add round key */ + gift64b_sbox(s0, s1, s2, s3); + s1 = gift64b_rotate_left_1(s1); + s2 = gift64b_rotate_left_2(s2); + s0 = gift64b_rotate_left_3(s0); + s3 ^= rk[0]; + s1 ^= rk[1]; + s0 ^= rc[0]; + + /* 2nd round - S-box, rotate up, add round key (s0 and s3 swapped) */ + gift64b_sbox(s3, s1, s2, s0); + s1 = gift64b_rotate_up_1(s1); + s2 = gift64b_rotate_up_2(s2); + s3 = gift64b_rotate_up_3(s3); + s0 ^= rk[2]; + s1 ^= rk[3]; + s3 ^= rc[1]; + + /* 3rd round - S-box, rotate right, add round key */ + gift64b_sbox(s0, s1, s2, s3); + s1 = gift64b_rotate_right_1(s1); + s2 = gift64b_rotate_right_2(s2); + s0 = gift64b_rotate_right_3(s0); + s3 ^= rk[4]; + s1 ^= rk[5]; + s0 ^= rc[2]; + + /* 4th round - S-box, rotate down, add round key (s0 and s3 swapped) */ + gift64b_sbox(s3, s1, s2, s0); + s1 = gift64b_rotate_down_1(s1); + s2 = gift64b_rotate_down_2(s2); + s3 = gift64b_rotate_down_3(s3); + s0 ^= rk[6]; + s1 ^= rk[7]; + s3 ^= rc[3]; + + /* Add the tweak every four encryption rounds except the last */ + if (round < 24) + s2 ^= tweak; + + /* Derive the round keys for the next 4 rounds */ + rk[0] = gift64b_rotate_left_1(rk[0]); + rk[1] = (gift64b_rotate_left_3(rk[1]) << 16) | (rk[1] >> 16); + rk[2] = rightRotate8(rk[2]); + temp = gift64b_rotate_left_2(rk[3]); + rk[3] = (temp & 0x99999999U) | leftRotate8(temp & 0x66666666U); + rk[4] = gift64b_rotate_left_3(rk[4]); + temp = rightRotate16(rk[5]); + rk[5] = (gift64b_rotate_left_1(temp) & 0x00FFFF00U) | + (temp & 0xFF0000FFU); + rk[6] = leftRotate8(rk[6]); + temp = gift64b_rotate_left_2(rk[7]); + rk[7] = (temp & 0x33333333U) | rightRotate8(temp & 0xCCCCCCCCU); + } + + /* Copy the local variables to the output state */ + state[0] = s0; + state[1] = s1; + state[2] = s2; + state[3] = s3; +} + +/** + * \brief Perform the core of GIFT-64 decryption on two blocks in parallel. + * + * \param ks Points to the key schedule to use to encrypt the blocks. + * \param state Buffer containing the two blocks in bit-sliced form, + * on input and output. + * \param Tweak value or zero if there is no tweak. + */ +static void gift64b_decrypt_core + (const gift64b_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) +{ + const uint32_t *rc = GIFT64_RC + 28 - 4; + uint32_t s0, s1, s2, s3, temp; + uint32_t rk[8]; + uint8_t round; + + /* Start with the pre-computed round keys for the first four rounds */ + memcpy(rk, ks->rk, sizeof(ks->rk)); + + /* Fast forward the key schedule to the end by permuting each round + * key by the amount it would see under the full set of rounds. + * Generated with "http://programming.sirrida.de/calcperm.php" */ + /* P0: 1 2 3 0 5 6 7 4 9 10 11 8 13 14 15 12 17 18 + * 19 16 21 22 23 20 25 26 27 24 29 30 31 28 */ + rk[0] = ((rk[0] & 0x77777777U) << 1) | ((rk[0] & 0x88888888U) >> 3); + /* P1: 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 + * 31 3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14 */ + rk[1] = ((rk[1] & 0xEEEE0000U) >> 17) | ((rk[1] & 0x0000FFFFU) << 16) | + ((rk[1] & 0x11110000U) >> 13); + /* P2: 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 + * 24 25 26 27 28 29 30 31 0 1 2 3 4 5 6 7 */ + rk[2] = leftRotate8(rk[2]); + /* P3: 2 27 24 1 6 31 28 5 10 3 0 9 14 7 4 13 18 11 + * 8 17 22 15 12 21 26 19 16 25 30 23 20 29 */ + rk[3] = ((rk[3] & 0x11111111U) << 2) | leftRotate22(rk[3] & 0x44444444U) | + leftRotate26(rk[3] & 0x22222222U) | ((rk[3] & 0x88888888U) >> 2); + /* P4: 3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14 19 16 + * 17 18 23 20 21 22 27 24 25 26 31 28 29 30 */ + rk[4] = ((rk[4] & 0x11111111U) << 3) | ((rk[4] & 0xEEEEEEEEU) >> 1); + /* P5: 16 17 18 19 20 21 22 23 25 26 27 24 29 30 31 + * 28 1 2 3 0 5 6 7 4 8 9 10 11 12 13 14 15 */ + rk[5] = leftRotate13(rk[5] & 0x00888800U) | + leftRotate16(rk[5] & 0xFF0000FFU) | + leftRotate17(rk[5] & 0x00777700U); + /* P6: 24 25 26 27 28 29 30 31 0 1 2 3 4 5 6 7 8 9 10 + * 11 12 13 14 15 16 17 18 19 20 21 22 23 */ + rk[6] = leftRotate24(rk[6]); + /* P7: 2 3 8 9 6 7 12 13 10 11 16 17 14 15 20 21 18 19 + * 24 25 22 23 28 29 26 27 0 1 30 31 4 5 */ + rk[7] = ((rk[7] & 0x33333333U) << 2) | leftRotate6(rk[7] & 0xCCCCCCCCU); + + /* Load the state into local variables */ + s0 = state[0]; + s1 = state[1]; + s2 = state[2]; + s3 = state[3]; + + /* Perform all 28 rounds four at a time. We use the "fixslicing" method. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of four rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 4 rounds. + */ + for (round = 0; round < 28; round += 4, rc -= 4) { + /* Derive the round keys for the previous 4 rounds */ + rk[0] = gift64b_rotate_right_1(rk[0]); + temp = rk[1] >> 16; + rk[1] = gift64b_rotate_right_3(temp) | (rk[1] << 16); + rk[2] = leftRotate8(rk[2]); + temp = (rk[3] & 0x99999999U) | rightRotate8(rk[3] & 0x66666666U); + rk[3] = gift64b_rotate_right_2(temp); + rk[4] = gift64b_rotate_right_3(rk[4]); + temp = (gift64b_rotate_right_1(rk[5]) & 0x00FFFF00U) | + (rk[5] & 0xFF0000FFU); + rk[5] = leftRotate16(temp); + rk[6] = rightRotate8(rk[6]); + temp = (rk[7] & 0x33333333U) | leftRotate8(rk[7] & 0xCCCCCCCCU); + rk[7] = gift64b_rotate_right_2(temp); + + /* Add the tweak every four decryption rounds except the first */ + if (round != 0) + s2 ^= tweak; + + /* 4th round - S-box, rotate down, add round key (s0 and s3 swapped) */ + s0 ^= rk[6]; + s1 ^= rk[7]; + s3 ^= rc[3]; + s1 = gift64b_rotate_up_1(s1); + s2 = gift64b_rotate_up_2(s2); + s3 = gift64b_rotate_up_3(s3); + gift64b_inv_sbox(s0, s1, s2, s3); + + /* 3rd round - S-box, rotate right, add round key */ + s3 ^= rk[4]; + s1 ^= rk[5]; + s0 ^= rc[2]; + s1 = gift64b_rotate_left_1(s1); + s2 = gift64b_rotate_left_2(s2); + s0 = gift64b_rotate_left_3(s0); + gift64b_inv_sbox(s3, s1, s2, s0); + + /* 2nd round - S-box, rotate up, add round key (s0 and s3 swapped) */ + s0 ^= rk[2]; + s1 ^= rk[3]; + s3 ^= rc[1]; + s1 = gift64b_rotate_down_1(s1); + s2 = gift64b_rotate_down_2(s2); + s3 = gift64b_rotate_down_3(s3); + gift64b_inv_sbox(s0, s1, s2, s3); + + /* 1st round - S-box, rotate left, add round key */ + s3 ^= rk[0]; + s1 ^= rk[1]; + s0 ^= rc[0]; + s1 = gift64b_rotate_right_1(s1); + s2 = gift64b_rotate_right_2(s2); + s0 = gift64b_rotate_right_3(s0); + gift64b_inv_sbox(s3, s1, s2, s0); + } + + /* Copy the local variables to the output state */ + state[0] = s0; + state[1] = s1; + state[2] = s2; + state[3] = s3; +} + +int gift64n_init + (gift64n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + /* Use the little-endian byte order from the LOTUS-AEAD submission */ + if (!ks || !key || key_len != 16) + return 0; + ks->k[0] = le_load_word32(key + 12); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key); + gift64b_update_round_keys(ks); + return 1; +} + +/** + * \brief Converts the GIFT-64 nibble-based representation into word-based + * (littlen-endian version). + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The output words will be in fixsliced form. Technically the output will + * contain two blocks for gift64b_encrypt_core() to process in parallel but + * both blocks will have the same value. + */ +static void gift64n_to_words(uint32_t output[4], const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input block into 32-bit words */ + s0 = le_load_word32(input); + s2 = le_load_word32(input + 4); + + /* Rearrange the bits in the block */ + gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); + gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); + gift64b_swap_move(s0, s0, 0x0000FF00U, 8); + gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); + gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); + gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + + /* Split into two identical blocks in fixsliced form */ + s1 = s0; + s3 = s2; + gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); + gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); + gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +/** + * \brief Converts the GIFT-64 word-based representation into nibble-based + * (little-endian version). + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + * + * The input words are in fixsliced form. Technically there are two + * identical blocks in the input. We drop one when we write to the output. + */ +static void gift64n_to_nibbles(unsigned char *output, const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Load the state and split the two blocks into separate words */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); + gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); + gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); + gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + + /* Rearrange the bits in the first block back into nibble form */ + gift64b_swap_move(s0, s0, 0x0000FF00U, 8); + gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); + gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); + gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); + gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); + le_store_word32(output, s0); + le_store_word32(output + 4, s2); +} + +void gift64n_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_encrypt_core(ks, state, 0); + gift64n_to_nibbles(output, state); +} + +void gift64n_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_decrypt_core(ks, state, 0); + gift64n_to_nibbles(output, state); +} + +/** + * \brief Converts the GIFT-64 nibble-based representation into word-based + * (big-endian version). + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The output words will be in fixsliced form. Technically the output will + * contain two blocks for gift64b_encrypt_core() to process in parallel but + * both blocks will have the same value. + */ +static void gift64nb_to_words(uint32_t output[4], const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input block into 32-bit words */ + s0 = be_load_word32(input + 4); + s2 = be_load_word32(input); + + /* Rearrange the bits in the block */ + gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); + gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); + gift64b_swap_move(s0, s0, 0x0000FF00U, 8); + gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); + gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); + gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + + /* Split into two identical blocks in fixsliced form */ + s1 = s0; + s3 = s2; + gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); + gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); + gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +/** + * \brief Converts the GIFT-64 word-based representation into nibble-based + * (big-endian version). + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + * + * The input words are in fixsliced form. Technically there are two + * identical blocks in the input. We drop one when we write to the output. + */ +static void gift64nb_to_nibbles(unsigned char *output, const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Load the state and split the two blocks into separate words */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); + gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); + gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); + gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + + /* Rearrange the bits in the first block back into nibble form */ + gift64b_swap_move(s0, s0, 0x0000FF00U, 8); + gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); + gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); + gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); + gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); + be_store_word32(output, s2); + be_store_word32(output + 4, s0); +} + +void gift64nb_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t state[4]; + gift64nb_to_words(state, input); + gift64b_encrypt_core(ks, state, 0); + gift64nb_to_nibbles(output, state); +} + +void gift64nb_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t state[4]; + gift64nb_to_words(state, input); + gift64b_decrypt_core(ks, state, 0); + gift64nb_to_nibbles(output, state); +} + +/* 4-bit tweak values expanded to 32-bit in fixsliced form */ +static uint32_t const GIFT64_tweaks[16] = { + 0x00000000, 0xee11ee11, 0xdd22dd22, 0x33333333, 0xbb44bb44, 0x55555555, + 0x66666666, 0x88778877, 0x77887788, 0x99999999, 0xaaaaaaaa, 0x44bb44bb, + 0xcccccccc, 0x22dd22dd, 0x11ee11ee, 0xffffffff +}; + +void gift64t_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_encrypt_core(ks, state, GIFT64_tweaks[tweak]); + gift64n_to_nibbles(output, state); +} + +void gift64t_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_decrypt_core(ks, state, GIFT64_tweaks[tweak]); + gift64n_to_nibbles(output, state); +} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.h new file mode 100644 index 0000000..40479c7 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.h @@ -0,0 +1,194 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT64_H +#define LW_INTERNAL_GIFT64_H + +/** + * \file internal-gift64.h + * \brief GIFT-64 block cipher. + * + * References: https://eprint.iacr.org/2017/622.pdf, + * https://giftcipher.github.io/gift/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a GIFT-64 block in bytes. + */ +#define GIFT64_BLOCK_SIZE 8 + +/** + * \brief Structure of the key schedule for GIFT-64 (bit-sliced). + */ +typedef struct +{ + uint32_t k[4]; /**< Words of the key schedule */ + uint32_t rk[8]; /**< Pre-computed round keys for fixsliced form */ + +} gift64b_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-64 (bit-sliced). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift64b_init + (gift64b_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Updates the round keys after a change in the base key. + * + * \param ks Points to the key schedule to update. + */ +void gift64b_update_round_keys(gift64b_key_schedule_t *ks); + +/** + * \brief Structure of the key schedule for GIFT-64 (nibble-based). + */ +typedef gift64b_key_schedule_t gift64n_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-64 (nibble-based). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift64n_init + (gift64n_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift64n_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 64-bit block with GIFT-64 (nibble-based). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift64n_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based big-endian). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift64nb_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 64-bit block with GIFT-64 (nibble-based big-endian). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift64nb_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 64-bit block with TweGIFT-64 (tweakable variant). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-64 is used by the LOTUS/LOCUS submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift64n_encrypt(). + */ +void gift64t_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +/** + * \brief Decrypts a 64-bit block with TweGIFT-64 (tweakable variant). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-64 is used by the LOTUS/LOCUS submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift64n_decrypt(). + */ +void gift64t_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-util.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.c new file mode 100644 index 0000000..e60b084 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.c @@ -0,0 +1,436 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "lotus-locus.h" +#include "internal-gift64.h" +#include "internal-util.h" +#include + +aead_cipher_t const lotus_aead_cipher = { + "LOTUS-AEAD", + LOTUS_AEAD_KEY_SIZE, + LOTUS_AEAD_NONCE_SIZE, + LOTUS_AEAD_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + lotus_aead_encrypt, + lotus_aead_decrypt +}; + +aead_cipher_t const locus_aead_cipher = { + "LOCUS-AEAD", + LOCUS_AEAD_KEY_SIZE, + LOCUS_AEAD_NONCE_SIZE, + LOCUS_AEAD_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + locus_aead_encrypt, + locus_aead_decrypt +}; + +/** + * \brief Multiplies a key by 2 in the GF(128) field. + * + * \param ks The key schedule structure containing the key in host byte order. + */ +STATIC_INLINE void lotus_or_locus_mul_2(gift64n_key_schedule_t *ks) +{ + uint32_t mask = (uint32_t)(((int32_t)(ks->k[0])) >> 31); + ks->k[0] = (ks->k[0] << 1) | (ks->k[1] >> 31); + ks->k[1] = (ks->k[1] << 1) | (ks->k[2] >> 31); + ks->k[2] = (ks->k[2] << 1) | (ks->k[3] >> 31); + ks->k[3] = (ks->k[3] << 1) ^ (mask & 0x87); + gift64b_update_round_keys(ks); +} + +/** + * \brief Initializes a LOTUS-AEAD or LOCUS-AEAD cipher instance. + * + * \param ks Key schedule to initialize. + * \param deltaN Delta-N value for the cipher state. + * \param key Points to the 16-byte key for the cipher instance. + * \param nonce Points to the 16-byte key for the cipher instance. + * \param T Points to a temporary buffer of LOTUS_AEAD_KEY_SIZE bytes + * that will be destroyed during this function. + */ +static void lotus_or_locus_init + (gift64n_key_schedule_t *ks, + unsigned char deltaN[GIFT64_BLOCK_SIZE], + const unsigned char *key, + const unsigned char *nonce, + unsigned char *T) +{ + gift64n_init(ks, key, LOTUS_AEAD_KEY_SIZE); + memset(deltaN, 0, GIFT64_BLOCK_SIZE); + gift64t_encrypt(ks, deltaN, deltaN, 0); + lw_xor_block_2_src(T, key, nonce, LOTUS_AEAD_KEY_SIZE); + gift64n_init(ks, T, LOTUS_AEAD_KEY_SIZE); + gift64t_encrypt(ks, deltaN, deltaN, 1); +} + +/** + * \brief Processes associated data for LOTUS-AEAD or LOCUS-AEAD. + * + * \param ks Points to the key schedule. + * \param deltaN Points to the Delta-N value from the state. + * \param V Points to the V value from the state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void lotus_or_locus_process_ad + (gift64n_key_schedule_t *ks, + const unsigned char deltaN[GIFT64_BLOCK_SIZE], + unsigned char V[GIFT64_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char X[GIFT64_BLOCK_SIZE]; + unsigned char temp; + while (adlen > GIFT64_BLOCK_SIZE) { + lotus_or_locus_mul_2(ks); + lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(ks, X, X, 2); + lw_xor_block(V, X, GIFT64_BLOCK_SIZE); + ad += GIFT64_BLOCK_SIZE; + adlen -= GIFT64_BLOCK_SIZE; + } + lotus_or_locus_mul_2(ks); + temp = (unsigned)adlen; + if (temp < GIFT64_BLOCK_SIZE) { + memcpy(X, deltaN, GIFT64_BLOCK_SIZE); + lw_xor_block(X, ad, temp); + X[temp] ^= 0x01; + gift64t_encrypt(ks, X, X, 3); + } else { + lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(ks, X, X, 2); + } + lw_xor_block(V, X, GIFT64_BLOCK_SIZE); +} + +/** + * \brief Generates the authentication tag for LOTUS-AEAD or LOCUS-AEAD. + * + * \param ks Points to the key schedule. + * \param tag Points to the buffer to receive the authentication tag. + * \param deltaN Points to the Delta-N value from the state. + * \param W Points to the W value from the state. + * \param V Points to the V value from the state. + */ +static void lotus_or_locus_gen_tag + (gift64n_key_schedule_t *ks, unsigned char *tag, + unsigned char deltaN[GIFT64_BLOCK_SIZE], + unsigned char W[GIFT64_BLOCK_SIZE], + unsigned char V[GIFT64_BLOCK_SIZE]) +{ + lotus_or_locus_mul_2(ks); + lw_xor_block(W, deltaN, GIFT64_BLOCK_SIZE); + lw_xor_block(W, V, GIFT64_BLOCK_SIZE); + gift64t_encrypt(ks, W, W, 6); + lw_xor_block_2_src(tag, W, deltaN, GIFT64_BLOCK_SIZE); +} + +int lotus_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + gift64n_key_schedule_t ks; + unsigned char WV[GIFT64_BLOCK_SIZE * 2]; + unsigned char deltaN[GIFT64_BLOCK_SIZE]; + unsigned char X1[GIFT64_BLOCK_SIZE]; + unsigned char X2[GIFT64_BLOCK_SIZE]; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + LOTUS_AEAD_TAG_SIZE; + + /* Initialize the state with the key and the nonce */ + lotus_or_locus_init(&ks, deltaN, k, npub, WV); + memset(WV, 0, sizeof(WV)); + + /* Process the associated data */ + if (adlen > 0) { + lotus_or_locus_process_ad + (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > (GIFT64_BLOCK_SIZE * 2)) { + lotus_or_locus_mul_2(&ks); + lw_xor_block_2_src(X1, m, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X1, 4); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 4); + lw_xor_block_2_src + (X2, m + GIFT64_BLOCK_SIZE, X2, GIFT64_BLOCK_SIZE); + lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 5); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 5); + lw_xor_block_2_src + (c + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE * 2; + m += GIFT64_BLOCK_SIZE * 2; + mlen -= GIFT64_BLOCK_SIZE * 2; + } + temp = (unsigned)mlen; + lotus_or_locus_mul_2(&ks); + memcpy(X1, deltaN, GIFT64_BLOCK_SIZE); + X1[0] ^= (unsigned char)temp; + gift64t_encrypt(&ks, X2, X1, 12); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 12); + if (temp <= GIFT64_BLOCK_SIZE) { + lw_xor_block(WV, m, temp); + lw_xor_block(X2, m, temp); + lw_xor_block_2_src(c, X2, deltaN, temp); + } else { + lw_xor_block(X2, m, GIFT64_BLOCK_SIZE); + lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE; + m += GIFT64_BLOCK_SIZE; + temp -= GIFT64_BLOCK_SIZE; + gift64t_encrypt(&ks, X2, X2, 13); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 13); + lw_xor_block(WV, m, temp); + lw_xor_block(X1, X2, temp); + lw_xor_block_2_src(c, X1, m, temp); + } + c += temp; + } + + /* Generate the authentication tag */ + lotus_or_locus_gen_tag(&ks, c, deltaN, WV, WV + GIFT64_BLOCK_SIZE); + return 0; +} + +int lotus_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + gift64n_key_schedule_t ks; + unsigned char WV[GIFT64_BLOCK_SIZE * 2]; + unsigned char deltaN[GIFT64_BLOCK_SIZE]; + unsigned char X1[GIFT64_BLOCK_SIZE]; + unsigned char X2[GIFT64_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned temp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < LOTUS_AEAD_TAG_SIZE) + return -1; + *mlen = clen - LOTUS_AEAD_TAG_SIZE; + + /* Initialize the state with the key and the nonce */ + lotus_or_locus_init(&ks, deltaN, k, npub, WV); + memset(WV, 0, sizeof(WV)); + + /* Process the associated data */ + if (adlen > 0) { + lotus_or_locus_process_ad + (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); + } + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= LOTUS_AEAD_TAG_SIZE; + if (clen > 0) { + while (clen > (GIFT64_BLOCK_SIZE * 2)) { + lotus_or_locus_mul_2(&ks); + lw_xor_block_2_src(X1, c, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X1, 5); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 5); + lw_xor_block(X2, c + GIFT64_BLOCK_SIZE, GIFT64_BLOCK_SIZE); + lw_xor_block_2_src(m, X2, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 4); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 4); + lw_xor_block_2_src + (m + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE * 2; + m += GIFT64_BLOCK_SIZE * 2; + clen -= GIFT64_BLOCK_SIZE * 2; + } + temp = (unsigned)clen; + lotus_or_locus_mul_2(&ks); + memcpy(X1, deltaN, GIFT64_BLOCK_SIZE); + X1[0] ^= (unsigned char)temp; + gift64t_encrypt(&ks, X2, X1, 12); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 12); + if (temp <= GIFT64_BLOCK_SIZE) { + lw_xor_block_2_src(m, X2, c, temp); + lw_xor_block(m, deltaN, temp); + lw_xor_block(X2, m, temp); + lw_xor_block(WV, m, temp); + } else { + lw_xor_block_2_src(m, X2, c, GIFT64_BLOCK_SIZE); + lw_xor_block(m, deltaN, GIFT64_BLOCK_SIZE); + lw_xor_block(X2, m, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE; + m += GIFT64_BLOCK_SIZE; + temp -= GIFT64_BLOCK_SIZE; + gift64t_encrypt(&ks, X2, X2, 13); + lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X2, X2, 13); + lw_xor_block(X1, X2, temp); + lw_xor_block_2_src(m, X1, c, temp); + lw_xor_block(WV, m, temp); + } + c += temp; + } + + /* Check the authentication tag */ + lotus_or_locus_gen_tag(&ks, WV, deltaN, WV, WV + GIFT64_BLOCK_SIZE); + return aead_check_tag(mtemp, *mlen, WV, c, LOTUS_AEAD_TAG_SIZE); +} + +int locus_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + gift64n_key_schedule_t ks; + unsigned char WV[GIFT64_BLOCK_SIZE * 2]; + unsigned char deltaN[GIFT64_BLOCK_SIZE]; + unsigned char X[GIFT64_BLOCK_SIZE]; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + LOCUS_AEAD_TAG_SIZE; + + /* Initialize the state with the key and the nonce */ + lotus_or_locus_init(&ks, deltaN, k, npub, WV); + memset(WV, 0, sizeof(WV)); + + /* Process the associated data */ + if (adlen > 0) { + lotus_or_locus_process_ad + (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > GIFT64_BLOCK_SIZE) { + lotus_or_locus_mul_2(&ks); + lw_xor_block_2_src(X, m, deltaN, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X, X, 4); + lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X, X, 4); + lw_xor_block_2_src(c, X, deltaN, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE; + m += GIFT64_BLOCK_SIZE; + mlen -= GIFT64_BLOCK_SIZE; + } + temp = (unsigned)mlen; + lotus_or_locus_mul_2(&ks); + memcpy(X, deltaN, GIFT64_BLOCK_SIZE); + X[0] ^= (unsigned char)temp; + gift64t_encrypt(&ks, X, X, 5); + lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); + lw_xor_block(WV, m, temp); + gift64t_encrypt(&ks, X, X, 5); + lw_xor_block(X, deltaN, temp); + lw_xor_block_2_src(c, m, X, temp); + c += temp; + } + + /* Generate the authentication tag */ + lotus_or_locus_gen_tag(&ks, c, deltaN, WV, WV + GIFT64_BLOCK_SIZE); + return 0; +} + +int locus_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + gift64n_key_schedule_t ks; + unsigned char WV[GIFT64_BLOCK_SIZE * 2]; + unsigned char deltaN[GIFT64_BLOCK_SIZE]; + unsigned char X[GIFT64_BLOCK_SIZE]; + unsigned char *mtemp = m; + unsigned temp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < LOCUS_AEAD_TAG_SIZE) + return -1; + *mlen = clen - LOCUS_AEAD_TAG_SIZE; + + /* Initialize the state with the key and the nonce */ + lotus_or_locus_init(&ks, deltaN, k, npub, WV); + memset(WV, 0, sizeof(WV)); + + /* Process the associated data */ + if (adlen > 0) { + lotus_or_locus_process_ad + (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); + } + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= LOCUS_AEAD_TAG_SIZE; + if (clen > 0) { + while (clen > GIFT64_BLOCK_SIZE) { + lotus_or_locus_mul_2(&ks); + lw_xor_block_2_src(X, c, deltaN, GIFT64_BLOCK_SIZE); + gift64t_decrypt(&ks, X, X, 4); + lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); + gift64t_decrypt(&ks, X, X, 4); + lw_xor_block_2_src(m, X, deltaN, GIFT64_BLOCK_SIZE); + c += GIFT64_BLOCK_SIZE; + m += GIFT64_BLOCK_SIZE; + clen -= GIFT64_BLOCK_SIZE; + } + temp = (unsigned)clen; + lotus_or_locus_mul_2(&ks); + memcpy(X, deltaN, GIFT64_BLOCK_SIZE); + X[0] ^= (unsigned char)temp; + gift64t_encrypt(&ks, X, X, 5); + lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); + gift64t_encrypt(&ks, X, X, 5); + lw_xor_block(X, deltaN, temp); + lw_xor_block_2_src(m, c, X, temp); + lw_xor_block(WV, m, temp); + c += temp; + } + + /* Check the authentication tag */ + lotus_or_locus_gen_tag(&ks, WV, deltaN, WV, WV + GIFT64_BLOCK_SIZE); + return aead_check_tag(mtemp, *mlen, WV, c, LOCUS_AEAD_TAG_SIZE); +} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.h new file mode 100644 index 0000000..85434a8 --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.h @@ -0,0 +1,223 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_LOTUS_LOCUS_H +#define LWCRYPTO_LOTUS_LOCUS_H + +#include "aead-common.h" + +/** + * \file lotus-locus.h + * \brief LOTUS-AEAD and LOCUS-AEAD authenticated encryption algorithms. + * + * LOTUS-AEAD and LOCUS-AEAD are authenticated encryption algorithms + * that are based around a tweakable variant of the GIFT-64 block cipher + * called TweGIFT-64. Both AEAD algorithms have a 128-bit key, a 128-bit + * nonce, and a 64-bit tag. + * + * The two algorithms have the same key initialization, associated data + * processing, and tag generation mechanisms. They differ in how the + * input is encrypted with TweGIFT-64. + * + * LOTUS-AEAD uses a method similar to the block cipher mode OTR. + * TweGIFT-64 is essentially converted into a 128-bit block cipher + * using a Feistel construction and four TweGIFT-64 block operations + * every 16 bytes of input. + * + * LOCUS-AEAD uses a method similar to the block cipher mode OCB + * with two TweGIFT-64 block operations for every 8 bytes of input. + * LOCUS-AEAD requires both the block encrypt and block decrypt + * operations of TweGIFT-64, which increases the overall code size. + * LOTUS-AEAD only needs the block encrypt operation. + * + * LOTUS-AEAD is the primary member of the family. + * + * References: https://www.isical.ac.in/~lightweight/lotus/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for LOTUS-AEAD. + */ +#define LOTUS_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for LOTUS-AEAD. + */ +#define LOTUS_AEAD_TAG_SIZE 8 + +/** + * \brief Size of the nonce for LOTUS-AEAD. + */ +#define LOTUS_AEAD_NONCE_SIZE 16 + +/** + * \brief Size of the key for LOCUS-AEAD. + */ +#define LOCUS_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for LOCUS-AEAD. + */ +#define LOCUS_AEAD_TAG_SIZE 8 + +/** + * \brief Size of the nonce for LOCUS-AEAD. + */ +#define LOCUS_AEAD_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the LOTUS-AEAD cipher. + */ +extern aead_cipher_t const lotus_aead_cipher; + +/** + * \brief Meta-information block for the LOCUS-AEAD cipher. + */ +extern aead_cipher_t const locus_aead_cipher; + +/** + * \brief Encrypts and authenticates a packet with LOTUS-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa lotus_aead_decrypt() + */ +int lotus_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with LOTUS-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 9 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa lotus_aead_encrypt() + */ +int lotus_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with LOCUS-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa locus_aead_decrypt() + */ +int locus_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with LOCUS-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 9 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa locus_aead_encrypt() + */ +int locus_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.c b/orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.h b/orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/api.h b/orange/Implementations/crypto_aead/orangezestv1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/encrypt.c b/orange/Implementations/crypto_aead/orangezestv1/rhys/encrypt.c new file mode 100644 index 0000000..e1ea967 --- /dev/null +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "orange.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return orange_zest_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return orange_zest_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.c b/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.c new file mode 100644 index 0000000..b8743fe --- /dev/null +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.c @@ -0,0 +1,479 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-photon256.h" +#include "internal-util.h" + +/** + * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form. + */ +#define PHOTON256_ROUNDS 12 + +/* Round constants for PHOTON-256 */ +static uint32_t const photon256_rc[PHOTON256_ROUNDS] = { + 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e, + 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c, + 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a +}; + +/** + * \brief Evaluates the PHOTON-256 S-box in bit-sliced form. + * + * \param x0 Slice with bit 0 of all nibbles. + * \param x1 Slice with bit 1 of all nibbles. + * \param x2 Slice with bit 2 of all nibbles. + * \param x3 Slice with bit 3 of all nibbles. + * + * This bit-sliced S-box implementation is based on the AVR version + * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code. + */ +#define photon256_sbox(x0, x1, x2, x3) \ + do { \ + x1 ^= x2; \ + x3 ^= (x2 & x1); \ + t1 = x3; \ + x3 = (x3 & x1) ^ x2; \ + t2 = x3; \ + x3 ^= x0; \ + x3 = ~(x3); \ + x2 = x3; \ + t2 |= x0; \ + x0 ^= t1; \ + x1 ^= x0; \ + x2 |= x1; \ + x2 ^= t1; \ + x1 ^= t2; \ + x3 ^= x1; \ + } while (0) + +/** + * \brief Performs a field multiplication on the 8 nibbles in a row. + * + * \param a Field constant to multiply by. + * \param x Bit-sliced form of the row, with bits 0..3 of each nibble + * in bytes 0..3 of the word. + * + * \return a * x packed into the bytes of a word. + */ +static uint32_t photon256_field_multiply(uint8_t a, uint32_t x) +{ + /* For each 4-bit nibble we need to do this: + * + * result = 0; + * for (bit = 0; bit < 4; ++ bit) { + * if ((a & (1 << bit)) != 0) + * result ^= x; + * if ((x & 0x08) != 0) { + * x = (x << 1) ^ 3; + * } else { + * x = (x << 1); + * } + * } + * + * We don't need to worry about constant time for "a" because it is a + * known constant that isn't data-dependent. But we do need to worry + * about constant time for "x" as it is data. + */ + uint32_t result = 0; + uint32_t t; + #define PARALLEL_CONDITIONAL_ADD(bit) \ + do { \ + if ((a) & (1 << (bit))) \ + result ^= x; \ + } while (0) + #define PARALELL_ROTATE() \ + do { \ + t = x >> 24; \ + x = (x << 8) ^ t ^ (t << 8); \ + } while (0) + PARALLEL_CONDITIONAL_ADD(0); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(1); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(2); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(3); + return result; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts a PHOTON-256 state into bit-sliced form. + * + * \param out Points to the converted output. + * \param in Points to the PHOTON-256 state to convert. + */ +static void photon256_to_sliced + (uint32_t out[PHOTON256_STATE_SIZE / 4], + const unsigned char in[PHOTON256_STATE_SIZE]) +{ + /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words. + * Then we rearrange the bytes to group all bits N into word N. + * + * Permutation generated with "http://programming.sirrida.de/calcperm.php". + * + * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 + * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31] + */ + uint32_t t0, t1, t2, t3; + #define TO_BITSLICED_PERM(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + } while (0) + #define FROM_BITSLICED_PERM(x) \ + do { \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + } while (0) + t0 = le_load_word32(in); + t1 = le_load_word32(in + 4); + t2 = le_load_word32(in + 8); + t3 = le_load_word32(in + 12); + TO_BITSLICED_PERM(t0); + TO_BITSLICED_PERM(t1); + TO_BITSLICED_PERM(t2); + TO_BITSLICED_PERM(t3); + out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | + ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); + out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | + ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); + out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | + (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); + out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | + ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); + t0 = le_load_word32(in + 16); + t1 = le_load_word32(in + 20); + t2 = le_load_word32(in + 24); + t3 = le_load_word32(in + 28); + TO_BITSLICED_PERM(t0); + TO_BITSLICED_PERM(t1); + TO_BITSLICED_PERM(t2); + TO_BITSLICED_PERM(t3); + out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | + ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); + out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | + ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); + out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | + (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); + out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | + ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); +} + +/** + * \brief Converts a PHOTON-256 state from bit-sliced form. + * + * \param out Points to the converted output. + * \param in Points to the PHOTON-256 state to convert. + */ +static void photon256_from_sliced + (unsigned char out[PHOTON256_STATE_SIZE], + const unsigned char in[PHOTON256_STATE_SIZE]) +{ + /* Do the reverse of photon256_to_sliced() */ + uint32_t x0, x1, x2, x3; + x0 = ((uint32_t)(in[0])) | + (((uint32_t)(in[4])) << 8) | + (((uint32_t)(in[8])) << 16) | + (((uint32_t)(in[12])) << 24); + x1 = ((uint32_t)(in[1])) | + (((uint32_t)(in[5])) << 8) | + (((uint32_t)(in[9])) << 16) | + (((uint32_t)(in[13])) << 24); + x2 = ((uint32_t)(in[2])) | + (((uint32_t)(in[6])) << 8) | + (((uint32_t)(in[10])) << 16) | + (((uint32_t)(in[14])) << 24); + x3 = ((uint32_t)(in[3])) | + (((uint32_t)(in[7])) << 8) | + (((uint32_t)(in[11])) << 16) | + (((uint32_t)(in[15])) << 24); + FROM_BITSLICED_PERM(x0); + FROM_BITSLICED_PERM(x1); + FROM_BITSLICED_PERM(x2); + FROM_BITSLICED_PERM(x3); + le_store_word32(out, x0); + le_store_word32(out + 4, x1); + le_store_word32(out + 8, x2); + le_store_word32(out + 12, x3); + x0 = ((uint32_t)(in[16])) | + (((uint32_t)(in[20])) << 8) | + (((uint32_t)(in[24])) << 16) | + (((uint32_t)(in[28])) << 24); + x1 = ((uint32_t)(in[17])) | + (((uint32_t)(in[21])) << 8) | + (((uint32_t)(in[25])) << 16) | + (((uint32_t)(in[29])) << 24); + x2 = ((uint32_t)(in[18])) | + (((uint32_t)(in[22])) << 8) | + (((uint32_t)(in[26])) << 16) | + (((uint32_t)(in[30])) << 24); + x3 = ((uint32_t)(in[19])) | + (((uint32_t)(in[23])) << 8) | + (((uint32_t)(in[27])) << 16) | + (((uint32_t)(in[31])) << 24); + FROM_BITSLICED_PERM(x0); + FROM_BITSLICED_PERM(x1); + FROM_BITSLICED_PERM(x2); + FROM_BITSLICED_PERM(x3); + le_store_word32(out + 16, x0); + le_store_word32(out + 20, x1); + le_store_word32(out + 24, x2); + le_store_word32(out + 28, x3); +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +/* Index the bit-sliced state bytes in little-endian byte order */ +#define READ_ROW0() \ + (((uint32_t)(S.bytes[0])) | \ + (((uint32_t)(S.bytes[4])) << 8) | \ + (((uint32_t)(S.bytes[8])) << 16) | \ + (((uint32_t)(S.bytes[12])) << 24)) +#define READ_ROW1() \ + (((uint32_t)(S.bytes[1])) | \ + (((uint32_t)(S.bytes[5])) << 8) | \ + (((uint32_t)(S.bytes[9])) << 16) | \ + (((uint32_t)(S.bytes[13])) << 24)) +#define READ_ROW2() \ + (((uint32_t)(S.bytes[2])) | \ + (((uint32_t)(S.bytes[6])) << 8) | \ + (((uint32_t)(S.bytes[10])) << 16) | \ + (((uint32_t)(S.bytes[14])) << 24)) +#define READ_ROW3() \ + (((uint32_t)(S.bytes[3])) | \ + (((uint32_t)(S.bytes[7])) << 8) | \ + (((uint32_t)(S.bytes[11])) << 16) | \ + (((uint32_t)(S.bytes[15])) << 24)) +#define READ_ROW4() \ + (((uint32_t)(S.bytes[16])) | \ + (((uint32_t)(S.bytes[20])) << 8) | \ + (((uint32_t)(S.bytes[24])) << 16) | \ + (((uint32_t)(S.bytes[28])) << 24)) +#define READ_ROW5() \ + (((uint32_t)(S.bytes[17])) | \ + (((uint32_t)(S.bytes[21])) << 8) | \ + (((uint32_t)(S.bytes[25])) << 16) | \ + (((uint32_t)(S.bytes[29])) << 24)) +#define READ_ROW6() \ + (((uint32_t)(S.bytes[18])) | \ + (((uint32_t)(S.bytes[22])) << 8) | \ + (((uint32_t)(S.bytes[26])) << 16) | \ + (((uint32_t)(S.bytes[30])) << 24)) +#define READ_ROW7() \ + (((uint32_t)(S.bytes[19])) | \ + (((uint32_t)(S.bytes[23])) << 8) | \ + (((uint32_t)(S.bytes[27])) << 16) | \ + (((uint32_t)(S.bytes[31])) << 24)) +#define WRITE_ROW(row, value) \ + do { \ + if ((row) < 4) { \ + S.bytes[(row)] = (uint8_t)(value); \ + S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \ + S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \ + S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \ + } else { \ + S.bytes[(row) + 12] = (uint8_t)(value); \ + S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \ + S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \ + S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \ + } \ + } while (0) +#else +/* Index the bit-sliced state bytes in big-endian byte order */ +#define READ_ROW0() \ + (((uint32_t)(S.bytes[3])) | \ + (((uint32_t)(S.bytes[7])) << 8) | \ + (((uint32_t)(S.bytes[11])) << 16) | \ + (((uint32_t)(S.bytes[15])) << 24)) +#define READ_ROW1() \ + (((uint32_t)(S.bytes[2])) | \ + (((uint32_t)(S.bytes[6])) << 8) | \ + (((uint32_t)(S.bytes[10])) << 16) | \ + (((uint32_t)(S.bytes[14])) << 24)) +#define READ_ROW2() \ + (((uint32_t)(S.bytes[1])) | \ + (((uint32_t)(S.bytes[5])) << 8) | \ + (((uint32_t)(S.bytes[9])) << 16) | \ + (((uint32_t)(S.bytes[13])) << 24)) +#define READ_ROW3() \ + (((uint32_t)(S.bytes[0])) | \ + (((uint32_t)(S.bytes[4])) << 8) | \ + (((uint32_t)(S.bytes[8])) << 16) | \ + (((uint32_t)(S.bytes[12])) << 24)) +#define READ_ROW4() \ + (((uint32_t)(S.bytes[19])) | \ + (((uint32_t)(S.bytes[23])) << 8) | \ + (((uint32_t)(S.bytes[27])) << 16) | \ + (((uint32_t)(S.bytes[31])) << 24)) +#define READ_ROW5() \ + (((uint32_t)(S.bytes[18])) | \ + (((uint32_t)(S.bytes[22])) << 8) | \ + (((uint32_t)(S.bytes[26])) << 16) | \ + (((uint32_t)(S.bytes[30])) << 24)) +#define READ_ROW6() \ + (((uint32_t)(S.bytes[17])) | \ + (((uint32_t)(S.bytes[21])) << 8) | \ + (((uint32_t)(S.bytes[25])) << 16) | \ + (((uint32_t)(S.bytes[29])) << 24)) +#define READ_ROW7() \ + (((uint32_t)(S.bytes[16])) | \ + (((uint32_t)(S.bytes[20])) << 8) | \ + (((uint32_t)(S.bytes[24])) << 16) | \ + (((uint32_t)(S.bytes[28])) << 24)) +#define WRITE_ROW(row, value) \ + do { \ + if ((row) < 4) { \ + S.bytes[3 - (row)] = (uint8_t)(value); \ + S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \ + S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \ + S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \ + } else { \ + S.bytes[20 - (row)] = (uint8_t)(value); \ + S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \ + S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \ + S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \ + } \ + } while (0) +#endif + +void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]) +{ + union { + uint32_t words[PHOTON256_STATE_SIZE / 4]; + uint8_t bytes[PHOTON256_STATE_SIZE]; + } S; + uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8; + uint8_t round; + + /* Convert the state into bit-sliced form */ + photon256_to_sliced(S.words, state); + + /* Perform all 12 permutation rounds */ + for (round = 0; round < PHOTON256_ROUNDS; ++round) { + /* Add the constants for this round */ + t0 = photon256_rc[round]; + S.words[0] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[1] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[2] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[3] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[4] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[5] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[6] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[7] ^= t0 & 0x01010101U; + + /* Apply the sbox to all nibbles in the state */ + photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]); + photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]); + + /* Rotate all rows left by the row number. + * + * We do this by applying permutations to the top and bottom words + * to rearrange the bits into the rotated form. Permutations + * generated with "http://programming.sirrida.de/calcperm.php". + * + * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23 + * 16 17 18 19 20 21 29 30 31 24 25 26 27 28] + * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19 + * 20 21 22 23 16 17 25 26 27 28 29 30 31 24 + */ + #define TOP_ROTATE_PERM(x) \ + do { \ + t1 = (x); \ + bit_permute_step(t1, 0x07030100, 4); \ + bit_permute_step(t1, 0x22331100, 2); \ + bit_permute_step(t1, 0x55005500, 1); \ + (x) = t1; \ + } while (0) + #define BOTTOM_ROTATE_PERM(x) \ + do { \ + t1 = (x); \ + bit_permute_step(t1, 0x080c0e0f, 4); \ + bit_permute_step(t1, 0x22331100, 2); \ + bit_permute_step(t1, 0x55005500, 1); \ + (x) = t1; \ + } while (0) + TOP_ROTATE_PERM(S.words[0]); + TOP_ROTATE_PERM(S.words[1]); + TOP_ROTATE_PERM(S.words[2]); + TOP_ROTATE_PERM(S.words[3]); + BOTTOM_ROTATE_PERM(S.words[4]); + BOTTOM_ROTATE_PERM(S.words[5]); + BOTTOM_ROTATE_PERM(S.words[6]); + BOTTOM_ROTATE_PERM(S.words[7]); + + /* Mix the columns */ + #define MUL(a, x) (photon256_field_multiply((a), (x))) + t0 = READ_ROW0(); + t1 = READ_ROW1(); + t2 = READ_ROW2(); + t3 = READ_ROW3(); + t4 = READ_ROW4(); + t5 = READ_ROW5(); + t6 = READ_ROW6(); + t7 = READ_ROW7(); + t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^ + MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7); + WRITE_ROW(0, t8); + t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^ + MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7); + WRITE_ROW(1, t8); + t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^ + MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7); + WRITE_ROW(2, t8); + t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^ + MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7); + WRITE_ROW(3, t8); + t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^ + MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7); + WRITE_ROW(4, t8); + t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^ + MUL(0x04, t4) ^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7); + WRITE_ROW(5, t8); + t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^ + MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7); + WRITE_ROW(6, t8); + t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^ + MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7); + WRITE_ROW(7, t8); + } + + /* Convert back from bit-sliced form to regular form */ + photon256_from_sliced(state, S.bytes); +} diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.h b/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.h new file mode 100644 index 0000000..ce8729a --- /dev/null +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-photon256.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_PHOTON256_H +#define LW_INTERNAL_PHOTON256_H + +/** + * \file internal-photon256.h + * \brief Internal implementation of the PHOTON-256 permutation. + * + * Warning: The current implementation of PHOTON-256 is constant-time + * but not constant-cache. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the PHOTON-256 permutation state in bytes. + */ +#define PHOTON256_STATE_SIZE 32 + +/** + * \brief Permutes the PHOTON-256 state. + * + * \param state The state to be permuted. + */ +void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-util.h b/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/orange.c b/orange/Implementations/crypto_aead/orangezestv1/rhys/orange.c new file mode 100644 index 0000000..641e117 --- /dev/null +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/orange.c @@ -0,0 +1,384 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "orange.h" +#include "internal-photon256.h" +#include "internal-util.h" +#include + +aead_cipher_t const orange_zest_cipher = { + "ORANGE-Zest", + ORANGE_ZEST_KEY_SIZE, + ORANGE_ZEST_NONCE_SIZE, + ORANGE_ZEST_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + orange_zest_aead_encrypt, + orange_zest_aead_decrypt +}; + +aead_hash_algorithm_t const orangish_hash_algorithm = { + "ORANGISH", + sizeof(int), + ORANGISH_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + orangish_hash, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \brief Doubles a block in the GF(128) field a number of times. + * + * \param block The block to be doubled. + * \param value The number of times to double the block. + */ +static void orange_block_double(unsigned char block[16], unsigned char value) +{ + unsigned index; + unsigned char mask; + while (value > 0) { + mask = (unsigned char)(((signed char)(block[15])) >> 7); + for (index = 15; index > 0; --index) + block[index] = (block[index] << 1) | (block[index - 1] >> 7); + block[0] = (block[0] << 1) ^ (mask & 0x87); + --value; + } +} + +/** + * \brief Rotates a block left by 1 bit. + * + * \param out The output block to be set to the rotated version. + * \param in The input block to be rotated, must not overlap with \a out. + */ +static void orange_block_rotate + (unsigned char out[16], const unsigned char in[16]) +{ + unsigned index; + for (index = 15; index > 0; --index) + out[index] = (in[index] << 1) | (in[index - 1] >> 7); + out[0] = (in[0] << 1) | (in[15] >> 7); +} + +/** + * \brief Hash input data with ORANGE. + * + * \param state PHOTON-256 permutation state. + * \param data Points to the data to be hashed. + * \param len Length of the data to be hashed, must not be zero. + * \param domain0 Domain separation value for full last block. + * \param domain1 Domain separation value for partial last block. + */ +static void orange_process_hash + (unsigned char state[PHOTON256_STATE_SIZE], + const unsigned char *data, unsigned long long len, + unsigned char domain0, unsigned char domain1) +{ + unsigned temp; + while (len > PHOTON256_STATE_SIZE) { + photon256_permute(state); + lw_xor_block(state, data, PHOTON256_STATE_SIZE); + data += PHOTON256_STATE_SIZE; + len -= PHOTON256_STATE_SIZE; + } + photon256_permute(state); + temp = (unsigned)len; + if (temp < PHOTON256_STATE_SIZE) { + orange_block_double(state + 16, domain1); + state[temp] ^= 0x01; /* padding */ + } else { + orange_block_double(state + 16, domain0); + } + lw_xor_block(state, data, temp); +} + +/** + * \brief Applies the rho function to the ORANGE state. + * + * \param KS Output keystream to use to encrypt the plaintext or to + * decrypt the ciphertext. + * \param S Rolling key state. + * \param state Rolling PHOTON-256 permutation state. + */ +static void orange_rho + (unsigned char KS[32], unsigned char S[16], const unsigned char state[32]) +{ + orange_block_double(S, 1); + orange_block_rotate(KS, state); + lw_xor_block_2_src(KS + 16, state + 16, S, 16); + memcpy(S, state + 16, 16); +} + +/** + * \brief Encrypts plaintext with ORANGE. + * + * \param state PHOTON-256 permutation state. + * \param k Points to the key for the cipher. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param len Length of the plaintext in bytes, must not be zero. + */ +static void orange_encrypt + (unsigned char state[PHOTON256_STATE_SIZE], const unsigned char *k, + unsigned char *c, const unsigned char *m, unsigned long long len) +{ + unsigned char S[ORANGE_ZEST_KEY_SIZE]; + unsigned char KS[PHOTON256_STATE_SIZE]; + unsigned temp; + memcpy(S, k, ORANGE_ZEST_KEY_SIZE); + while (len > PHOTON256_STATE_SIZE) { + photon256_permute(state); + orange_rho(KS, S, state); + lw_xor_block_2_src(c, m, KS, PHOTON256_STATE_SIZE); + lw_xor_block(state, c, PHOTON256_STATE_SIZE); + c += PHOTON256_STATE_SIZE; + m += PHOTON256_STATE_SIZE; + len -= PHOTON256_STATE_SIZE; + } + photon256_permute(state); + temp = (unsigned)len; + if (temp < PHOTON256_STATE_SIZE) { + orange_block_double(state + 16, 2); + orange_rho(KS, S, state); + lw_xor_block_2_src(c, m, KS, temp); + lw_xor_block(state, c, temp); + state[temp] ^= 0x01; /* padding */ + } else { + orange_block_double(state + 16, 1); + orange_rho(KS, S, state); + lw_xor_block_2_src(c, m, KS, PHOTON256_STATE_SIZE); + lw_xor_block(state, c, PHOTON256_STATE_SIZE); + } +} + +/** + * \brief Decrypts ciphertext with ORANGE. + * + * \param state PHOTON-256 permutation state. + * \param k Points to the key for the cipher. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param len Length of the plaintext in bytes, must not be zero. + */ +static void orange_decrypt + (unsigned char state[PHOTON256_STATE_SIZE], const unsigned char *k, + unsigned char *m, const unsigned char *c, unsigned long long len) +{ + unsigned char S[ORANGE_ZEST_KEY_SIZE]; + unsigned char KS[PHOTON256_STATE_SIZE]; + unsigned temp; + memcpy(S, k, ORANGE_ZEST_KEY_SIZE); + while (len > PHOTON256_STATE_SIZE) { + photon256_permute(state); + orange_rho(KS, S, state); + lw_xor_block(state, c, PHOTON256_STATE_SIZE); + lw_xor_block_2_src(m, c, KS, PHOTON256_STATE_SIZE); + c += PHOTON256_STATE_SIZE; + m += PHOTON256_STATE_SIZE; + len -= PHOTON256_STATE_SIZE; + } + photon256_permute(state); + temp = (unsigned)len; + if (temp < PHOTON256_STATE_SIZE) { + orange_block_double(state + 16, 2); + orange_rho(KS, S, state); + lw_xor_block(state, c, temp); + lw_xor_block_2_src(m, c, KS, temp); + state[temp] ^= 0x01; /* padding */ + } else { + orange_block_double(state + 16, 1); + orange_rho(KS, S, state); + lw_xor_block(state, c, PHOTON256_STATE_SIZE); + lw_xor_block_2_src(m, c, KS, PHOTON256_STATE_SIZE); + } +} + +/** + * \brief Generates the authentication tag for ORANGE-Zest. + * + * \param state PHOTON-256 permutation state. + * + * The tag will be left in the leading bytes of the state on exit. + */ +static void orange_generate_tag(unsigned char state[PHOTON256_STATE_SIZE]) +{ + /* Swap the two halves of the state and run the permutation again */ + unsigned posn; + for (posn = 0; posn < (PHOTON256_STATE_SIZE / 2); ++posn) { + unsigned char temp = state[posn]; + state[posn] = state[posn + (PHOTON256_STATE_SIZE / 2)]; + state[posn + (PHOTON256_STATE_SIZE / 2)] = temp; + } + photon256_permute(state); +} + +int orange_zest_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ORANGE_ZEST_TAG_SIZE; + + /* Initialize the PHOTON-256 state with the nonce and key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Handle the associated data and message payload */ + if (adlen == 0) { + if (mlen == 0) { + state[16] ^= 2; /* domain separation */ + photon256_permute(state); + memcpy(c + mlen, state, ORANGE_ZEST_TAG_SIZE); + return 0; + } else { + state[16] ^= 1; /* domain separation */ + orange_encrypt(state, k, c, m, mlen); + } + } else { + orange_process_hash(state, ad, adlen, 1, 2); + if (mlen != 0) + orange_encrypt(state, k, c, m, mlen); + } + + /* Generate the authentication tag */ + orange_generate_tag(state); + memcpy(c + mlen, state, ORANGE_ZEST_TAG_SIZE); + return 0; +} + +int orange_zest_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ORANGE_ZEST_TAG_SIZE) + return -1; + *mlen = clen - ORANGE_ZEST_TAG_SIZE; + + /* Initialize the PHOTON-256 state with the nonce and key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Handle the associated data and message payload */ + clen -= ORANGE_ZEST_TAG_SIZE; + if (adlen == 0) { + if (clen == 0) { + state[16] ^= 2; /* domain separation */ + photon256_permute(state); + return aead_check_tag(m, 0, state, c, ORANGE_ZEST_TAG_SIZE); + } else { + state[16] ^= 1; /* domain separation */ + orange_decrypt(state, k, m, c, clen); + } + } else { + orange_process_hash(state, ad, adlen, 1, 2); + if (clen != 0) + orange_decrypt(state, k, m, c, clen); + } + + /* Check the authentication tag */ + orange_generate_tag(state); + return aead_check_tag(m, clen, state, c + clen, ORANGE_ZEST_TAG_SIZE); +} + +/** + * \brief Rate of absorbing data into the ORANGISH hash state. + */ +#define ORANGISH_RATE 16 + +int orangish_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + unsigned temp; + memset(state, 0, sizeof(state)); + if (inlen == 0) { + /* No absorption necessary for a zero-length input */ + } else if (inlen < ORANGISH_RATE) { + /* Single partial block */ + temp = (unsigned)inlen; + memcpy(state, in, temp); + state[temp] ^= 0x01; /* padding */ + photon256_permute(state); + lw_xor_block(state + 16, in, temp); + state[16 + temp] ^= 0x01; /* padding */ + state[0] ^= 0x02; /* domain separation */ + } else if (inlen == ORANGISH_RATE) { + /* Single full block */ + memcpy(state, in, ORANGISH_RATE); + photon256_permute(state); + lw_xor_block(state + 16, in, ORANGISH_RATE); + state[0] ^= 0x01; /* domain separation */ + } else { + /* Process double blocks until we run out */ + memcpy(state, in, ORANGISH_RATE); + photon256_permute(state); + lw_xor_block(state + 16, in, ORANGISH_RATE); + in += ORANGISH_RATE; + inlen -= ORANGISH_RATE; + while (inlen > ORANGISH_RATE) { + lw_xor_block(state, in, ORANGISH_RATE); + photon256_permute(state); + lw_xor_block(state + 16, in, ORANGISH_RATE); + in += ORANGISH_RATE; + inlen -= ORANGISH_RATE; + } + temp = (unsigned)inlen; + if (temp < ORANGISH_RATE) { + /* Last double block is partial */ + lw_xor_block(state, in, temp); + state[temp] ^= 0x01; /* padding */ + photon256_permute(state); + lw_xor_block(state + 16, in, temp); + state[16 + temp] ^= 0x01; /* padding */ + state[0] ^= 0x02; /* domain separation */ + } else { + /* Last double block is full */ + lw_xor_block(state, in, ORANGISH_RATE); + photon256_permute(state); + lw_xor_block(state + 16, in, ORANGISH_RATE); + state[0] ^= 0x01; /* domain separation */ + } + } + photon256_permute(state); + memcpy(out, state, 16); + photon256_permute(state); + memcpy(out + 16, state, 16); + return 0; +} diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/orange.h b/orange/Implementations/crypto_aead/orangezestv1/rhys/orange.h new file mode 100644 index 0000000..de5b00c --- /dev/null +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/orange.h @@ -0,0 +1,153 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ORANGE_H +#define LWCRYPTO_ORANGE_H + +#include "aead-common.h" + +/** + * \file orange.h + * \brief ORANGE authenticated encryption algorithm. + * + * ORANGE is a family of algorithms built around the PHOTON-256 permutation. + * There are two members of the family at present: + * + * \li ORANGE-Zest is an authenticated encryption algorithm with a 128-bit + * key, a 128-bit nonce, and a 128-bit tag. + * \li ORANGISH is a hash algorithm with a 256-bit output. + * + * References: https://www.isical.ac.in/~lightweight/Orange/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for ORANGE-Zest. + */ +#define ORANGE_ZEST_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for ORANGE-Zest. + */ +#define ORANGE_ZEST_TAG_SIZE 16 + +/** + * \brief Size of the nonce for ORANGE-Zest. + */ +#define ORANGE_ZEST_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for the ORANGISH hash algorithm. + */ +#define ORANGISH_HASH_SIZE 32 + +/** + * \brief Meta-information block for the ORANGE-Zest cipher. + */ +extern aead_cipher_t const orange_zest_cipher; + +/** + * \brief Meta-information block for the ORANGISH hash algorithm. + */ +extern aead_hash_algorithm_t const orangish_hash_algorithm; + +/** + * \brief Encrypts and authenticates a packet with ORANGE-Zest. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa orange_zest_aead_decrypt() + */ +int orange_zest_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with ORANGE-Zest. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa orange_zest_aead_encrypt() + */ +int orange_zest_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with ORANGISH to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ORANGISH_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int orangish_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.c b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/api.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/api.h new file mode 100644 index 0000000..bd8cdcb --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 8 +#define CRYPTO_ABYTES 12 +#define CRYPTO_NOOVERLAP 1 diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/encrypt.c b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/encrypt.c new file mode 100644 index 0000000..681e037 --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "oribatida.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return oribatida_192_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return oribatida_192_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.c b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.c new file mode 100644 index 0000000..4ca50d0 --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.c @@ -0,0 +1,168 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-simp.h" + +/** + * \brief Number of rounds for the inner block cipher within SimP-256. + */ +#define SIMP_256_ROUNDS 34 + +/** + * \brief Number of rounds for the inner block cipher within SimP-192. + */ +#define SIMP_192_ROUNDS 26 + +/** + * \brief Round constants for each of the rounds in SimP-256 or SimP-192. + * + * Bit i is the round constant for round i, repeated every 62 rounds. + */ +#define SIMP_RC 0x3369F885192C0EF5ULL + +void simp_256_permute(unsigned char state[SIMP_256_STATE_SIZE], unsigned steps) +{ + uint64_t z = SIMP_RC; + uint64_t x0, x1, x2, x3, t0, t1; + unsigned round; + + /* Load the state into local variables */ + x0 = be_load_word64(state); + x1 = be_load_word64(state + 8); + x2 = be_load_word64(state + 16); + x3 = be_load_word64(state + 24); + + /* Perform all steps */ + for (; steps > 0; --steps) { + /* Perform all rounds for this step, two at a time */ + for (round = 0; round < (SIMP_256_ROUNDS / 2); ++round) { + t1 = x3 ^ (leftRotate1_64(x2) & leftRotate8_64(x2)) ^ + leftRotate2_64(x2) ^ x1; + t0 = x1 ^ rightRotate3_64(x0) ^ rightRotate4_64(x0) ^ + 0xFFFFFFFFFFFFFFFCULL ^ (z & 1); + z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */ + x2 = x2 ^ (leftRotate1_64(t1) & leftRotate8_64(t1)) ^ + leftRotate2_64(t1) ^ x0; + x0 = x0 ^ rightRotate3_64(t0) ^ rightRotate4_64(t0) ^ + 0xFFFFFFFFFFFFFFFCULL ^ (z & 1); + x1 = t0; + x3 = t1; + z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */ + } + + /* Swap the words of the state for all steps except the last */ + if (steps > 1) { + t0 = x0; + t1 = x1; + x0 = x2; + x1 = x3; + x2 = t0; + x3 = t1; + } + } + + /* Write the local variables back to the state */ + be_store_word64(state, x0); + be_store_word64(state + 8, x1); + be_store_word64(state + 16, x2); + be_store_word64(state + 24, x3); +} + +/* Load a big-endian 48-bit word from a byte buffer */ +#define be_load_word48(ptr) \ + ((((uint64_t)((ptr)[0])) << 40) | \ + (((uint64_t)((ptr)[1])) << 32) | \ + (((uint64_t)((ptr)[2])) << 24) | \ + (((uint64_t)((ptr)[3])) << 16) | \ + (((uint64_t)((ptr)[4])) << 8) | \ + ((uint64_t)((ptr)[5]))) + +/* Store a big-endian 48-bit word into a byte buffer */ +#define be_store_word48(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 40); \ + (ptr)[1] = (uint8_t)(_x >> 32); \ + (ptr)[2] = (uint8_t)(_x >> 24); \ + (ptr)[3] = (uint8_t)(_x >> 16); \ + (ptr)[4] = (uint8_t)(_x >> 8); \ + (ptr)[5] = (uint8_t)_x; \ + } while (0) + +/* 48-bit rotations with the high bits set to garbage - truncated later */ +#define rightRotate3_48(x) (((x) >> 3) | ((x) << 45)) +#define rightRotate4_48(x) (((x) >> 4) | ((x) << 44)) +#define leftRotate1_48(x) (((x) << 1) | ((x) >> 47)) +#define leftRotate2_48(x) (((x) << 2) | ((x) >> 46)) +#define leftRotate8_48(x) (((x) << 8) | ((x) >> 40)) + +void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps) +{ + uint64_t z = SIMP_RC; + uint64_t x0, x1, x2, x3, t0, t1; + unsigned round; + + /* Load the state into local variables */ + x0 = be_load_word48(state); + x1 = be_load_word48(state + 6); + x2 = be_load_word48(state + 12); + x3 = be_load_word48(state + 18); + + /* Perform all steps */ + for (; steps > 0; --steps) { + /* Perform all rounds for this step, two at a time */ + for (round = 0; round < (SIMP_192_ROUNDS / 2); ++round) { + t1 = x3 ^ (leftRotate1_48(x2) & leftRotate8_48(x2)) ^ + leftRotate2_48(x2) ^ x1; + t0 = x1 ^ rightRotate3_48(x0) ^ rightRotate4_48(x0) ^ + 0xFFFFFFFFFFFFFFFCULL ^ (z & 1); + t0 &= 0x0000FFFFFFFFFFFFULL; /* Truncate back to 48 bits */ + t1 &= 0x0000FFFFFFFFFFFFULL; + z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */ + x2 = x2 ^ (leftRotate1_48(t1) & leftRotate8_48(t1)) ^ + leftRotate2_48(t1) ^ x0; + x0 = x0 ^ rightRotate3_48(t0) ^ rightRotate4_48(t0) ^ + 0xFFFFFFFFFFFFFFFCULL ^ (z & 1); + x0 &= 0x0000FFFFFFFFFFFFULL; + x2 &= 0x0000FFFFFFFFFFFFULL; + x1 = t0; + x3 = t1; + z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */ + } + + /* Swap the words of the state for all steps except the last */ + if (steps > 1) { + t0 = x0; + t1 = x1; + x0 = x2; + x1 = x3; + x2 = t0; + x3 = t1; + } + } + + /* Write the local variables back to the state */ + be_store_word48(state, x0); + be_store_word48(state + 6, x1); + be_store_word48(state + 12, x2); + be_store_word48(state + 18, x3); +} diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.h new file mode 100644 index 0000000..3a95e80 --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.h @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SIMP_H +#define LW_INTERNAL_SIMP_H + +#include "internal-util.h" + +/** + * \file internal-simp.h + * \brief SimP permutation family. + * + * SimP-256 and SimP-192 are used by the Oribatida submission to + * round 2 of the NIST Lightweight Cryptography Competition. + * The permutations are built around reduced-round variants of the + * Simon-128-128 and Simon-96-96 block ciphers. + * + * References: https://www.isical.ac.in/~lightweight/oribatida/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief State size of the SimP-256 permutation. + */ +#define SIMP_256_STATE_SIZE 32 + +/** + * \brief State size of the SimP-192 permutation. + */ +#define SIMP_192_STATE_SIZE 24 + +/** + * \brief Permutes a state with SimP-256. + * + * \param state State to be permuted. + * \param steps Number of steps to perform (usually 2 or 4). + */ +void simp_256_permute(unsigned char state[SIMP_256_STATE_SIZE], unsigned steps); + +/** + * \brief Permutes a state with SimP-192. + * + * \param state State to be permuted. + * \param steps Number of steps to perform (usually 2 or 4). + */ +void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-util.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.c b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.c new file mode 100644 index 0000000..55a3914 --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.c @@ -0,0 +1,480 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "oribatida.h" +#include "internal-simp.h" +#include + +/** + * \brief Rate for processing data for the Oribatida-256-64 state. + */ +#define ORIBATIDA_256_RATE 16 + +/** + * \brief Size of the masking value for Oribatida-256-64. + */ +#define ORIBATIDA_256_MASK_SIZE 8 + +/** + * \brief Rate for processing data for the Oribatida-192-96 state. + */ +#define ORIBATIDA_192_RATE 12 + +/** + * \brief Size of the masking value for Oribatida-192-96. + */ +#define ORIBATIDA_192_MASK_SIZE 12 + +aead_cipher_t const oribatida_256_cipher = { + "Oribatida-256-64", + ORIBATIDA_256_KEY_SIZE, + ORIBATIDA_256_NONCE_SIZE, + ORIBATIDA_256_TAG_SIZE, + AEAD_FLAG_NONE, + oribatida_256_aead_encrypt, + oribatida_256_aead_decrypt +}; + +aead_cipher_t const oribatida_192_cipher = { + "Oribatida-192-96", + ORIBATIDA_192_KEY_SIZE, + ORIBATIDA_192_NONCE_SIZE, + ORIBATIDA_192_TAG_SIZE, + AEAD_FLAG_NONE, + oribatida_192_aead_encrypt, + oribatida_192_aead_decrypt +}; + +/* Definitions for domain separation values */ +#define ORIBATIDA_NUM_DOMAINS 3 +#define ORIBATIDA_DOMAIN_NONCE 0 +#define ORIBATIDA_DOMAIN_AD 1 +#define ORIBATIDA_DOMAIN_MSG 2 + +/** + * \brief Gets the domain separation values to use for different phases + * of the Oribatida encryption process. + * + * \param domains Returns the domain separation values to use. + * \param adlen Length of the associated data. + * \param mlen Length of the plaintext message. + * \param rate Rate of processing message blocks, 12 or 16. + */ +static void oribatida_get_domains + (unsigned char domains[ORIBATIDA_NUM_DOMAINS], + unsigned long long adlen, unsigned long long mlen, unsigned rate) +{ + /* Domain separation value for the nonce */ + if (adlen == 0 && mlen == 0) { + domains[ORIBATIDA_DOMAIN_NONCE] = 9; + } else { + domains[ORIBATIDA_DOMAIN_NONCE] = 5; + } + + /* Domain separation value for associated data processing */ + if (mlen == 0) { + if ((adlen % rate) == 0) + domains[ORIBATIDA_DOMAIN_AD] = 12; + else + domains[ORIBATIDA_DOMAIN_AD] = 14; + } else { + if ((adlen % rate) == 0) + domains[ORIBATIDA_DOMAIN_AD] = 4; + else + domains[ORIBATIDA_DOMAIN_AD] = 6; + } + + /* Domain separation value for message processing */ + if ((mlen % rate) == 0) { + domains[ORIBATIDA_DOMAIN_MSG] = 13; + } else { + domains[ORIBATIDA_DOMAIN_MSG] = 15; + } +} + +/** + * \brief Initializes the Oribatida-256-64 state. + * + * \param state Oribatida-256-64 permutation state. + * \param mask Oribatida-256-64 masking state. + * \param domains Precomputed domain separation values. + * \param k Points to the key. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void oribatida_256_init + (unsigned char state[SIMP_256_STATE_SIZE], + unsigned char mask[ORIBATIDA_256_MASK_SIZE], + const unsigned char domains[ORIBATIDA_NUM_DOMAINS], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state with the key and nonce */ + memcpy(state, npub, ORIBATIDA_256_NONCE_SIZE); + memcpy(state + ORIBATIDA_256_NONCE_SIZE, k, ORIBATIDA_256_KEY_SIZE); + + /* Use the current state as the mask for zero-length associated data */ + if (adlen == 0) { + memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, + ORIBATIDA_256_MASK_SIZE); + } + + /* Add the domain separation value for the nonce */ + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_NONCE]; + + /* Run the permutation for the first time */ + simp_256_permute(state, 4); + + /* If there is no associated data, then we are done */ + if (adlen == 0) + return; + + /* Use the current state as the mask for non-zero length associated data */ + memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, + ORIBATIDA_256_MASK_SIZE); + + /* Process all associated data blocks except the last */ + while (adlen > ORIBATIDA_256_RATE) { + lw_xor_block(state, ad, ORIBATIDA_256_RATE); + simp_256_permute(state, 2); + ad += ORIBATIDA_256_RATE; + adlen -= ORIBATIDA_256_RATE; + } + + /* Process the final associated data block */ + temp = (unsigned)adlen; + if (temp == ORIBATIDA_256_RATE) { + lw_xor_block(state, ad, ORIBATIDA_256_RATE); + } else { + lw_xor_block(state, ad, temp); + state[temp] ^= 0x80; /* padding */ + } + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_AD]; + simp_256_permute(state, 4); +} + +/** + * \brief Initializes the Oribatida-192-96 state. + * + * \param state Oribatida-192-96 permutation state. + * \param mask Oribatida-192-96 masking state. + * \param domains Precomputed domain separation values. + * \param k Points to the key. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void oribatida_192_init + (unsigned char state[SIMP_192_STATE_SIZE], + unsigned char mask[ORIBATIDA_192_MASK_SIZE], + const unsigned char domains[ORIBATIDA_NUM_DOMAINS], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state with the key and nonce */ + memcpy(state, npub, ORIBATIDA_192_NONCE_SIZE); + memcpy(state + ORIBATIDA_192_NONCE_SIZE, k, ORIBATIDA_256_KEY_SIZE); + + /* Use the current state as the mask for zero-length associated data */ + if (adlen == 0) { + memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, + ORIBATIDA_192_MASK_SIZE); + } + + /* Add the domain separation value for the nonce */ + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_NONCE]; + + /* Run the permutation for the first time */ + simp_192_permute(state, 4); + + /* If there is no associated data, then we are done */ + if (adlen == 0) + return; + + /* Use the current state as the mask for non-zero length associated data */ + memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, + ORIBATIDA_192_MASK_SIZE); + + /* Process all associated data blocks except the last */ + while (adlen > ORIBATIDA_192_RATE) { + lw_xor_block(state, ad, ORIBATIDA_192_RATE); + simp_192_permute(state, 2); + ad += ORIBATIDA_192_RATE; + adlen -= ORIBATIDA_192_RATE; + } + + /* Process the final associated data block */ + temp = (unsigned)adlen; + if (temp == ORIBATIDA_192_RATE) { + lw_xor_block(state, ad, ORIBATIDA_192_RATE); + } else { + lw_xor_block(state, ad, temp); + state[temp] ^= 0x80; /* padding */ + } + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_AD]; + simp_192_permute(state, 4); +} + +int oribatida_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SIMP_256_STATE_SIZE]; + unsigned char mask[ORIBATIDA_256_MASK_SIZE]; + unsigned char domains[ORIBATIDA_NUM_DOMAINS]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ORIBATIDA_256_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + oribatida_get_domains(domains, adlen, mlen, ORIBATIDA_256_RATE); + oribatida_256_init(state, mask, domains, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen > ORIBATIDA_256_RATE) { + lw_xor_block_2_dest(c, state, m, ORIBATIDA_256_RATE); + lw_xor_block(c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, + mask, ORIBATIDA_256_MASK_SIZE); + memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, + ORIBATIDA_256_MASK_SIZE); + simp_256_permute(state, 4); + c += ORIBATIDA_256_RATE; + m += ORIBATIDA_256_RATE; + mlen -= ORIBATIDA_256_RATE; + } + if (mlen == ORIBATIDA_256_RATE) { + lw_xor_block_2_dest(c, state, m, ORIBATIDA_256_RATE); + lw_xor_block(c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, + mask, ORIBATIDA_256_MASK_SIZE); + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_256_permute(state, 4); + } else if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state, m, temp); + if (temp > (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)) { + lw_xor_block + (c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, mask, + temp - (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)); + } + state[temp] ^= 0x80; /* padding */ + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_256_permute(state, 4); + } + + /* Generate the authentication tag */ + memcpy(c + mlen, state, ORIBATIDA_256_TAG_SIZE); + return 0; +} + +int oribatida_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SIMP_256_STATE_SIZE]; + unsigned char mask[ORIBATIDA_256_MASK_SIZE]; + unsigned char domains[ORIBATIDA_NUM_DOMAINS]; + unsigned char block[ORIBATIDA_256_RATE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ORIBATIDA_256_TAG_SIZE) + return -1; + *mlen = clen - ORIBATIDA_256_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + clen -= ORIBATIDA_256_TAG_SIZE; + oribatida_get_domains(domains, adlen, clen, ORIBATIDA_256_RATE); + oribatida_256_init(state, mask, domains, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + while (clen > ORIBATIDA_256_RATE) { + memcpy(block, c, ORIBATIDA_256_RATE); + lw_xor_block(block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, + mask, ORIBATIDA_256_MASK_SIZE); + lw_xor_block_swap(m, state, block, ORIBATIDA_256_RATE); + memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, + ORIBATIDA_256_MASK_SIZE); + simp_256_permute(state, 4); + c += ORIBATIDA_256_RATE; + m += ORIBATIDA_256_RATE; + clen -= ORIBATIDA_256_RATE; + } + if (clen == ORIBATIDA_256_RATE) { + memcpy(block, c, ORIBATIDA_256_RATE); + lw_xor_block(block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, + mask, ORIBATIDA_256_MASK_SIZE); + lw_xor_block_swap(m, state, block, ORIBATIDA_256_RATE); + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_256_permute(state, 4); + } else if (clen > 0) { + unsigned temp = (unsigned)clen; + memcpy(block, c, temp); + if (temp > (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)) { + lw_xor_block + (block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, mask, + temp - (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)); + } + lw_xor_block_swap(m, state, block, temp); + state[temp] ^= 0x80; /* padding */ + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_256_permute(state, 4); + } + c += clen; + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, state, c, ORIBATIDA_256_TAG_SIZE); +} + +int oribatida_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SIMP_192_STATE_SIZE]; + unsigned char mask[ORIBATIDA_192_MASK_SIZE]; + unsigned char domains[ORIBATIDA_NUM_DOMAINS]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ORIBATIDA_192_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + oribatida_get_domains(domains, adlen, mlen, ORIBATIDA_192_RATE); + oribatida_192_init(state, mask, domains, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen > ORIBATIDA_192_RATE) { + lw_xor_block_2_dest(c, state, m, ORIBATIDA_192_RATE); + lw_xor_block(c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, + mask, ORIBATIDA_192_MASK_SIZE); + memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, + ORIBATIDA_192_MASK_SIZE); + simp_192_permute(state, 4); + c += ORIBATIDA_192_RATE; + m += ORIBATIDA_192_RATE; + mlen -= ORIBATIDA_192_RATE; + } + if (mlen == ORIBATIDA_192_RATE) { + lw_xor_block_2_dest(c, state, m, ORIBATIDA_192_RATE); + lw_xor_block(c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, + mask, ORIBATIDA_192_MASK_SIZE); + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_192_permute(state, 4); + } else if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state, m, temp); + if (temp > (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)) { + lw_xor_block + (c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, mask, + temp - (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)); + } + state[temp] ^= 0x80; /* padding */ + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_192_permute(state, 4); + } + + /* Generate the authentication tag */ + memcpy(c + mlen, state, ORIBATIDA_192_TAG_SIZE); + return 0; +} + +int oribatida_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SIMP_192_STATE_SIZE]; + unsigned char mask[ORIBATIDA_192_MASK_SIZE]; + unsigned char domains[ORIBATIDA_NUM_DOMAINS]; + unsigned char block[ORIBATIDA_192_RATE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ORIBATIDA_192_TAG_SIZE) + return -1; + *mlen = clen - ORIBATIDA_192_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + clen -= ORIBATIDA_192_TAG_SIZE; + oribatida_get_domains(domains, adlen, clen, ORIBATIDA_192_RATE); + oribatida_192_init(state, mask, domains, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + while (clen > ORIBATIDA_192_RATE) { + memcpy(block, c, ORIBATIDA_192_RATE); + lw_xor_block(block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, + mask, ORIBATIDA_192_MASK_SIZE); + lw_xor_block_swap(m, state, block, ORIBATIDA_192_RATE); + memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, + ORIBATIDA_192_MASK_SIZE); + simp_192_permute(state, 4); + c += ORIBATIDA_192_RATE; + m += ORIBATIDA_192_RATE; + clen -= ORIBATIDA_192_RATE; + } + if (clen == ORIBATIDA_192_RATE) { + memcpy(block, c, ORIBATIDA_192_RATE); + lw_xor_block(block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, + mask, ORIBATIDA_192_MASK_SIZE); + lw_xor_block_swap(m, state, block, ORIBATIDA_192_RATE); + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_192_permute(state, 4); + } else if (clen > 0) { + unsigned temp = (unsigned)clen; + memcpy(block, c, temp); + if (temp > (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)) { + lw_xor_block + (block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, mask, + temp - (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)); + } + lw_xor_block_swap(m, state, block, temp); + state[temp] ^= 0x80; /* padding */ + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_192_permute(state, 4); + } + c += clen; + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, state, c, ORIBATIDA_192_TAG_SIZE); +} diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.h new file mode 100644 index 0000000..dbc374b --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/oribatida.h @@ -0,0 +1,212 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ORIBATIDA_H +#define LWCRYPTO_ORIBATIDA_H + +#include "aead-common.h" + +/** + * \file oribatida.h + * \brief Oribatida authenticated encryption algorithm. + * + * Oribatida is a family of authenticated encryption algorithms based on the + * SimP-256 and SimP-192 permutations which are built around reduced-round + * variants of the Simon-128-128 and Simon-96-96 block ciphers. + * There are two algorithms in the family: + * + * \li Oribatida-256-64 with a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * built around the SimP-256 permutation. This is the primary member of + * the family. + * \li Oribatida-192-96 with a 128-bit key, a 64-bit nonce, and a 96-bit tag, + * built around the SimP-192 permutation. + * + * References: https://www.isical.ac.in/~lightweight/oribatida/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Oribatida-256-64. + */ +#define ORIBATIDA_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Oribatida-256-64. + */ +#define ORIBATIDA_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Oribatida-256-64. + */ +#define ORIBATIDA_256_NONCE_SIZE 16 + +/** + * \brief Size of the key for Oribatida-192-96. + */ +#define ORIBATIDA_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Oribatida-192-96. + */ +#define ORIBATIDA_192_TAG_SIZE 12 + +/** + * \brief Size of the nonce for Oribatida-192-96. + */ +#define ORIBATIDA_192_NONCE_SIZE 8 + +/** + * \brief Meta-information block for the Oribatida-256-64 cipher. + */ +extern aead_cipher_t const oribatida_256_cipher; + +/** + * \brief Meta-information block for the Oribatida-192-96 cipher. + */ +extern aead_cipher_t const oribatida_192_cipher; + +/** + * \brief Encrypts and authenticates a packet with Oribatida-256-64. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa oribatida_256_aead_decrypt() + */ +int oribatida_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Oribatida-256-64. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa oribatida_256_aead_encrypt() + */ +int oribatida_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Oribatida-192-96. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 12 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa oribatida_192_aead_decrypt() + */ +int oribatida_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Oribatida-192-96. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 12 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa oribatida_192_aead_encrypt() + */ +int oribatida_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.c b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/api.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/encrypt.c b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/encrypt.c new file mode 100644 index 0000000..fd7d71e --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "oribatida.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return oribatida_256_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return oribatida_256_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.c b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.c new file mode 100644 index 0000000..4ca50d0 --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.c @@ -0,0 +1,168 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-simp.h" + +/** + * \brief Number of rounds for the inner block cipher within SimP-256. + */ +#define SIMP_256_ROUNDS 34 + +/** + * \brief Number of rounds for the inner block cipher within SimP-192. + */ +#define SIMP_192_ROUNDS 26 + +/** + * \brief Round constants for each of the rounds in SimP-256 or SimP-192. + * + * Bit i is the round constant for round i, repeated every 62 rounds. + */ +#define SIMP_RC 0x3369F885192C0EF5ULL + +void simp_256_permute(unsigned char state[SIMP_256_STATE_SIZE], unsigned steps) +{ + uint64_t z = SIMP_RC; + uint64_t x0, x1, x2, x3, t0, t1; + unsigned round; + + /* Load the state into local variables */ + x0 = be_load_word64(state); + x1 = be_load_word64(state + 8); + x2 = be_load_word64(state + 16); + x3 = be_load_word64(state + 24); + + /* Perform all steps */ + for (; steps > 0; --steps) { + /* Perform all rounds for this step, two at a time */ + for (round = 0; round < (SIMP_256_ROUNDS / 2); ++round) { + t1 = x3 ^ (leftRotate1_64(x2) & leftRotate8_64(x2)) ^ + leftRotate2_64(x2) ^ x1; + t0 = x1 ^ rightRotate3_64(x0) ^ rightRotate4_64(x0) ^ + 0xFFFFFFFFFFFFFFFCULL ^ (z & 1); + z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */ + x2 = x2 ^ (leftRotate1_64(t1) & leftRotate8_64(t1)) ^ + leftRotate2_64(t1) ^ x0; + x0 = x0 ^ rightRotate3_64(t0) ^ rightRotate4_64(t0) ^ + 0xFFFFFFFFFFFFFFFCULL ^ (z & 1); + x1 = t0; + x3 = t1; + z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */ + } + + /* Swap the words of the state for all steps except the last */ + if (steps > 1) { + t0 = x0; + t1 = x1; + x0 = x2; + x1 = x3; + x2 = t0; + x3 = t1; + } + } + + /* Write the local variables back to the state */ + be_store_word64(state, x0); + be_store_word64(state + 8, x1); + be_store_word64(state + 16, x2); + be_store_word64(state + 24, x3); +} + +/* Load a big-endian 48-bit word from a byte buffer */ +#define be_load_word48(ptr) \ + ((((uint64_t)((ptr)[0])) << 40) | \ + (((uint64_t)((ptr)[1])) << 32) | \ + (((uint64_t)((ptr)[2])) << 24) | \ + (((uint64_t)((ptr)[3])) << 16) | \ + (((uint64_t)((ptr)[4])) << 8) | \ + ((uint64_t)((ptr)[5]))) + +/* Store a big-endian 48-bit word into a byte buffer */ +#define be_store_word48(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 40); \ + (ptr)[1] = (uint8_t)(_x >> 32); \ + (ptr)[2] = (uint8_t)(_x >> 24); \ + (ptr)[3] = (uint8_t)(_x >> 16); \ + (ptr)[4] = (uint8_t)(_x >> 8); \ + (ptr)[5] = (uint8_t)_x; \ + } while (0) + +/* 48-bit rotations with the high bits set to garbage - truncated later */ +#define rightRotate3_48(x) (((x) >> 3) | ((x) << 45)) +#define rightRotate4_48(x) (((x) >> 4) | ((x) << 44)) +#define leftRotate1_48(x) (((x) << 1) | ((x) >> 47)) +#define leftRotate2_48(x) (((x) << 2) | ((x) >> 46)) +#define leftRotate8_48(x) (((x) << 8) | ((x) >> 40)) + +void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps) +{ + uint64_t z = SIMP_RC; + uint64_t x0, x1, x2, x3, t0, t1; + unsigned round; + + /* Load the state into local variables */ + x0 = be_load_word48(state); + x1 = be_load_word48(state + 6); + x2 = be_load_word48(state + 12); + x3 = be_load_word48(state + 18); + + /* Perform all steps */ + for (; steps > 0; --steps) { + /* Perform all rounds for this step, two at a time */ + for (round = 0; round < (SIMP_192_ROUNDS / 2); ++round) { + t1 = x3 ^ (leftRotate1_48(x2) & leftRotate8_48(x2)) ^ + leftRotate2_48(x2) ^ x1; + t0 = x1 ^ rightRotate3_48(x0) ^ rightRotate4_48(x0) ^ + 0xFFFFFFFFFFFFFFFCULL ^ (z & 1); + t0 &= 0x0000FFFFFFFFFFFFULL; /* Truncate back to 48 bits */ + t1 &= 0x0000FFFFFFFFFFFFULL; + z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */ + x2 = x2 ^ (leftRotate1_48(t1) & leftRotate8_48(t1)) ^ + leftRotate2_48(t1) ^ x0; + x0 = x0 ^ rightRotate3_48(t0) ^ rightRotate4_48(t0) ^ + 0xFFFFFFFFFFFFFFFCULL ^ (z & 1); + x0 &= 0x0000FFFFFFFFFFFFULL; + x2 &= 0x0000FFFFFFFFFFFFULL; + x1 = t0; + x3 = t1; + z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */ + } + + /* Swap the words of the state for all steps except the last */ + if (steps > 1) { + t0 = x0; + t1 = x1; + x0 = x2; + x1 = x3; + x2 = t0; + x3 = t1; + } + } + + /* Write the local variables back to the state */ + be_store_word48(state, x0); + be_store_word48(state + 6, x1); + be_store_word48(state + 12, x2); + be_store_word48(state + 18, x3); +} diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.h new file mode 100644 index 0000000..3a95e80 --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.h @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SIMP_H +#define LW_INTERNAL_SIMP_H + +#include "internal-util.h" + +/** + * \file internal-simp.h + * \brief SimP permutation family. + * + * SimP-256 and SimP-192 are used by the Oribatida submission to + * round 2 of the NIST Lightweight Cryptography Competition. + * The permutations are built around reduced-round variants of the + * Simon-128-128 and Simon-96-96 block ciphers. + * + * References: https://www.isical.ac.in/~lightweight/oribatida/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief State size of the SimP-256 permutation. + */ +#define SIMP_256_STATE_SIZE 32 + +/** + * \brief State size of the SimP-192 permutation. + */ +#define SIMP_192_STATE_SIZE 24 + +/** + * \brief Permutes a state with SimP-256. + * + * \param state State to be permuted. + * \param steps Number of steps to perform (usually 2 or 4). + */ +void simp_256_permute(unsigned char state[SIMP_256_STATE_SIZE], unsigned steps); + +/** + * \brief Permutes a state with SimP-192. + * + * \param state State to be permuted. + * \param steps Number of steps to perform (usually 2 or 4). + */ +void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-util.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.c b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.c new file mode 100644 index 0000000..55a3914 --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.c @@ -0,0 +1,480 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "oribatida.h" +#include "internal-simp.h" +#include + +/** + * \brief Rate for processing data for the Oribatida-256-64 state. + */ +#define ORIBATIDA_256_RATE 16 + +/** + * \brief Size of the masking value for Oribatida-256-64. + */ +#define ORIBATIDA_256_MASK_SIZE 8 + +/** + * \brief Rate for processing data for the Oribatida-192-96 state. + */ +#define ORIBATIDA_192_RATE 12 + +/** + * \brief Size of the masking value for Oribatida-192-96. + */ +#define ORIBATIDA_192_MASK_SIZE 12 + +aead_cipher_t const oribatida_256_cipher = { + "Oribatida-256-64", + ORIBATIDA_256_KEY_SIZE, + ORIBATIDA_256_NONCE_SIZE, + ORIBATIDA_256_TAG_SIZE, + AEAD_FLAG_NONE, + oribatida_256_aead_encrypt, + oribatida_256_aead_decrypt +}; + +aead_cipher_t const oribatida_192_cipher = { + "Oribatida-192-96", + ORIBATIDA_192_KEY_SIZE, + ORIBATIDA_192_NONCE_SIZE, + ORIBATIDA_192_TAG_SIZE, + AEAD_FLAG_NONE, + oribatida_192_aead_encrypt, + oribatida_192_aead_decrypt +}; + +/* Definitions for domain separation values */ +#define ORIBATIDA_NUM_DOMAINS 3 +#define ORIBATIDA_DOMAIN_NONCE 0 +#define ORIBATIDA_DOMAIN_AD 1 +#define ORIBATIDA_DOMAIN_MSG 2 + +/** + * \brief Gets the domain separation values to use for different phases + * of the Oribatida encryption process. + * + * \param domains Returns the domain separation values to use. + * \param adlen Length of the associated data. + * \param mlen Length of the plaintext message. + * \param rate Rate of processing message blocks, 12 or 16. + */ +static void oribatida_get_domains + (unsigned char domains[ORIBATIDA_NUM_DOMAINS], + unsigned long long adlen, unsigned long long mlen, unsigned rate) +{ + /* Domain separation value for the nonce */ + if (adlen == 0 && mlen == 0) { + domains[ORIBATIDA_DOMAIN_NONCE] = 9; + } else { + domains[ORIBATIDA_DOMAIN_NONCE] = 5; + } + + /* Domain separation value for associated data processing */ + if (mlen == 0) { + if ((adlen % rate) == 0) + domains[ORIBATIDA_DOMAIN_AD] = 12; + else + domains[ORIBATIDA_DOMAIN_AD] = 14; + } else { + if ((adlen % rate) == 0) + domains[ORIBATIDA_DOMAIN_AD] = 4; + else + domains[ORIBATIDA_DOMAIN_AD] = 6; + } + + /* Domain separation value for message processing */ + if ((mlen % rate) == 0) { + domains[ORIBATIDA_DOMAIN_MSG] = 13; + } else { + domains[ORIBATIDA_DOMAIN_MSG] = 15; + } +} + +/** + * \brief Initializes the Oribatida-256-64 state. + * + * \param state Oribatida-256-64 permutation state. + * \param mask Oribatida-256-64 masking state. + * \param domains Precomputed domain separation values. + * \param k Points to the key. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void oribatida_256_init + (unsigned char state[SIMP_256_STATE_SIZE], + unsigned char mask[ORIBATIDA_256_MASK_SIZE], + const unsigned char domains[ORIBATIDA_NUM_DOMAINS], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state with the key and nonce */ + memcpy(state, npub, ORIBATIDA_256_NONCE_SIZE); + memcpy(state + ORIBATIDA_256_NONCE_SIZE, k, ORIBATIDA_256_KEY_SIZE); + + /* Use the current state as the mask for zero-length associated data */ + if (adlen == 0) { + memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, + ORIBATIDA_256_MASK_SIZE); + } + + /* Add the domain separation value for the nonce */ + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_NONCE]; + + /* Run the permutation for the first time */ + simp_256_permute(state, 4); + + /* If there is no associated data, then we are done */ + if (adlen == 0) + return; + + /* Use the current state as the mask for non-zero length associated data */ + memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, + ORIBATIDA_256_MASK_SIZE); + + /* Process all associated data blocks except the last */ + while (adlen > ORIBATIDA_256_RATE) { + lw_xor_block(state, ad, ORIBATIDA_256_RATE); + simp_256_permute(state, 2); + ad += ORIBATIDA_256_RATE; + adlen -= ORIBATIDA_256_RATE; + } + + /* Process the final associated data block */ + temp = (unsigned)adlen; + if (temp == ORIBATIDA_256_RATE) { + lw_xor_block(state, ad, ORIBATIDA_256_RATE); + } else { + lw_xor_block(state, ad, temp); + state[temp] ^= 0x80; /* padding */ + } + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_AD]; + simp_256_permute(state, 4); +} + +/** + * \brief Initializes the Oribatida-192-96 state. + * + * \param state Oribatida-192-96 permutation state. + * \param mask Oribatida-192-96 masking state. + * \param domains Precomputed domain separation values. + * \param k Points to the key. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void oribatida_192_init + (unsigned char state[SIMP_192_STATE_SIZE], + unsigned char mask[ORIBATIDA_192_MASK_SIZE], + const unsigned char domains[ORIBATIDA_NUM_DOMAINS], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state with the key and nonce */ + memcpy(state, npub, ORIBATIDA_192_NONCE_SIZE); + memcpy(state + ORIBATIDA_192_NONCE_SIZE, k, ORIBATIDA_256_KEY_SIZE); + + /* Use the current state as the mask for zero-length associated data */ + if (adlen == 0) { + memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, + ORIBATIDA_192_MASK_SIZE); + } + + /* Add the domain separation value for the nonce */ + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_NONCE]; + + /* Run the permutation for the first time */ + simp_192_permute(state, 4); + + /* If there is no associated data, then we are done */ + if (adlen == 0) + return; + + /* Use the current state as the mask for non-zero length associated data */ + memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, + ORIBATIDA_192_MASK_SIZE); + + /* Process all associated data blocks except the last */ + while (adlen > ORIBATIDA_192_RATE) { + lw_xor_block(state, ad, ORIBATIDA_192_RATE); + simp_192_permute(state, 2); + ad += ORIBATIDA_192_RATE; + adlen -= ORIBATIDA_192_RATE; + } + + /* Process the final associated data block */ + temp = (unsigned)adlen; + if (temp == ORIBATIDA_192_RATE) { + lw_xor_block(state, ad, ORIBATIDA_192_RATE); + } else { + lw_xor_block(state, ad, temp); + state[temp] ^= 0x80; /* padding */ + } + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_AD]; + simp_192_permute(state, 4); +} + +int oribatida_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SIMP_256_STATE_SIZE]; + unsigned char mask[ORIBATIDA_256_MASK_SIZE]; + unsigned char domains[ORIBATIDA_NUM_DOMAINS]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ORIBATIDA_256_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + oribatida_get_domains(domains, adlen, mlen, ORIBATIDA_256_RATE); + oribatida_256_init(state, mask, domains, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen > ORIBATIDA_256_RATE) { + lw_xor_block_2_dest(c, state, m, ORIBATIDA_256_RATE); + lw_xor_block(c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, + mask, ORIBATIDA_256_MASK_SIZE); + memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, + ORIBATIDA_256_MASK_SIZE); + simp_256_permute(state, 4); + c += ORIBATIDA_256_RATE; + m += ORIBATIDA_256_RATE; + mlen -= ORIBATIDA_256_RATE; + } + if (mlen == ORIBATIDA_256_RATE) { + lw_xor_block_2_dest(c, state, m, ORIBATIDA_256_RATE); + lw_xor_block(c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, + mask, ORIBATIDA_256_MASK_SIZE); + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_256_permute(state, 4); + } else if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state, m, temp); + if (temp > (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)) { + lw_xor_block + (c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, mask, + temp - (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)); + } + state[temp] ^= 0x80; /* padding */ + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_256_permute(state, 4); + } + + /* Generate the authentication tag */ + memcpy(c + mlen, state, ORIBATIDA_256_TAG_SIZE); + return 0; +} + +int oribatida_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SIMP_256_STATE_SIZE]; + unsigned char mask[ORIBATIDA_256_MASK_SIZE]; + unsigned char domains[ORIBATIDA_NUM_DOMAINS]; + unsigned char block[ORIBATIDA_256_RATE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ORIBATIDA_256_TAG_SIZE) + return -1; + *mlen = clen - ORIBATIDA_256_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + clen -= ORIBATIDA_256_TAG_SIZE; + oribatida_get_domains(domains, adlen, clen, ORIBATIDA_256_RATE); + oribatida_256_init(state, mask, domains, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + while (clen > ORIBATIDA_256_RATE) { + memcpy(block, c, ORIBATIDA_256_RATE); + lw_xor_block(block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, + mask, ORIBATIDA_256_MASK_SIZE); + lw_xor_block_swap(m, state, block, ORIBATIDA_256_RATE); + memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, + ORIBATIDA_256_MASK_SIZE); + simp_256_permute(state, 4); + c += ORIBATIDA_256_RATE; + m += ORIBATIDA_256_RATE; + clen -= ORIBATIDA_256_RATE; + } + if (clen == ORIBATIDA_256_RATE) { + memcpy(block, c, ORIBATIDA_256_RATE); + lw_xor_block(block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, + mask, ORIBATIDA_256_MASK_SIZE); + lw_xor_block_swap(m, state, block, ORIBATIDA_256_RATE); + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_256_permute(state, 4); + } else if (clen > 0) { + unsigned temp = (unsigned)clen; + memcpy(block, c, temp); + if (temp > (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)) { + lw_xor_block + (block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, mask, + temp - (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)); + } + lw_xor_block_swap(m, state, block, temp); + state[temp] ^= 0x80; /* padding */ + state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_256_permute(state, 4); + } + c += clen; + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, state, c, ORIBATIDA_256_TAG_SIZE); +} + +int oribatida_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SIMP_192_STATE_SIZE]; + unsigned char mask[ORIBATIDA_192_MASK_SIZE]; + unsigned char domains[ORIBATIDA_NUM_DOMAINS]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ORIBATIDA_192_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + oribatida_get_domains(domains, adlen, mlen, ORIBATIDA_192_RATE); + oribatida_192_init(state, mask, domains, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen > ORIBATIDA_192_RATE) { + lw_xor_block_2_dest(c, state, m, ORIBATIDA_192_RATE); + lw_xor_block(c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, + mask, ORIBATIDA_192_MASK_SIZE); + memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, + ORIBATIDA_192_MASK_SIZE); + simp_192_permute(state, 4); + c += ORIBATIDA_192_RATE; + m += ORIBATIDA_192_RATE; + mlen -= ORIBATIDA_192_RATE; + } + if (mlen == ORIBATIDA_192_RATE) { + lw_xor_block_2_dest(c, state, m, ORIBATIDA_192_RATE); + lw_xor_block(c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, + mask, ORIBATIDA_192_MASK_SIZE); + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_192_permute(state, 4); + } else if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state, m, temp); + if (temp > (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)) { + lw_xor_block + (c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, mask, + temp - (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)); + } + state[temp] ^= 0x80; /* padding */ + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_192_permute(state, 4); + } + + /* Generate the authentication tag */ + memcpy(c + mlen, state, ORIBATIDA_192_TAG_SIZE); + return 0; +} + +int oribatida_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SIMP_192_STATE_SIZE]; + unsigned char mask[ORIBATIDA_192_MASK_SIZE]; + unsigned char domains[ORIBATIDA_NUM_DOMAINS]; + unsigned char block[ORIBATIDA_192_RATE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ORIBATIDA_192_TAG_SIZE) + return -1; + *mlen = clen - ORIBATIDA_192_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + clen -= ORIBATIDA_192_TAG_SIZE; + oribatida_get_domains(domains, adlen, clen, ORIBATIDA_192_RATE); + oribatida_192_init(state, mask, domains, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + while (clen > ORIBATIDA_192_RATE) { + memcpy(block, c, ORIBATIDA_192_RATE); + lw_xor_block(block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, + mask, ORIBATIDA_192_MASK_SIZE); + lw_xor_block_swap(m, state, block, ORIBATIDA_192_RATE); + memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, + ORIBATIDA_192_MASK_SIZE); + simp_192_permute(state, 4); + c += ORIBATIDA_192_RATE; + m += ORIBATIDA_192_RATE; + clen -= ORIBATIDA_192_RATE; + } + if (clen == ORIBATIDA_192_RATE) { + memcpy(block, c, ORIBATIDA_192_RATE); + lw_xor_block(block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, + mask, ORIBATIDA_192_MASK_SIZE); + lw_xor_block_swap(m, state, block, ORIBATIDA_192_RATE); + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_192_permute(state, 4); + } else if (clen > 0) { + unsigned temp = (unsigned)clen; + memcpy(block, c, temp); + if (temp > (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)) { + lw_xor_block + (block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, mask, + temp - (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)); + } + lw_xor_block_swap(m, state, block, temp); + state[temp] ^= 0x80; /* padding */ + state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; + simp_192_permute(state, 4); + } + c += clen; + + /* Check the authentication tag */ + return aead_check_tag(mtemp, *mlen, state, c, ORIBATIDA_192_TAG_SIZE); +} diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.h new file mode 100644 index 0000000..dbc374b --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/oribatida.h @@ -0,0 +1,212 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ORIBATIDA_H +#define LWCRYPTO_ORIBATIDA_H + +#include "aead-common.h" + +/** + * \file oribatida.h + * \brief Oribatida authenticated encryption algorithm. + * + * Oribatida is a family of authenticated encryption algorithms based on the + * SimP-256 and SimP-192 permutations which are built around reduced-round + * variants of the Simon-128-128 and Simon-96-96 block ciphers. + * There are two algorithms in the family: + * + * \li Oribatida-256-64 with a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * built around the SimP-256 permutation. This is the primary member of + * the family. + * \li Oribatida-192-96 with a 128-bit key, a 64-bit nonce, and a 96-bit tag, + * built around the SimP-192 permutation. + * + * References: https://www.isical.ac.in/~lightweight/oribatida/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Oribatida-256-64. + */ +#define ORIBATIDA_256_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Oribatida-256-64. + */ +#define ORIBATIDA_256_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Oribatida-256-64. + */ +#define ORIBATIDA_256_NONCE_SIZE 16 + +/** + * \brief Size of the key for Oribatida-192-96. + */ +#define ORIBATIDA_192_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Oribatida-192-96. + */ +#define ORIBATIDA_192_TAG_SIZE 12 + +/** + * \brief Size of the nonce for Oribatida-192-96. + */ +#define ORIBATIDA_192_NONCE_SIZE 8 + +/** + * \brief Meta-information block for the Oribatida-256-64 cipher. + */ +extern aead_cipher_t const oribatida_256_cipher; + +/** + * \brief Meta-information block for the Oribatida-192-96 cipher. + */ +extern aead_cipher_t const oribatida_192_cipher; + +/** + * \brief Encrypts and authenticates a packet with Oribatida-256-64. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa oribatida_256_aead_decrypt() + */ +int oribatida_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Oribatida-256-64. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa oribatida_256_aead_encrypt() + */ +int oribatida_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Oribatida-192-96. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 12 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa oribatida_192_aead_decrypt() + */ +int oribatida_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Oribatida-192-96. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 12 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa oribatida_192_aead_encrypt() + */ +int oribatida_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/api.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/encrypt.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/encrypt.c new file mode 100644 index 0000000..a36c2ea --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "photon-beetle.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return photon_beetle_128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return photon_beetle_128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.c new file mode 100644 index 0000000..b8743fe --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.c @@ -0,0 +1,479 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-photon256.h" +#include "internal-util.h" + +/** + * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form. + */ +#define PHOTON256_ROUNDS 12 + +/* Round constants for PHOTON-256 */ +static uint32_t const photon256_rc[PHOTON256_ROUNDS] = { + 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e, + 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c, + 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a +}; + +/** + * \brief Evaluates the PHOTON-256 S-box in bit-sliced form. + * + * \param x0 Slice with bit 0 of all nibbles. + * \param x1 Slice with bit 1 of all nibbles. + * \param x2 Slice with bit 2 of all nibbles. + * \param x3 Slice with bit 3 of all nibbles. + * + * This bit-sliced S-box implementation is based on the AVR version + * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code. + */ +#define photon256_sbox(x0, x1, x2, x3) \ + do { \ + x1 ^= x2; \ + x3 ^= (x2 & x1); \ + t1 = x3; \ + x3 = (x3 & x1) ^ x2; \ + t2 = x3; \ + x3 ^= x0; \ + x3 = ~(x3); \ + x2 = x3; \ + t2 |= x0; \ + x0 ^= t1; \ + x1 ^= x0; \ + x2 |= x1; \ + x2 ^= t1; \ + x1 ^= t2; \ + x3 ^= x1; \ + } while (0) + +/** + * \brief Performs a field multiplication on the 8 nibbles in a row. + * + * \param a Field constant to multiply by. + * \param x Bit-sliced form of the row, with bits 0..3 of each nibble + * in bytes 0..3 of the word. + * + * \return a * x packed into the bytes of a word. + */ +static uint32_t photon256_field_multiply(uint8_t a, uint32_t x) +{ + /* For each 4-bit nibble we need to do this: + * + * result = 0; + * for (bit = 0; bit < 4; ++ bit) { + * if ((a & (1 << bit)) != 0) + * result ^= x; + * if ((x & 0x08) != 0) { + * x = (x << 1) ^ 3; + * } else { + * x = (x << 1); + * } + * } + * + * We don't need to worry about constant time for "a" because it is a + * known constant that isn't data-dependent. But we do need to worry + * about constant time for "x" as it is data. + */ + uint32_t result = 0; + uint32_t t; + #define PARALLEL_CONDITIONAL_ADD(bit) \ + do { \ + if ((a) & (1 << (bit))) \ + result ^= x; \ + } while (0) + #define PARALELL_ROTATE() \ + do { \ + t = x >> 24; \ + x = (x << 8) ^ t ^ (t << 8); \ + } while (0) + PARALLEL_CONDITIONAL_ADD(0); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(1); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(2); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(3); + return result; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts a PHOTON-256 state into bit-sliced form. + * + * \param out Points to the converted output. + * \param in Points to the PHOTON-256 state to convert. + */ +static void photon256_to_sliced + (uint32_t out[PHOTON256_STATE_SIZE / 4], + const unsigned char in[PHOTON256_STATE_SIZE]) +{ + /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words. + * Then we rearrange the bytes to group all bits N into word N. + * + * Permutation generated with "http://programming.sirrida.de/calcperm.php". + * + * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 + * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31] + */ + uint32_t t0, t1, t2, t3; + #define TO_BITSLICED_PERM(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + } while (0) + #define FROM_BITSLICED_PERM(x) \ + do { \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + } while (0) + t0 = le_load_word32(in); + t1 = le_load_word32(in + 4); + t2 = le_load_word32(in + 8); + t3 = le_load_word32(in + 12); + TO_BITSLICED_PERM(t0); + TO_BITSLICED_PERM(t1); + TO_BITSLICED_PERM(t2); + TO_BITSLICED_PERM(t3); + out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | + ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); + out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | + ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); + out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | + (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); + out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | + ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); + t0 = le_load_word32(in + 16); + t1 = le_load_word32(in + 20); + t2 = le_load_word32(in + 24); + t3 = le_load_word32(in + 28); + TO_BITSLICED_PERM(t0); + TO_BITSLICED_PERM(t1); + TO_BITSLICED_PERM(t2); + TO_BITSLICED_PERM(t3); + out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | + ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); + out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | + ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); + out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | + (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); + out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | + ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); +} + +/** + * \brief Converts a PHOTON-256 state from bit-sliced form. + * + * \param out Points to the converted output. + * \param in Points to the PHOTON-256 state to convert. + */ +static void photon256_from_sliced + (unsigned char out[PHOTON256_STATE_SIZE], + const unsigned char in[PHOTON256_STATE_SIZE]) +{ + /* Do the reverse of photon256_to_sliced() */ + uint32_t x0, x1, x2, x3; + x0 = ((uint32_t)(in[0])) | + (((uint32_t)(in[4])) << 8) | + (((uint32_t)(in[8])) << 16) | + (((uint32_t)(in[12])) << 24); + x1 = ((uint32_t)(in[1])) | + (((uint32_t)(in[5])) << 8) | + (((uint32_t)(in[9])) << 16) | + (((uint32_t)(in[13])) << 24); + x2 = ((uint32_t)(in[2])) | + (((uint32_t)(in[6])) << 8) | + (((uint32_t)(in[10])) << 16) | + (((uint32_t)(in[14])) << 24); + x3 = ((uint32_t)(in[3])) | + (((uint32_t)(in[7])) << 8) | + (((uint32_t)(in[11])) << 16) | + (((uint32_t)(in[15])) << 24); + FROM_BITSLICED_PERM(x0); + FROM_BITSLICED_PERM(x1); + FROM_BITSLICED_PERM(x2); + FROM_BITSLICED_PERM(x3); + le_store_word32(out, x0); + le_store_word32(out + 4, x1); + le_store_word32(out + 8, x2); + le_store_word32(out + 12, x3); + x0 = ((uint32_t)(in[16])) | + (((uint32_t)(in[20])) << 8) | + (((uint32_t)(in[24])) << 16) | + (((uint32_t)(in[28])) << 24); + x1 = ((uint32_t)(in[17])) | + (((uint32_t)(in[21])) << 8) | + (((uint32_t)(in[25])) << 16) | + (((uint32_t)(in[29])) << 24); + x2 = ((uint32_t)(in[18])) | + (((uint32_t)(in[22])) << 8) | + (((uint32_t)(in[26])) << 16) | + (((uint32_t)(in[30])) << 24); + x3 = ((uint32_t)(in[19])) | + (((uint32_t)(in[23])) << 8) | + (((uint32_t)(in[27])) << 16) | + (((uint32_t)(in[31])) << 24); + FROM_BITSLICED_PERM(x0); + FROM_BITSLICED_PERM(x1); + FROM_BITSLICED_PERM(x2); + FROM_BITSLICED_PERM(x3); + le_store_word32(out + 16, x0); + le_store_word32(out + 20, x1); + le_store_word32(out + 24, x2); + le_store_word32(out + 28, x3); +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +/* Index the bit-sliced state bytes in little-endian byte order */ +#define READ_ROW0() \ + (((uint32_t)(S.bytes[0])) | \ + (((uint32_t)(S.bytes[4])) << 8) | \ + (((uint32_t)(S.bytes[8])) << 16) | \ + (((uint32_t)(S.bytes[12])) << 24)) +#define READ_ROW1() \ + (((uint32_t)(S.bytes[1])) | \ + (((uint32_t)(S.bytes[5])) << 8) | \ + (((uint32_t)(S.bytes[9])) << 16) | \ + (((uint32_t)(S.bytes[13])) << 24)) +#define READ_ROW2() \ + (((uint32_t)(S.bytes[2])) | \ + (((uint32_t)(S.bytes[6])) << 8) | \ + (((uint32_t)(S.bytes[10])) << 16) | \ + (((uint32_t)(S.bytes[14])) << 24)) +#define READ_ROW3() \ + (((uint32_t)(S.bytes[3])) | \ + (((uint32_t)(S.bytes[7])) << 8) | \ + (((uint32_t)(S.bytes[11])) << 16) | \ + (((uint32_t)(S.bytes[15])) << 24)) +#define READ_ROW4() \ + (((uint32_t)(S.bytes[16])) | \ + (((uint32_t)(S.bytes[20])) << 8) | \ + (((uint32_t)(S.bytes[24])) << 16) | \ + (((uint32_t)(S.bytes[28])) << 24)) +#define READ_ROW5() \ + (((uint32_t)(S.bytes[17])) | \ + (((uint32_t)(S.bytes[21])) << 8) | \ + (((uint32_t)(S.bytes[25])) << 16) | \ + (((uint32_t)(S.bytes[29])) << 24)) +#define READ_ROW6() \ + (((uint32_t)(S.bytes[18])) | \ + (((uint32_t)(S.bytes[22])) << 8) | \ + (((uint32_t)(S.bytes[26])) << 16) | \ + (((uint32_t)(S.bytes[30])) << 24)) +#define READ_ROW7() \ + (((uint32_t)(S.bytes[19])) | \ + (((uint32_t)(S.bytes[23])) << 8) | \ + (((uint32_t)(S.bytes[27])) << 16) | \ + (((uint32_t)(S.bytes[31])) << 24)) +#define WRITE_ROW(row, value) \ + do { \ + if ((row) < 4) { \ + S.bytes[(row)] = (uint8_t)(value); \ + S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \ + S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \ + S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \ + } else { \ + S.bytes[(row) + 12] = (uint8_t)(value); \ + S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \ + S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \ + S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \ + } \ + } while (0) +#else +/* Index the bit-sliced state bytes in big-endian byte order */ +#define READ_ROW0() \ + (((uint32_t)(S.bytes[3])) | \ + (((uint32_t)(S.bytes[7])) << 8) | \ + (((uint32_t)(S.bytes[11])) << 16) | \ + (((uint32_t)(S.bytes[15])) << 24)) +#define READ_ROW1() \ + (((uint32_t)(S.bytes[2])) | \ + (((uint32_t)(S.bytes[6])) << 8) | \ + (((uint32_t)(S.bytes[10])) << 16) | \ + (((uint32_t)(S.bytes[14])) << 24)) +#define READ_ROW2() \ + (((uint32_t)(S.bytes[1])) | \ + (((uint32_t)(S.bytes[5])) << 8) | \ + (((uint32_t)(S.bytes[9])) << 16) | \ + (((uint32_t)(S.bytes[13])) << 24)) +#define READ_ROW3() \ + (((uint32_t)(S.bytes[0])) | \ + (((uint32_t)(S.bytes[4])) << 8) | \ + (((uint32_t)(S.bytes[8])) << 16) | \ + (((uint32_t)(S.bytes[12])) << 24)) +#define READ_ROW4() \ + (((uint32_t)(S.bytes[19])) | \ + (((uint32_t)(S.bytes[23])) << 8) | \ + (((uint32_t)(S.bytes[27])) << 16) | \ + (((uint32_t)(S.bytes[31])) << 24)) +#define READ_ROW5() \ + (((uint32_t)(S.bytes[18])) | \ + (((uint32_t)(S.bytes[22])) << 8) | \ + (((uint32_t)(S.bytes[26])) << 16) | \ + (((uint32_t)(S.bytes[30])) << 24)) +#define READ_ROW6() \ + (((uint32_t)(S.bytes[17])) | \ + (((uint32_t)(S.bytes[21])) << 8) | \ + (((uint32_t)(S.bytes[25])) << 16) | \ + (((uint32_t)(S.bytes[29])) << 24)) +#define READ_ROW7() \ + (((uint32_t)(S.bytes[16])) | \ + (((uint32_t)(S.bytes[20])) << 8) | \ + (((uint32_t)(S.bytes[24])) << 16) | \ + (((uint32_t)(S.bytes[28])) << 24)) +#define WRITE_ROW(row, value) \ + do { \ + if ((row) < 4) { \ + S.bytes[3 - (row)] = (uint8_t)(value); \ + S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \ + S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \ + S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \ + } else { \ + S.bytes[20 - (row)] = (uint8_t)(value); \ + S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \ + S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \ + S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \ + } \ + } while (0) +#endif + +void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]) +{ + union { + uint32_t words[PHOTON256_STATE_SIZE / 4]; + uint8_t bytes[PHOTON256_STATE_SIZE]; + } S; + uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8; + uint8_t round; + + /* Convert the state into bit-sliced form */ + photon256_to_sliced(S.words, state); + + /* Perform all 12 permutation rounds */ + for (round = 0; round < PHOTON256_ROUNDS; ++round) { + /* Add the constants for this round */ + t0 = photon256_rc[round]; + S.words[0] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[1] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[2] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[3] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[4] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[5] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[6] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[7] ^= t0 & 0x01010101U; + + /* Apply the sbox to all nibbles in the state */ + photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]); + photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]); + + /* Rotate all rows left by the row number. + * + * We do this by applying permutations to the top and bottom words + * to rearrange the bits into the rotated form. Permutations + * generated with "http://programming.sirrida.de/calcperm.php". + * + * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23 + * 16 17 18 19 20 21 29 30 31 24 25 26 27 28] + * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19 + * 20 21 22 23 16 17 25 26 27 28 29 30 31 24 + */ + #define TOP_ROTATE_PERM(x) \ + do { \ + t1 = (x); \ + bit_permute_step(t1, 0x07030100, 4); \ + bit_permute_step(t1, 0x22331100, 2); \ + bit_permute_step(t1, 0x55005500, 1); \ + (x) = t1; \ + } while (0) + #define BOTTOM_ROTATE_PERM(x) \ + do { \ + t1 = (x); \ + bit_permute_step(t1, 0x080c0e0f, 4); \ + bit_permute_step(t1, 0x22331100, 2); \ + bit_permute_step(t1, 0x55005500, 1); \ + (x) = t1; \ + } while (0) + TOP_ROTATE_PERM(S.words[0]); + TOP_ROTATE_PERM(S.words[1]); + TOP_ROTATE_PERM(S.words[2]); + TOP_ROTATE_PERM(S.words[3]); + BOTTOM_ROTATE_PERM(S.words[4]); + BOTTOM_ROTATE_PERM(S.words[5]); + BOTTOM_ROTATE_PERM(S.words[6]); + BOTTOM_ROTATE_PERM(S.words[7]); + + /* Mix the columns */ + #define MUL(a, x) (photon256_field_multiply((a), (x))) + t0 = READ_ROW0(); + t1 = READ_ROW1(); + t2 = READ_ROW2(); + t3 = READ_ROW3(); + t4 = READ_ROW4(); + t5 = READ_ROW5(); + t6 = READ_ROW6(); + t7 = READ_ROW7(); + t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^ + MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7); + WRITE_ROW(0, t8); + t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^ + MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7); + WRITE_ROW(1, t8); + t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^ + MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7); + WRITE_ROW(2, t8); + t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^ + MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7); + WRITE_ROW(3, t8); + t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^ + MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7); + WRITE_ROW(4, t8); + t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^ + MUL(0x04, t4) ^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7); + WRITE_ROW(5, t8); + t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^ + MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7); + WRITE_ROW(6, t8); + t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^ + MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7); + WRITE_ROW(7, t8); + } + + /* Convert back from bit-sliced form to regular form */ + photon256_from_sliced(state, S.bytes); +} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.h new file mode 100644 index 0000000..ce8729a --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-photon256.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_PHOTON256_H +#define LW_INTERNAL_PHOTON256_H + +/** + * \file internal-photon256.h + * \brief Internal implementation of the PHOTON-256 permutation. + * + * Warning: The current implementation of PHOTON-256 is constant-time + * but not constant-cache. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the PHOTON-256 permutation state in bytes. + */ +#define PHOTON256_STATE_SIZE 32 + +/** + * \brief Permutes the PHOTON-256 state. + * + * \param state The state to be permuted. + */ +void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-util.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.c new file mode 100644 index 0000000..f44bdad --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.c @@ -0,0 +1,451 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "photon-beetle.h" +#include "internal-photon256.h" +#include "internal-util.h" +#include + +aead_cipher_t const photon_beetle_128_cipher = { + "PHOTON-Beetle-AEAD-ENC-128", + PHOTON_BEETLE_KEY_SIZE, + PHOTON_BEETLE_NONCE_SIZE, + PHOTON_BEETLE_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + photon_beetle_128_aead_encrypt, + photon_beetle_128_aead_decrypt +}; + +aead_cipher_t const photon_beetle_32_cipher = { + "PHOTON-Beetle-AEAD-ENC-32", + PHOTON_BEETLE_KEY_SIZE, + PHOTON_BEETLE_NONCE_SIZE, + PHOTON_BEETLE_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + photon_beetle_32_aead_encrypt, + photon_beetle_32_aead_decrypt +}; + +aead_hash_algorithm_t const photon_beetle_hash_algorithm = { + "PHOTON-Beetle-HASH", + sizeof(int), + PHOTON_BEETLE_HASH_SIZE, + AEAD_FLAG_NONE, + photon_beetle_hash, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-128. + */ +#define PHOTON_BEETLE_128_RATE 16 + +/** + * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-32. + */ +#define PHOTON_BEETLE_32_RATE 4 + +/* Shifts a domain constant from the spec to the correct bit position */ +#define DOMAIN(c) ((c) << 5) + +/** + * \brief Processes the associated data for PHOTON-Beetle. + * + * \param state PHOTON-256 permutation state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must be non-zero. + * \param rate Rate of absorption for the data. + * \param mempty Non-zero if the message is empty. + */ +static void photon_beetle_process_ad + (unsigned char state[PHOTON256_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen, + unsigned rate, int mempty) +{ + unsigned temp; + + /* Absorb as many full rate blocks as possible */ + while (adlen > rate) { + photon256_permute(state); + lw_xor_block(state, ad, rate); + ad += rate; + adlen -= rate; + } + + /* Pad and absorb the last block */ + temp = (unsigned)adlen; + photon256_permute(state); + lw_xor_block(state, ad, temp); + if (temp < rate) + state[temp] ^= 0x01; /* padding */ + + /* Add the domain constant to finalize associated data processing */ + if (mempty && temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(3); + else if (mempty) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(4); + else if (temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + else + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); +} + +/** + * \brief Rotates part of the PHOTON-256 state right by one bit. + * + * \param out Output state buffer. + * \param in Input state buffer, must not overlap with \a out. + * \param len Length of the state buffer. + */ +static void photon_beetle_rotate1 + (unsigned char *out, const unsigned char *in, unsigned len) +{ + unsigned posn; + for (posn = 0; posn < (len - 1); ++posn) + out[posn] = (in[posn] >> 1) | (in[posn + 1] << 7); + out[len - 1] = (in[len - 1] >> 1) | (in[0] << 7); +} + +/** + * \brief Encrypts a plaintext block with PHOTON-Beetle. + * + * \param state PHOTON-256 permutation state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Length of the message, must be non-zero. + * \param rate Rate of absorption for the data. + * \param adempty Non-zero if the associated data is empty. + */ +static void photon_beetle_encrypt + (unsigned char state[PHOTON256_STATE_SIZE], + unsigned char *c, const unsigned char *m, unsigned long long mlen, + unsigned rate, int adempty) +{ + unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ + unsigned temp; + + /* Process all plaintext blocks except the last */ + while (mlen > rate) { + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + lw_xor_block(state, m, rate); + lw_xor_block_2_src(c, m, shuffle, rate); + c += rate; + m += rate; + mlen -= rate; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + if (temp == rate) { + lw_xor_block(state, m, rate); + lw_xor_block_2_src(c, m, shuffle, rate); + } else { + lw_xor_block(state, m, temp); + state[temp] ^= 0x01; /* padding */ + lw_xor_block_2_src(c, m, shuffle, temp); + } + + /* Add the domain constant to finalize message processing */ + if (adempty && temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); + else if (adempty) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); + else if (temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + else + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); +} + +/** + * \brief Decrypts a ciphertext block with PHOTON-Beetle. + * + * \param state PHOTON-256 permutation state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param mlen Length of the message, must be non-zero. + * \param rate Rate of absorption for the data. + * \param adempty Non-zero if the associated data is empty. + */ +static void photon_beetle_decrypt + (unsigned char state[PHOTON256_STATE_SIZE], + unsigned char *m, const unsigned char *c, unsigned long long mlen, + unsigned rate, int adempty) +{ + unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ + unsigned temp; + + /* Process all plaintext blocks except the last */ + while (mlen > rate) { + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + lw_xor_block_2_src(m, c, shuffle, rate); + lw_xor_block(state, m, rate); + c += rate; + m += rate; + mlen -= rate; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + if (temp == rate) { + lw_xor_block_2_src(m, c, shuffle, rate); + lw_xor_block(state, m, rate); + } else { + lw_xor_block_2_src(m, c, shuffle, temp); + lw_xor_block(state, m, temp); + state[temp] ^= 0x01; /* padding */ + } + + /* Add the domain constant to finalize message processing */ + if (adempty && temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); + else if (adempty) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); + else if (temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + else + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); +} + +int photon_beetle_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_128_RATE, mlen == 0); + } else if (mlen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + photon_beetle_encrypt + (state, c, m, mlen, PHOTON_BEETLE_128_RATE, adlen == 0); + } + + /* Generate the authentication tag */ + photon256_permute(state); + memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); + return 0; +} + +int photon_beetle_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < PHOTON_BEETLE_TAG_SIZE) + return -1; + *mlen = clen - PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + clen -= PHOTON_BEETLE_TAG_SIZE; + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_128_RATE, clen == 0); + } else if (clen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + photon_beetle_decrypt + (state, m, c, clen, PHOTON_BEETLE_128_RATE, adlen == 0); + } + + /* Check the authentication tag */ + photon256_permute(state); + return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); +} + +int photon_beetle_32_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_32_RATE, mlen == 0); + } else if (mlen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + photon_beetle_encrypt + (state, c, m, mlen, PHOTON_BEETLE_32_RATE, adlen == 0); + } + + /* Generate the authentication tag */ + photon256_permute(state); + memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); + return 0; +} + +int photon_beetle_32_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < PHOTON_BEETLE_TAG_SIZE) + return -1; + *mlen = clen - PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + clen -= PHOTON_BEETLE_TAG_SIZE; + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_32_RATE, clen == 0); + } else if (clen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + photon_beetle_decrypt + (state, m, c, clen, PHOTON_BEETLE_32_RATE, adlen == 0); + } + + /* Check the authentication tag */ + photon256_permute(state); + return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); +} + +int photon_beetle_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + unsigned temp; + + /* Absorb the input data */ + if (inlen == 0) { + /* No input data at all */ + memset(state, 0, sizeof(state) - 1); + state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); + } else if (inlen <= PHOTON_BEETLE_128_RATE) { + /* Only one block of input data, which may require padding */ + temp = (unsigned)inlen; + memcpy(state, in, temp); + memset(state + temp, 0, sizeof(state) - temp - 1); + if (temp < PHOTON_BEETLE_128_RATE) { + state[temp] = 0x01; + state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); + } else { + state[PHOTON256_STATE_SIZE - 1] = DOMAIN(2); + } + } else { + /* Initialize the state with the first block, then absorb the rest */ + memcpy(state, in, PHOTON_BEETLE_128_RATE); + memset(state + PHOTON_BEETLE_128_RATE, 0, + sizeof(state) - PHOTON_BEETLE_128_RATE); + in += PHOTON_BEETLE_128_RATE; + inlen -= PHOTON_BEETLE_128_RATE; + while (inlen > PHOTON_BEETLE_32_RATE) { + photon256_permute(state); + lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); + in += PHOTON_BEETLE_32_RATE; + inlen -= PHOTON_BEETLE_32_RATE; + } + photon256_permute(state); + temp = (unsigned)inlen; + if (temp == PHOTON_BEETLE_32_RATE) { + lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } else { + lw_xor_block(state, in, temp); + state[temp] ^= 0x01; + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); + } + } + + /* Generate the output hash */ + photon256_permute(state); + memcpy(out, state, 16); + photon256_permute(state); + memcpy(out + 16, state, 16); + return 0; +} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.h new file mode 100644 index 0000000..2d94a7e --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/photon-beetle.h @@ -0,0 +1,224 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_PHOTON_BEETLE_H +#define LWCRYPTO_PHOTON_BEETLE_H + +#include "aead-common.h" + +/** + * \file photon-beetle.h + * \brief PHOTON-Beetle authenticated encryption algorithm. + * + * PHOTON-Beetle is a family of authenticated encryption algorithms based + * on the PHOTON-256 permutation and using the Beetle sponge mode. + * There are three algorithms in the family: + * + * \li PHOTON-Beetle-AEAD-ENC-128 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag. Data is handled in 16 byte blocks. This is the primary + * member of the family for encryption. + * \li PHOTON-Beetle-AEAD-ENC-32 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag. Data is handled in 4 byte blocks. + * \li PHOTON-Beetle-Hash with a 256-bit hash output. The initial data is + * handled as a 16 byte block, and then the remaining bytes are processed + * in 4 byte blocks. + * + * References: https://www.isical.ac.in/~lightweight/beetle/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for PHOTON-Beetle. + */ +#define PHOTON_BEETLE_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PHOTON-Beetle. + */ +#define PHOTON_BEETLE_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PHOTON-Beetle. + */ +#define PHOTON_BEETLE_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for PHOTON-Beetle-HASH. + */ +#define PHOTON_BEETLE_HASH_SIZE 32 + +/** + * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-128 cipher. + */ +extern aead_cipher_t const photon_beetle_128_cipher; + +/** + * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-32 cipher. + */ +extern aead_cipher_t const photon_beetle_32_cipher; + +/** + * \brief Meta-information block for the PHOTON-Beetle-HASH algorithm. + */ +extern aead_hash_algorithm_t const photon_beetle_hash_algorithm; + +/** + * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa photon_beetle_128_aead_decrypt() + */ +int photon_beetle_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa photon_beetle_128_aead_encrypt() + */ +int photon_beetle_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa photon_beetle_32_aead_decrypt() + */ +int photon_beetle_32_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa photon_beetle_32_aead_encrypt() + */ +int photon_beetle_32_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with PHOTON-Beetle-HASH to + * generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * PHOTON_BEETLE_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int photon_beetle_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/api.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/encrypt.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/encrypt.c new file mode 100644 index 0000000..17af9cd --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "photon-beetle.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return photon_beetle_32_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return photon_beetle_32_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.c new file mode 100644 index 0000000..b8743fe --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.c @@ -0,0 +1,479 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-photon256.h" +#include "internal-util.h" + +/** + * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form. + */ +#define PHOTON256_ROUNDS 12 + +/* Round constants for PHOTON-256 */ +static uint32_t const photon256_rc[PHOTON256_ROUNDS] = { + 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e, + 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c, + 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a +}; + +/** + * \brief Evaluates the PHOTON-256 S-box in bit-sliced form. + * + * \param x0 Slice with bit 0 of all nibbles. + * \param x1 Slice with bit 1 of all nibbles. + * \param x2 Slice with bit 2 of all nibbles. + * \param x3 Slice with bit 3 of all nibbles. + * + * This bit-sliced S-box implementation is based on the AVR version + * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code. + */ +#define photon256_sbox(x0, x1, x2, x3) \ + do { \ + x1 ^= x2; \ + x3 ^= (x2 & x1); \ + t1 = x3; \ + x3 = (x3 & x1) ^ x2; \ + t2 = x3; \ + x3 ^= x0; \ + x3 = ~(x3); \ + x2 = x3; \ + t2 |= x0; \ + x0 ^= t1; \ + x1 ^= x0; \ + x2 |= x1; \ + x2 ^= t1; \ + x1 ^= t2; \ + x3 ^= x1; \ + } while (0) + +/** + * \brief Performs a field multiplication on the 8 nibbles in a row. + * + * \param a Field constant to multiply by. + * \param x Bit-sliced form of the row, with bits 0..3 of each nibble + * in bytes 0..3 of the word. + * + * \return a * x packed into the bytes of a word. + */ +static uint32_t photon256_field_multiply(uint8_t a, uint32_t x) +{ + /* For each 4-bit nibble we need to do this: + * + * result = 0; + * for (bit = 0; bit < 4; ++ bit) { + * if ((a & (1 << bit)) != 0) + * result ^= x; + * if ((x & 0x08) != 0) { + * x = (x << 1) ^ 3; + * } else { + * x = (x << 1); + * } + * } + * + * We don't need to worry about constant time for "a" because it is a + * known constant that isn't data-dependent. But we do need to worry + * about constant time for "x" as it is data. + */ + uint32_t result = 0; + uint32_t t; + #define PARALLEL_CONDITIONAL_ADD(bit) \ + do { \ + if ((a) & (1 << (bit))) \ + result ^= x; \ + } while (0) + #define PARALELL_ROTATE() \ + do { \ + t = x >> 24; \ + x = (x << 8) ^ t ^ (t << 8); \ + } while (0) + PARALLEL_CONDITIONAL_ADD(0); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(1); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(2); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(3); + return result; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts a PHOTON-256 state into bit-sliced form. + * + * \param out Points to the converted output. + * \param in Points to the PHOTON-256 state to convert. + */ +static void photon256_to_sliced + (uint32_t out[PHOTON256_STATE_SIZE / 4], + const unsigned char in[PHOTON256_STATE_SIZE]) +{ + /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words. + * Then we rearrange the bytes to group all bits N into word N. + * + * Permutation generated with "http://programming.sirrida.de/calcperm.php". + * + * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 + * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31] + */ + uint32_t t0, t1, t2, t3; + #define TO_BITSLICED_PERM(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + } while (0) + #define FROM_BITSLICED_PERM(x) \ + do { \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + } while (0) + t0 = le_load_word32(in); + t1 = le_load_word32(in + 4); + t2 = le_load_word32(in + 8); + t3 = le_load_word32(in + 12); + TO_BITSLICED_PERM(t0); + TO_BITSLICED_PERM(t1); + TO_BITSLICED_PERM(t2); + TO_BITSLICED_PERM(t3); + out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | + ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); + out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | + ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); + out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | + (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); + out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | + ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); + t0 = le_load_word32(in + 16); + t1 = le_load_word32(in + 20); + t2 = le_load_word32(in + 24); + t3 = le_load_word32(in + 28); + TO_BITSLICED_PERM(t0); + TO_BITSLICED_PERM(t1); + TO_BITSLICED_PERM(t2); + TO_BITSLICED_PERM(t3); + out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | + ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); + out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | + ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); + out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | + (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); + out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | + ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); +} + +/** + * \brief Converts a PHOTON-256 state from bit-sliced form. + * + * \param out Points to the converted output. + * \param in Points to the PHOTON-256 state to convert. + */ +static void photon256_from_sliced + (unsigned char out[PHOTON256_STATE_SIZE], + const unsigned char in[PHOTON256_STATE_SIZE]) +{ + /* Do the reverse of photon256_to_sliced() */ + uint32_t x0, x1, x2, x3; + x0 = ((uint32_t)(in[0])) | + (((uint32_t)(in[4])) << 8) | + (((uint32_t)(in[8])) << 16) | + (((uint32_t)(in[12])) << 24); + x1 = ((uint32_t)(in[1])) | + (((uint32_t)(in[5])) << 8) | + (((uint32_t)(in[9])) << 16) | + (((uint32_t)(in[13])) << 24); + x2 = ((uint32_t)(in[2])) | + (((uint32_t)(in[6])) << 8) | + (((uint32_t)(in[10])) << 16) | + (((uint32_t)(in[14])) << 24); + x3 = ((uint32_t)(in[3])) | + (((uint32_t)(in[7])) << 8) | + (((uint32_t)(in[11])) << 16) | + (((uint32_t)(in[15])) << 24); + FROM_BITSLICED_PERM(x0); + FROM_BITSLICED_PERM(x1); + FROM_BITSLICED_PERM(x2); + FROM_BITSLICED_PERM(x3); + le_store_word32(out, x0); + le_store_word32(out + 4, x1); + le_store_word32(out + 8, x2); + le_store_word32(out + 12, x3); + x0 = ((uint32_t)(in[16])) | + (((uint32_t)(in[20])) << 8) | + (((uint32_t)(in[24])) << 16) | + (((uint32_t)(in[28])) << 24); + x1 = ((uint32_t)(in[17])) | + (((uint32_t)(in[21])) << 8) | + (((uint32_t)(in[25])) << 16) | + (((uint32_t)(in[29])) << 24); + x2 = ((uint32_t)(in[18])) | + (((uint32_t)(in[22])) << 8) | + (((uint32_t)(in[26])) << 16) | + (((uint32_t)(in[30])) << 24); + x3 = ((uint32_t)(in[19])) | + (((uint32_t)(in[23])) << 8) | + (((uint32_t)(in[27])) << 16) | + (((uint32_t)(in[31])) << 24); + FROM_BITSLICED_PERM(x0); + FROM_BITSLICED_PERM(x1); + FROM_BITSLICED_PERM(x2); + FROM_BITSLICED_PERM(x3); + le_store_word32(out + 16, x0); + le_store_word32(out + 20, x1); + le_store_word32(out + 24, x2); + le_store_word32(out + 28, x3); +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +/* Index the bit-sliced state bytes in little-endian byte order */ +#define READ_ROW0() \ + (((uint32_t)(S.bytes[0])) | \ + (((uint32_t)(S.bytes[4])) << 8) | \ + (((uint32_t)(S.bytes[8])) << 16) | \ + (((uint32_t)(S.bytes[12])) << 24)) +#define READ_ROW1() \ + (((uint32_t)(S.bytes[1])) | \ + (((uint32_t)(S.bytes[5])) << 8) | \ + (((uint32_t)(S.bytes[9])) << 16) | \ + (((uint32_t)(S.bytes[13])) << 24)) +#define READ_ROW2() \ + (((uint32_t)(S.bytes[2])) | \ + (((uint32_t)(S.bytes[6])) << 8) | \ + (((uint32_t)(S.bytes[10])) << 16) | \ + (((uint32_t)(S.bytes[14])) << 24)) +#define READ_ROW3() \ + (((uint32_t)(S.bytes[3])) | \ + (((uint32_t)(S.bytes[7])) << 8) | \ + (((uint32_t)(S.bytes[11])) << 16) | \ + (((uint32_t)(S.bytes[15])) << 24)) +#define READ_ROW4() \ + (((uint32_t)(S.bytes[16])) | \ + (((uint32_t)(S.bytes[20])) << 8) | \ + (((uint32_t)(S.bytes[24])) << 16) | \ + (((uint32_t)(S.bytes[28])) << 24)) +#define READ_ROW5() \ + (((uint32_t)(S.bytes[17])) | \ + (((uint32_t)(S.bytes[21])) << 8) | \ + (((uint32_t)(S.bytes[25])) << 16) | \ + (((uint32_t)(S.bytes[29])) << 24)) +#define READ_ROW6() \ + (((uint32_t)(S.bytes[18])) | \ + (((uint32_t)(S.bytes[22])) << 8) | \ + (((uint32_t)(S.bytes[26])) << 16) | \ + (((uint32_t)(S.bytes[30])) << 24)) +#define READ_ROW7() \ + (((uint32_t)(S.bytes[19])) | \ + (((uint32_t)(S.bytes[23])) << 8) | \ + (((uint32_t)(S.bytes[27])) << 16) | \ + (((uint32_t)(S.bytes[31])) << 24)) +#define WRITE_ROW(row, value) \ + do { \ + if ((row) < 4) { \ + S.bytes[(row)] = (uint8_t)(value); \ + S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \ + S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \ + S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \ + } else { \ + S.bytes[(row) + 12] = (uint8_t)(value); \ + S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \ + S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \ + S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \ + } \ + } while (0) +#else +/* Index the bit-sliced state bytes in big-endian byte order */ +#define READ_ROW0() \ + (((uint32_t)(S.bytes[3])) | \ + (((uint32_t)(S.bytes[7])) << 8) | \ + (((uint32_t)(S.bytes[11])) << 16) | \ + (((uint32_t)(S.bytes[15])) << 24)) +#define READ_ROW1() \ + (((uint32_t)(S.bytes[2])) | \ + (((uint32_t)(S.bytes[6])) << 8) | \ + (((uint32_t)(S.bytes[10])) << 16) | \ + (((uint32_t)(S.bytes[14])) << 24)) +#define READ_ROW2() \ + (((uint32_t)(S.bytes[1])) | \ + (((uint32_t)(S.bytes[5])) << 8) | \ + (((uint32_t)(S.bytes[9])) << 16) | \ + (((uint32_t)(S.bytes[13])) << 24)) +#define READ_ROW3() \ + (((uint32_t)(S.bytes[0])) | \ + (((uint32_t)(S.bytes[4])) << 8) | \ + (((uint32_t)(S.bytes[8])) << 16) | \ + (((uint32_t)(S.bytes[12])) << 24)) +#define READ_ROW4() \ + (((uint32_t)(S.bytes[19])) | \ + (((uint32_t)(S.bytes[23])) << 8) | \ + (((uint32_t)(S.bytes[27])) << 16) | \ + (((uint32_t)(S.bytes[31])) << 24)) +#define READ_ROW5() \ + (((uint32_t)(S.bytes[18])) | \ + (((uint32_t)(S.bytes[22])) << 8) | \ + (((uint32_t)(S.bytes[26])) << 16) | \ + (((uint32_t)(S.bytes[30])) << 24)) +#define READ_ROW6() \ + (((uint32_t)(S.bytes[17])) | \ + (((uint32_t)(S.bytes[21])) << 8) | \ + (((uint32_t)(S.bytes[25])) << 16) | \ + (((uint32_t)(S.bytes[29])) << 24)) +#define READ_ROW7() \ + (((uint32_t)(S.bytes[16])) | \ + (((uint32_t)(S.bytes[20])) << 8) | \ + (((uint32_t)(S.bytes[24])) << 16) | \ + (((uint32_t)(S.bytes[28])) << 24)) +#define WRITE_ROW(row, value) \ + do { \ + if ((row) < 4) { \ + S.bytes[3 - (row)] = (uint8_t)(value); \ + S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \ + S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \ + S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \ + } else { \ + S.bytes[20 - (row)] = (uint8_t)(value); \ + S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \ + S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \ + S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \ + } \ + } while (0) +#endif + +void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]) +{ + union { + uint32_t words[PHOTON256_STATE_SIZE / 4]; + uint8_t bytes[PHOTON256_STATE_SIZE]; + } S; + uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8; + uint8_t round; + + /* Convert the state into bit-sliced form */ + photon256_to_sliced(S.words, state); + + /* Perform all 12 permutation rounds */ + for (round = 0; round < PHOTON256_ROUNDS; ++round) { + /* Add the constants for this round */ + t0 = photon256_rc[round]; + S.words[0] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[1] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[2] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[3] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[4] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[5] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[6] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[7] ^= t0 & 0x01010101U; + + /* Apply the sbox to all nibbles in the state */ + photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]); + photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]); + + /* Rotate all rows left by the row number. + * + * We do this by applying permutations to the top and bottom words + * to rearrange the bits into the rotated form. Permutations + * generated with "http://programming.sirrida.de/calcperm.php". + * + * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23 + * 16 17 18 19 20 21 29 30 31 24 25 26 27 28] + * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19 + * 20 21 22 23 16 17 25 26 27 28 29 30 31 24 + */ + #define TOP_ROTATE_PERM(x) \ + do { \ + t1 = (x); \ + bit_permute_step(t1, 0x07030100, 4); \ + bit_permute_step(t1, 0x22331100, 2); \ + bit_permute_step(t1, 0x55005500, 1); \ + (x) = t1; \ + } while (0) + #define BOTTOM_ROTATE_PERM(x) \ + do { \ + t1 = (x); \ + bit_permute_step(t1, 0x080c0e0f, 4); \ + bit_permute_step(t1, 0x22331100, 2); \ + bit_permute_step(t1, 0x55005500, 1); \ + (x) = t1; \ + } while (0) + TOP_ROTATE_PERM(S.words[0]); + TOP_ROTATE_PERM(S.words[1]); + TOP_ROTATE_PERM(S.words[2]); + TOP_ROTATE_PERM(S.words[3]); + BOTTOM_ROTATE_PERM(S.words[4]); + BOTTOM_ROTATE_PERM(S.words[5]); + BOTTOM_ROTATE_PERM(S.words[6]); + BOTTOM_ROTATE_PERM(S.words[7]); + + /* Mix the columns */ + #define MUL(a, x) (photon256_field_multiply((a), (x))) + t0 = READ_ROW0(); + t1 = READ_ROW1(); + t2 = READ_ROW2(); + t3 = READ_ROW3(); + t4 = READ_ROW4(); + t5 = READ_ROW5(); + t6 = READ_ROW6(); + t7 = READ_ROW7(); + t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^ + MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7); + WRITE_ROW(0, t8); + t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^ + MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7); + WRITE_ROW(1, t8); + t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^ + MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7); + WRITE_ROW(2, t8); + t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^ + MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7); + WRITE_ROW(3, t8); + t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^ + MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7); + WRITE_ROW(4, t8); + t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^ + MUL(0x04, t4) ^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7); + WRITE_ROW(5, t8); + t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^ + MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7); + WRITE_ROW(6, t8); + t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^ + MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7); + WRITE_ROW(7, t8); + } + + /* Convert back from bit-sliced form to regular form */ + photon256_from_sliced(state, S.bytes); +} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.h new file mode 100644 index 0000000..ce8729a --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-photon256.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_PHOTON256_H +#define LW_INTERNAL_PHOTON256_H + +/** + * \file internal-photon256.h + * \brief Internal implementation of the PHOTON-256 permutation. + * + * Warning: The current implementation of PHOTON-256 is constant-time + * but not constant-cache. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the PHOTON-256 permutation state in bytes. + */ +#define PHOTON256_STATE_SIZE 32 + +/** + * \brief Permutes the PHOTON-256 state. + * + * \param state The state to be permuted. + */ +void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-util.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.c new file mode 100644 index 0000000..f44bdad --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.c @@ -0,0 +1,451 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "photon-beetle.h" +#include "internal-photon256.h" +#include "internal-util.h" +#include + +aead_cipher_t const photon_beetle_128_cipher = { + "PHOTON-Beetle-AEAD-ENC-128", + PHOTON_BEETLE_KEY_SIZE, + PHOTON_BEETLE_NONCE_SIZE, + PHOTON_BEETLE_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + photon_beetle_128_aead_encrypt, + photon_beetle_128_aead_decrypt +}; + +aead_cipher_t const photon_beetle_32_cipher = { + "PHOTON-Beetle-AEAD-ENC-32", + PHOTON_BEETLE_KEY_SIZE, + PHOTON_BEETLE_NONCE_SIZE, + PHOTON_BEETLE_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + photon_beetle_32_aead_encrypt, + photon_beetle_32_aead_decrypt +}; + +aead_hash_algorithm_t const photon_beetle_hash_algorithm = { + "PHOTON-Beetle-HASH", + sizeof(int), + PHOTON_BEETLE_HASH_SIZE, + AEAD_FLAG_NONE, + photon_beetle_hash, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-128. + */ +#define PHOTON_BEETLE_128_RATE 16 + +/** + * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-32. + */ +#define PHOTON_BEETLE_32_RATE 4 + +/* Shifts a domain constant from the spec to the correct bit position */ +#define DOMAIN(c) ((c) << 5) + +/** + * \brief Processes the associated data for PHOTON-Beetle. + * + * \param state PHOTON-256 permutation state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must be non-zero. + * \param rate Rate of absorption for the data. + * \param mempty Non-zero if the message is empty. + */ +static void photon_beetle_process_ad + (unsigned char state[PHOTON256_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen, + unsigned rate, int mempty) +{ + unsigned temp; + + /* Absorb as many full rate blocks as possible */ + while (adlen > rate) { + photon256_permute(state); + lw_xor_block(state, ad, rate); + ad += rate; + adlen -= rate; + } + + /* Pad and absorb the last block */ + temp = (unsigned)adlen; + photon256_permute(state); + lw_xor_block(state, ad, temp); + if (temp < rate) + state[temp] ^= 0x01; /* padding */ + + /* Add the domain constant to finalize associated data processing */ + if (mempty && temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(3); + else if (mempty) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(4); + else if (temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + else + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); +} + +/** + * \brief Rotates part of the PHOTON-256 state right by one bit. + * + * \param out Output state buffer. + * \param in Input state buffer, must not overlap with \a out. + * \param len Length of the state buffer. + */ +static void photon_beetle_rotate1 + (unsigned char *out, const unsigned char *in, unsigned len) +{ + unsigned posn; + for (posn = 0; posn < (len - 1); ++posn) + out[posn] = (in[posn] >> 1) | (in[posn + 1] << 7); + out[len - 1] = (in[len - 1] >> 1) | (in[0] << 7); +} + +/** + * \brief Encrypts a plaintext block with PHOTON-Beetle. + * + * \param state PHOTON-256 permutation state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Length of the message, must be non-zero. + * \param rate Rate of absorption for the data. + * \param adempty Non-zero if the associated data is empty. + */ +static void photon_beetle_encrypt + (unsigned char state[PHOTON256_STATE_SIZE], + unsigned char *c, const unsigned char *m, unsigned long long mlen, + unsigned rate, int adempty) +{ + unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ + unsigned temp; + + /* Process all plaintext blocks except the last */ + while (mlen > rate) { + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + lw_xor_block(state, m, rate); + lw_xor_block_2_src(c, m, shuffle, rate); + c += rate; + m += rate; + mlen -= rate; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + if (temp == rate) { + lw_xor_block(state, m, rate); + lw_xor_block_2_src(c, m, shuffle, rate); + } else { + lw_xor_block(state, m, temp); + state[temp] ^= 0x01; /* padding */ + lw_xor_block_2_src(c, m, shuffle, temp); + } + + /* Add the domain constant to finalize message processing */ + if (adempty && temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); + else if (adempty) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); + else if (temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + else + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); +} + +/** + * \brief Decrypts a ciphertext block with PHOTON-Beetle. + * + * \param state PHOTON-256 permutation state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param mlen Length of the message, must be non-zero. + * \param rate Rate of absorption for the data. + * \param adempty Non-zero if the associated data is empty. + */ +static void photon_beetle_decrypt + (unsigned char state[PHOTON256_STATE_SIZE], + unsigned char *m, const unsigned char *c, unsigned long long mlen, + unsigned rate, int adempty) +{ + unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ + unsigned temp; + + /* Process all plaintext blocks except the last */ + while (mlen > rate) { + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + lw_xor_block_2_src(m, c, shuffle, rate); + lw_xor_block(state, m, rate); + c += rate; + m += rate; + mlen -= rate; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + if (temp == rate) { + lw_xor_block_2_src(m, c, shuffle, rate); + lw_xor_block(state, m, rate); + } else { + lw_xor_block_2_src(m, c, shuffle, temp); + lw_xor_block(state, m, temp); + state[temp] ^= 0x01; /* padding */ + } + + /* Add the domain constant to finalize message processing */ + if (adempty && temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); + else if (adempty) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); + else if (temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + else + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); +} + +int photon_beetle_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_128_RATE, mlen == 0); + } else if (mlen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + photon_beetle_encrypt + (state, c, m, mlen, PHOTON_BEETLE_128_RATE, adlen == 0); + } + + /* Generate the authentication tag */ + photon256_permute(state); + memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); + return 0; +} + +int photon_beetle_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < PHOTON_BEETLE_TAG_SIZE) + return -1; + *mlen = clen - PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + clen -= PHOTON_BEETLE_TAG_SIZE; + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_128_RATE, clen == 0); + } else if (clen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + photon_beetle_decrypt + (state, m, c, clen, PHOTON_BEETLE_128_RATE, adlen == 0); + } + + /* Check the authentication tag */ + photon256_permute(state); + return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); +} + +int photon_beetle_32_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_32_RATE, mlen == 0); + } else if (mlen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + photon_beetle_encrypt + (state, c, m, mlen, PHOTON_BEETLE_32_RATE, adlen == 0); + } + + /* Generate the authentication tag */ + photon256_permute(state); + memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); + return 0; +} + +int photon_beetle_32_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < PHOTON_BEETLE_TAG_SIZE) + return -1; + *mlen = clen - PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + clen -= PHOTON_BEETLE_TAG_SIZE; + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_32_RATE, clen == 0); + } else if (clen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + photon_beetle_decrypt + (state, m, c, clen, PHOTON_BEETLE_32_RATE, adlen == 0); + } + + /* Check the authentication tag */ + photon256_permute(state); + return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); +} + +int photon_beetle_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + unsigned temp; + + /* Absorb the input data */ + if (inlen == 0) { + /* No input data at all */ + memset(state, 0, sizeof(state) - 1); + state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); + } else if (inlen <= PHOTON_BEETLE_128_RATE) { + /* Only one block of input data, which may require padding */ + temp = (unsigned)inlen; + memcpy(state, in, temp); + memset(state + temp, 0, sizeof(state) - temp - 1); + if (temp < PHOTON_BEETLE_128_RATE) { + state[temp] = 0x01; + state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); + } else { + state[PHOTON256_STATE_SIZE - 1] = DOMAIN(2); + } + } else { + /* Initialize the state with the first block, then absorb the rest */ + memcpy(state, in, PHOTON_BEETLE_128_RATE); + memset(state + PHOTON_BEETLE_128_RATE, 0, + sizeof(state) - PHOTON_BEETLE_128_RATE); + in += PHOTON_BEETLE_128_RATE; + inlen -= PHOTON_BEETLE_128_RATE; + while (inlen > PHOTON_BEETLE_32_RATE) { + photon256_permute(state); + lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); + in += PHOTON_BEETLE_32_RATE; + inlen -= PHOTON_BEETLE_32_RATE; + } + photon256_permute(state); + temp = (unsigned)inlen; + if (temp == PHOTON_BEETLE_32_RATE) { + lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } else { + lw_xor_block(state, in, temp); + state[temp] ^= 0x01; + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); + } + } + + /* Generate the output hash */ + photon256_permute(state); + memcpy(out, state, 16); + photon256_permute(state); + memcpy(out + 16, state, 16); + return 0; +} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.h new file mode 100644 index 0000000..2d94a7e --- /dev/null +++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/photon-beetle.h @@ -0,0 +1,224 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_PHOTON_BEETLE_H +#define LWCRYPTO_PHOTON_BEETLE_H + +#include "aead-common.h" + +/** + * \file photon-beetle.h + * \brief PHOTON-Beetle authenticated encryption algorithm. + * + * PHOTON-Beetle is a family of authenticated encryption algorithms based + * on the PHOTON-256 permutation and using the Beetle sponge mode. + * There are three algorithms in the family: + * + * \li PHOTON-Beetle-AEAD-ENC-128 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag. Data is handled in 16 byte blocks. This is the primary + * member of the family for encryption. + * \li PHOTON-Beetle-AEAD-ENC-32 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag. Data is handled in 4 byte blocks. + * \li PHOTON-Beetle-Hash with a 256-bit hash output. The initial data is + * handled as a 16 byte block, and then the remaining bytes are processed + * in 4 byte blocks. + * + * References: https://www.isical.ac.in/~lightweight/beetle/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for PHOTON-Beetle. + */ +#define PHOTON_BEETLE_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for PHOTON-Beetle. + */ +#define PHOTON_BEETLE_TAG_SIZE 16 + +/** + * \brief Size of the nonce for PHOTON-Beetle. + */ +#define PHOTON_BEETLE_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for PHOTON-Beetle-HASH. + */ +#define PHOTON_BEETLE_HASH_SIZE 32 + +/** + * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-128 cipher. + */ +extern aead_cipher_t const photon_beetle_128_cipher; + +/** + * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-32 cipher. + */ +extern aead_cipher_t const photon_beetle_32_cipher; + +/** + * \brief Meta-information block for the PHOTON-Beetle-HASH algorithm. + */ +extern aead_hash_algorithm_t const photon_beetle_hash_algorithm; + +/** + * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa photon_beetle_128_aead_decrypt() + */ +int photon_beetle_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa photon_beetle_128_aead_encrypt() + */ +int photon_beetle_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa photon_beetle_32_aead_decrypt() + */ +int photon_beetle_32_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa photon_beetle_32_aead_encrypt() + */ +int photon_beetle_32_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with PHOTON-Beetle-HASH to + * generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * PHOTON_BEETLE_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int photon_beetle_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/api.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/encrypt.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/encrypt.c new file mode 100644 index 0000000..a63877d --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "pyjamask.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return pyjamask_128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return pyjamask_128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-ocb.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-ocb.h new file mode 100644 index 0000000..de544ba --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-ocb.h @@ -0,0 +1,335 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_OCB_H +#define LW_INTERNAL_OCB_H + +#include "internal-util.h" +#include + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying block cipher: + * + * OCB_ALG_NAME Name of the algorithm that is using OCB mode. + * OCB_BLOCK_SIZE Size of the block for the underlying cipher in bytes. + * OCB_NONCE_SIZE Size of the nonce which must be < OCB_BLOCK_SIZE. + * OCB_TAG_SIZE Size of the authentication tag. + * OCB_KEY_SCHEDULE Type for the key schedule. + * OCB_SETUP_KEY Name of the key schedule setup function. + * OCB_ENCRYPT_BLOCK Name of the block cipher ECB encrypt function. + * OCB_DECRYPT_BLOCK Name of the block cipher ECB decrypt function. + * OCB_DOUBLE_L Name of the function to double L (optional). + */ +#if defined(OCB_ENCRYPT_BLOCK) + +/** + * \file internal-ocb.h + * \brief Internal implementation of the OCB block cipher mode. + * + * Note that OCB is covered by patents so it may not be usable in all + * applications. Open source applications should be covered, but for + * others you will need to contact the patent authors to find out + * if you can use it or if a paid license is required. + * + * License information: https://web.cs.ucdavis.edu/~rogaway/ocb/license.htm + * + * References: https://tools.ietf.org/html/rfc7253 + */ + +#define OCB_CONCAT_INNER(name,suffix) name##suffix +#define OCB_CONCAT(name,suffix) OCB_CONCAT_INNER(name,suffix) + +#if !defined(OCB_DOUBLE_L) + +#define OCB_DOUBLE_L OCB_CONCAT(OCB_ALG_NAME,_double_l) + +/* Double a value in GF(128) - default implementation */ +static void OCB_DOUBLE_L(unsigned char out[16], const unsigned char in[16]) +{ + unsigned index; + unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7); + for (index = 0; index < 15; ++index) + out[index] = (in[index] << 1) | (in[index + 1] >> 7); + out[15] = (in[15] << 1) ^ (mask & 0x87); +} + +#endif + +/* State information for OCB functions */ +#define OCB_STATE OCB_CONCAT(OCB_ALG_NAME,_state_t) +typedef struct +{ + OCB_KEY_SCHEDULE ks; + unsigned char Lstar[OCB_BLOCK_SIZE]; + unsigned char Ldollar[OCB_BLOCK_SIZE]; + unsigned char L0[OCB_BLOCK_SIZE]; + unsigned char L1[OCB_BLOCK_SIZE]; + +} OCB_STATE; + +/* Initializes the OCB state from the key and nonce */ +static void OCB_CONCAT(OCB_ALG_NAME,_init) + (OCB_STATE *state, const unsigned char *k, const unsigned char *nonce, + unsigned char offset[OCB_BLOCK_SIZE]) +{ + unsigned bottom; + + /* Set up the key schedule */ + OCB_SETUP_KEY(&(state->ks), k); + + /* Derive the values of L*, L$, L0, and L1 */ + memset(state->Lstar, 0, sizeof(state->Lstar)); + OCB_ENCRYPT_BLOCK(&(state->ks), state->Lstar, state->Lstar); + OCB_DOUBLE_L(state->Ldollar, state->Lstar); + OCB_DOUBLE_L(state->L0, state->Ldollar); + OCB_DOUBLE_L(state->L1, state->L0); + + /* Derive the initial offset from the nonce */ + memset(offset, 0, OCB_BLOCK_SIZE); + memcpy(offset + OCB_BLOCK_SIZE - OCB_NONCE_SIZE, nonce, OCB_NONCE_SIZE); + offset[0] = ((OCB_TAG_SIZE * 8) & 0x7F) << 1; + offset[OCB_BLOCK_SIZE - OCB_NONCE_SIZE - 1] |= 0x01; + bottom = offset[OCB_BLOCK_SIZE - 1] & 0x3F; + offset[OCB_BLOCK_SIZE - 1] &= 0xC0; + { + unsigned index; + unsigned byte_posn = bottom / 8; +#if OCB_BLOCK_SIZE == 16 + /* Standard OCB with a 128-bit block */ + unsigned char stretch[24]; + OCB_ENCRYPT_BLOCK(&(state->ks), stretch, offset); + memcpy(stretch + 16, stretch + 1, 8); + lw_xor_block(stretch + 16, stretch, 8); +#elif OCB_BLOCK_SIZE == 12 + /* 96-bit block handling from the Pyjamask specification */ + unsigned char stretch[20]; + OCB_ENCRYPT_BLOCK(&(state->ks), stretch, offset); + for (index = 0; index < 8; ++index) { + stretch[index + 12] = + (stretch[index + 1] << 1) | (stretch[index + 2] >> 7); + } + lw_xor_block(stretch + 12, stretch, 8); +#else + unsigned char stretch[OCB_BLOCK_SIZE + 8] = {0}; + #error "unsupported block size for OCB mode" +#endif + bottom %= 8; + if (bottom != 0) { + for (index = 0; index < OCB_BLOCK_SIZE; ++index) { + offset[index] = + (stretch[index + byte_posn] << bottom) | + (stretch[index + byte_posn + 1] >> (8 - bottom)); + } + } else { + memcpy(offset, stretch + byte_posn, OCB_BLOCK_SIZE); + } + } +} + +/* Calculate L_{ntz(i)} when the last two bits of i are zero */ +static void OCB_CONCAT(OCB_ALG_NAME,_calculate_L) + (OCB_STATE *state, unsigned char L[OCB_BLOCK_SIZE], unsigned long long i) +{ + OCB_DOUBLE_L(L, state->L1); + i >>= 2; + while ((i & 1) == 0) { + OCB_DOUBLE_L(L, L); + i >>= 1; + } +} + +/* Process associated data with OCB */ +static void OCB_CONCAT(OCB_ALG_NAME,_process_ad) + (OCB_STATE *state, unsigned char tag[OCB_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char offset[OCB_BLOCK_SIZE]; + unsigned char block[OCB_BLOCK_SIZE]; + unsigned long long block_number; + + /* Process all full blocks */ + memset(offset, 0, sizeof(offset)); + block_number = 1; + while (adlen >= OCB_BLOCK_SIZE) { + if (block_number & 1) { + lw_xor_block(offset, state->L0, OCB_BLOCK_SIZE); + } else if ((block_number & 3) == 2) { + lw_xor_block(offset, state->L1, OCB_BLOCK_SIZE); + } else { + OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(state, block, block_number); + lw_xor_block(offset, block, OCB_BLOCK_SIZE); + } + lw_xor_block_2_src(block, offset, ad, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state->ks), block, block); + lw_xor_block(tag, block, OCB_BLOCK_SIZE); + ad += OCB_BLOCK_SIZE; + adlen -= OCB_BLOCK_SIZE; + ++block_number; + } + + /* Pad and process the last partial block */ + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(offset, state->Lstar, OCB_BLOCK_SIZE); + lw_xor_block(offset, ad, temp); + offset[temp] ^= 0x80; + OCB_ENCRYPT_BLOCK(&(state->ks), block, offset); + lw_xor_block(tag, block, OCB_BLOCK_SIZE); + } +} + +int OCB_CONCAT(OCB_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + OCB_STATE state; + unsigned char offset[OCB_BLOCK_SIZE]; + unsigned char sum[OCB_BLOCK_SIZE]; + unsigned char block[OCB_BLOCK_SIZE]; + unsigned long long block_number; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + OCB_TAG_SIZE; + + /* Initialize the OCB state */ + OCB_CONCAT(OCB_ALG_NAME,_init)(&state, k, npub, offset); + + /* Process all plaintext blocks except the last */ + memset(sum, 0, sizeof(sum)); + block_number = 1; + while (mlen >= OCB_BLOCK_SIZE) { + if (block_number & 1) { + lw_xor_block(offset, state.L0, OCB_BLOCK_SIZE); + } else if ((block_number & 3) == 2) { + lw_xor_block(offset, state.L1, OCB_BLOCK_SIZE); + } else { + OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(&state, block, block_number); + lw_xor_block(offset, block, OCB_BLOCK_SIZE); + } + lw_xor_block(sum, m, OCB_BLOCK_SIZE); + lw_xor_block_2_src(block, offset, m, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), block, block); + lw_xor_block_2_src(c, block, offset, OCB_BLOCK_SIZE); + c += OCB_BLOCK_SIZE; + m += OCB_BLOCK_SIZE; + mlen -= OCB_BLOCK_SIZE; + ++block_number; + } + + /* Pad and process the last plaintext block */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + lw_xor_block(offset, state.Lstar, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), block, offset); + lw_xor_block_2_src(c, block, m, temp); + c += temp; + } + + /* Finalize the encryption phase */ + lw_xor_block(sum, offset, OCB_BLOCK_SIZE); + lw_xor_block(sum, state.Ldollar, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), sum, sum); + + /* Process the associated data and compute the final authentication tag */ + OCB_CONCAT(OCB_ALG_NAME,_process_ad)(&state, sum, ad, adlen); + memcpy(c, sum, OCB_TAG_SIZE); + return 0; +} + +int OCB_CONCAT(OCB_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + OCB_STATE state; + unsigned char *mtemp = m; + unsigned char offset[OCB_BLOCK_SIZE]; + unsigned char sum[OCB_BLOCK_SIZE]; + unsigned char block[OCB_BLOCK_SIZE]; + unsigned long long block_number; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < OCB_TAG_SIZE) + return -1; + *mlen = clen - OCB_TAG_SIZE; + + /* Initialize the OCB state */ + OCB_CONCAT(OCB_ALG_NAME,_init)(&state, k, npub, offset); + + /* Process all ciphertext blocks except the last */ + memset(sum, 0, sizeof(sum)); + block_number = 1; + clen -= OCB_TAG_SIZE; + while (clen >= OCB_BLOCK_SIZE) { + if (block_number & 1) { + lw_xor_block(offset, state.L0, OCB_BLOCK_SIZE); + } else if ((block_number & 3) == 2) { + lw_xor_block(offset, state.L1, OCB_BLOCK_SIZE); + } else { + OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(&state, block, block_number); + lw_xor_block(offset, block, OCB_BLOCK_SIZE); + } + lw_xor_block_2_src(block, offset, c, OCB_BLOCK_SIZE); + OCB_DECRYPT_BLOCK(&(state.ks), block, block); + lw_xor_block_2_src(m, block, offset, OCB_BLOCK_SIZE); + lw_xor_block(sum, m, OCB_BLOCK_SIZE); + c += OCB_BLOCK_SIZE; + m += OCB_BLOCK_SIZE; + clen -= OCB_BLOCK_SIZE; + ++block_number; + } + + /* Pad and process the last ciphertext block */ + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block(offset, state.Lstar, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), block, offset); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + c += temp; + } + + /* Finalize the decryption phase */ + lw_xor_block(sum, offset, OCB_BLOCK_SIZE); + lw_xor_block(sum, state.Ldollar, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), sum, sum); + + /* Process the associated data and check the final authentication tag */ + OCB_CONCAT(OCB_ALG_NAME,_process_ad)(&state, sum, ad, adlen); + return aead_check_tag(mtemp, *mlen, sum, c, OCB_TAG_SIZE); +} + +#endif /* OCB_ENCRYPT_BLOCK */ + +#endif /* LW_INTERNAL_OCB_H */ diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.c new file mode 100644 index 0000000..f3a5655 --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.c @@ -0,0 +1,305 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-pyjamask.h" +#include "internal-util.h" + +/** + * \brief Performs a circulant binary matrix multiplication. + * + * \param x The matrix. + * \param y The vector to multiply with the matrix. + * + * \return The vector result of multiplying x by y. + */ +STATIC_INLINE uint32_t pyjamask_matrix_multiply(uint32_t x, uint32_t y) +{ + uint32_t result = 0; + int bit; + for (bit = 31; bit >= 0; --bit) { +#if defined(ESP32) + /* This version has slightly better performance on ESP32 */ + y = leftRotate1(y); + result ^= x & -(y & 1); + x = rightRotate1(x); +#else + result ^= x & -((y >> bit) & 1); + x = rightRotate1(x); +#endif + } + return result; +} + +void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key) +{ + uint32_t *rk = ks->k; + uint32_t k0, k1, k2, k3; + uint32_t temp; + uint8_t round; + + /* Load the words of the key */ + k0 = be_load_word32(key); + k1 = be_load_word32(key + 4); + k2 = be_load_word32(key + 8); + k3 = be_load_word32(key + 12); + + /* The first round key is the same as the key itself */ + rk[0] = k0; + rk[1] = k1; + rk[2] = k2; + rk[3] = k3; + rk += 4; + + /* Derive the round keys for all of the other rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) { + /* Mix the columns */ + temp = k0 ^ k1 ^ k2 ^ k3; + k0 ^= temp; + k1 ^= temp; + k2 ^= temp; + k3 ^= temp; + + /* Mix the rows and add the round constants. Note that the Pyjamask + * specification says that k1/k2/k3 should be rotated left by 8, 15, + * and 18 bits. But the reference code actually rotates the words + * right. And the test vectors in the specification match up with + * right rotations, not left. We match the reference code here */ + k0 = pyjamask_matrix_multiply(0xb881b9caU, k0) ^ 0x00000080U ^ round; + k1 = rightRotate8(k1) ^ 0x00006a00U; + k2 = rightRotate15(k2) ^ 0x003f0000U; + k3 = rightRotate18(k3) ^ 0x24000000U; + + /* Write the round key to the schedule */ + rk[0] = k0; + rk[1] = k1; + rk[2] = k2; + rk[3] = k3; + } +} + +void pyjamask_128_encrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + const uint32_t *rk = ks->k; + uint32_t s0, s1, s2, s3; + uint8_t round; + + /* Load the plaintext from the input buffer */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) { + /* Add the round key to the state */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + s3 ^= rk[3]; + + /* Apply the 128-bit Pyjamask sbox */ + s0 ^= s3; + s3 ^= s0 & s1; + s0 ^= s1 & s2; + s1 ^= s2 & s3; + s2 ^= s0 & s3; + s2 ^= s1; + s1 ^= s0; + s3 = ~s3; + s2 ^= s3; + s3 ^= s2; + s2 ^= s3; + + /* Mix the rows of the state */ + s0 = pyjamask_matrix_multiply(0xa3861085U, s0); + s1 = pyjamask_matrix_multiply(0x63417021U, s1); + s2 = pyjamask_matrix_multiply(0x692cf280U, s2); + s3 = pyjamask_matrix_multiply(0x48a54813U, s3); + } + + /* Mix in the key one last time */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + s3 ^= rk[3]; + + /* Write the ciphertext to the output buffer */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void pyjamask_128_decrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS; + uint32_t s0, s1, s2, s3; + uint8_t round; + + /* Load the ciphertext from the input buffer */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Mix in the last round key */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + s3 ^= rk[3]; + rk -= 4; + + /* Perform all decryption rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 4) { + /* Inverse mix of the rows in the state */ + s0 = pyjamask_matrix_multiply(0x2037a121U, s0); + s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1); + s2 = pyjamask_matrix_multiply(0x9054d8c0U, s2); + s3 = pyjamask_matrix_multiply(0x3354b117U, s3); + + /* Apply the inverse of the 128-bit Pyjamask sbox */ + s2 ^= s3; + s3 ^= s2; + s2 ^= s3; + s3 = ~s3; + s1 ^= s0; + s2 ^= s1; + s2 ^= s0 & s3; + s1 ^= s2 & s3; + s0 ^= s1 & s2; + s3 ^= s0 & s1; + s0 ^= s3; + + /* Add the round key to the state */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + s3 ^= rk[3]; + } + + /* Write the plaintext to the output buffer */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void pyjamask_96_encrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + const uint32_t *rk = ks->k; + uint32_t s0, s1, s2; + uint8_t round; + + /* Load the plaintext from the input buffer */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + + /* Perform all encryption rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) { + /* Add the round key to the state */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + + /* Apply the 96-bit Pyjamask sbox */ + s0 ^= s1; + s1 ^= s2; + s2 ^= s0 & s1; + s0 ^= s1 & s2; + s1 ^= s0 & s2; + s2 ^= s0; + s2 = ~s2; + s1 ^= s0; + s0 ^= s1; + + /* Mix the rows of the state */ + s0 = pyjamask_matrix_multiply(0xa3861085U, s0); + s1 = pyjamask_matrix_multiply(0x63417021U, s1); + s2 = pyjamask_matrix_multiply(0x692cf280U, s2); + } + + /* Mix in the key one last time */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + + /* Write the ciphertext to the output buffer */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); +} + +void pyjamask_96_decrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS; + uint32_t s0, s1, s2; + uint8_t round; + + /* Load the plaintext from the input buffer */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + + /* Mix in the last round key */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + rk -= 4; + + /* Perform all encryption rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 4) { + /* Inverse mix of the rows in the state */ + s0 = pyjamask_matrix_multiply(0x2037a121U, s0); + s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1); + s2 = pyjamask_matrix_multiply(0x9054d8c0U, s2); + + /* Apply the inverse of the 96-bit Pyjamask sbox */ + s0 ^= s1; + s1 ^= s0; + s2 = ~s2; + s2 ^= s0; + s1 ^= s0 & s2; + s0 ^= s1 & s2; + s2 ^= s0 & s1; + s1 ^= s2; + s0 ^= s1; + + /* Add the round key to the state */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + } + + /* Write the ciphertext to the output buffer */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); +} diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.h new file mode 100644 index 0000000..3fd93a7 --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.h @@ -0,0 +1,215 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_PYJAMASK_H +#define LW_INTERNAL_PYJAMASK_H + +#include "internal-util.h" + +/** + * \file internal-pyjamask.h + * \brief Pyjamask block cipher. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Number of rounds in the Pyjamask block cipher. + */ +#define PYJAMASK_ROUNDS 14 + +/** + * \brief Number of parallel states for masked operation. + */ +#define PYJAMASK_MASKING_ORDER 4 + +/** + * \brief Structure of the key schedule for Pyjamask block ciphers. + */ +typedef struct +{ + uint32_t k[(PYJAMASK_ROUNDS + 1) * 4]; /**< Words of the key schedule */ + +} pyjamask_key_schedule_t; + +/** + * \brief Structure of the key schedule for masked Pyjamask block ciphers. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 4]; + +} pyjamask_masked_key_schedule_t; + +/** + * \brief Sets up the key schedule for the Pyjamask block cipher. + * + * \param ks The key schedule on output. + * \param key The 16 bytes of the key on input. + */ +void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key); + +/** + * \brief Encrypts a 128-bit block with Pyjamask-128. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \sa pyjamask_128_decrypt() + */ +void pyjamask_128_encrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with Pyjamask-128. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + * + * \sa pyjamask_128_encrypt() + */ +void pyjamask_128_decrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 96-bit block with Pyjamask-96. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 12 bytes in length. + * \param input Input buffer which must be at least 12 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \sa pyjamask_96_decrypt() + */ +void pyjamask_96_encrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 96-bit block with Pyjamask-96. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 12 bytes in length. + * \param input Input buffer which must be at least 12 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + * + * \sa pyjamask_96_encrypt() + */ +void pyjamask_96_decrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Sets up the key schedule for the masked Pyjamask block cipher. + * + * \param ks The key schedule on output. + * \param key The 16 bytes of the key on input. + */ +void pyjamask_masked_setup_key + (pyjamask_masked_key_schedule_t *ks, const unsigned char *key); + +/** + * \brief Encrypts a 128-bit block with Pyjamask-128 in masked mode. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \sa pyjamask_masked_128_decrypt() + */ +void pyjamask_masked_128_encrypt + (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with Pyjamask-128 in masked mode. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + * + * \sa pyjamask_masked_128_encrypt() + */ +void pyjamask_masked_128_decrypt + (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 96-bit block with Pyjamask-96 in masked mode. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 12 bytes in length. + * \param input Input buffer which must be at least 12 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \sa pyjamask_masked_96_decrypt() + */ +void pyjamask_masked_96_encrypt + (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 96-bit block with Pyjamask-96 in masked mode. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 12 bytes in length. + * \param input Input buffer which must be at least 12 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + * + * \sa pyjamask_masked_96_encrypt() + */ +void pyjamask_masked_96_decrypt + (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-util.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask-128.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask-128.c new file mode 100644 index 0000000..a70a32f --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask-128.c @@ -0,0 +1,44 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "pyjamask.h" +#include "internal-pyjamask.h" + +aead_cipher_t const pyjamask_128_cipher = { + "Pyjamask-128-AEAD", + PYJAMASK_128_KEY_SIZE, + PYJAMASK_128_NONCE_SIZE, + PYJAMASK_128_TAG_SIZE, + AEAD_FLAG_NONE, + pyjamask_128_aead_encrypt, + pyjamask_128_aead_decrypt +}; + +#define OCB_ALG_NAME pyjamask_128 +#define OCB_BLOCK_SIZE 16 +#define OCB_NONCE_SIZE PYJAMASK_128_NONCE_SIZE +#define OCB_TAG_SIZE PYJAMASK_128_TAG_SIZE +#define OCB_KEY_SCHEDULE pyjamask_key_schedule_t +#define OCB_SETUP_KEY pyjamask_setup_key +#define OCB_ENCRYPT_BLOCK pyjamask_128_encrypt +#define OCB_DECRYPT_BLOCK pyjamask_128_decrypt +#include "internal-ocb.h" diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask.h new file mode 100644 index 0000000..23ec744 --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask.h @@ -0,0 +1,335 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_PYJAMASK_H +#define LWCRYPTO_PYJAMASK_H + +#include "aead-common.h" + +/** + * \file pyjamask.h + * \brief Pyjamask authenticated encryption algorithm. + * + * Pyjamask AEAD is a family of authenticated encryption algorithms that are + * built around the Pyjamask-128 and Pyjamask-96 block ciphers in OCB mode. + * Pyjamask-128-AEAD has a 128-bit key, a 96-bit nonce, and a 128-bit + * authentication tag. Pyjamask-96-AEAD has a 128-bit key, a 64-bit nonce, + * and a 96-bit authentication tag. + * + * References: https://pyjamask-cipher.github.io/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Pyjamask-128-AEAD. + */ +#define PYJAMASK_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Pyjamask-128-AEAD. + */ +#define PYJAMASK_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Pyjamask-128-AEAD. + */ +#define PYJAMASK_128_NONCE_SIZE 12 + +/** + * \brief Size of the key for Pyjamask-96-AEAD. + */ +#define PYJAMASK_96_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Pyjamask-96-AEAD. + */ +#define PYJAMASK_96_TAG_SIZE 12 + +/** + * \brief Size of the nonce for Pyjamask-96-AEAD. + */ +#define PYJAMASK_96_NONCE_SIZE 8 + +/** + * \brief Meta-information block for the Pyjamask-128-AEAD cipher. + */ +extern aead_cipher_t const pyjamask_128_cipher; + +/** + * \brief Meta-information block for the Pyjamask-96-AEAD cipher. + */ +extern aead_cipher_t const pyjamask_96_cipher; + +/** + * \brief Meta-information block for the masked Pyjamask-128-AEAD cipher. + */ +extern aead_cipher_t const pyjamask_masked_128_cipher; + +/** + * \brief Meta-information block for the masked Pyjamask-96-AEAD cipher. + */ +extern aead_cipher_t const pyjamask_masked_96_cipher; + +/** + * \brief Encrypts and authenticates a packet with Pyjamask-128-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa pyjamask_128_aead_decrypt() + */ +int pyjamask_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Pyjamask-128-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa pyjamask_128_aead_encrypt() + */ +int pyjamask_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Pyjamask-96-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 12 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa pyjamask_96_aead_decrypt() + */ +int pyjamask_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Pyjamask-96-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 12 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa pyjamask_96_aead_encrypt() + */ +int pyjamask_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with masked Pyjamask-128-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa pyjamask_masked_128_aead_decrypt() + */ +int pyjamask_masked_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with masked Pyjamask-128-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa pyjamask_masked_128_aead_encrypt() + */ +int pyjamask_masked_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with masked Pyjamask-96-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 12 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa pyjamask_masked_96_aead_decrypt() + */ +int pyjamask_masked_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with masked Pyjamask-96-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 12 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa pyjamask_masked_96_aead_encrypt() + */ +int pyjamask_masked_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/api.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/api.h new file mode 100644 index 0000000..bd8cdcb --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 8 +#define CRYPTO_ABYTES 12 +#define CRYPTO_NOOVERLAP 1 diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/encrypt.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/encrypt.c new file mode 100644 index 0000000..f09b0ed --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "pyjamask.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return pyjamask_96_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return pyjamask_96_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-ocb.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-ocb.h new file mode 100644 index 0000000..de544ba --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-ocb.h @@ -0,0 +1,335 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_OCB_H +#define LW_INTERNAL_OCB_H + +#include "internal-util.h" +#include + +/* We expect a number of macros to be defined before this file + * is included to configure the underlying block cipher: + * + * OCB_ALG_NAME Name of the algorithm that is using OCB mode. + * OCB_BLOCK_SIZE Size of the block for the underlying cipher in bytes. + * OCB_NONCE_SIZE Size of the nonce which must be < OCB_BLOCK_SIZE. + * OCB_TAG_SIZE Size of the authentication tag. + * OCB_KEY_SCHEDULE Type for the key schedule. + * OCB_SETUP_KEY Name of the key schedule setup function. + * OCB_ENCRYPT_BLOCK Name of the block cipher ECB encrypt function. + * OCB_DECRYPT_BLOCK Name of the block cipher ECB decrypt function. + * OCB_DOUBLE_L Name of the function to double L (optional). + */ +#if defined(OCB_ENCRYPT_BLOCK) + +/** + * \file internal-ocb.h + * \brief Internal implementation of the OCB block cipher mode. + * + * Note that OCB is covered by patents so it may not be usable in all + * applications. Open source applications should be covered, but for + * others you will need to contact the patent authors to find out + * if you can use it or if a paid license is required. + * + * License information: https://web.cs.ucdavis.edu/~rogaway/ocb/license.htm + * + * References: https://tools.ietf.org/html/rfc7253 + */ + +#define OCB_CONCAT_INNER(name,suffix) name##suffix +#define OCB_CONCAT(name,suffix) OCB_CONCAT_INNER(name,suffix) + +#if !defined(OCB_DOUBLE_L) + +#define OCB_DOUBLE_L OCB_CONCAT(OCB_ALG_NAME,_double_l) + +/* Double a value in GF(128) - default implementation */ +static void OCB_DOUBLE_L(unsigned char out[16], const unsigned char in[16]) +{ + unsigned index; + unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7); + for (index = 0; index < 15; ++index) + out[index] = (in[index] << 1) | (in[index + 1] >> 7); + out[15] = (in[15] << 1) ^ (mask & 0x87); +} + +#endif + +/* State information for OCB functions */ +#define OCB_STATE OCB_CONCAT(OCB_ALG_NAME,_state_t) +typedef struct +{ + OCB_KEY_SCHEDULE ks; + unsigned char Lstar[OCB_BLOCK_SIZE]; + unsigned char Ldollar[OCB_BLOCK_SIZE]; + unsigned char L0[OCB_BLOCK_SIZE]; + unsigned char L1[OCB_BLOCK_SIZE]; + +} OCB_STATE; + +/* Initializes the OCB state from the key and nonce */ +static void OCB_CONCAT(OCB_ALG_NAME,_init) + (OCB_STATE *state, const unsigned char *k, const unsigned char *nonce, + unsigned char offset[OCB_BLOCK_SIZE]) +{ + unsigned bottom; + + /* Set up the key schedule */ + OCB_SETUP_KEY(&(state->ks), k); + + /* Derive the values of L*, L$, L0, and L1 */ + memset(state->Lstar, 0, sizeof(state->Lstar)); + OCB_ENCRYPT_BLOCK(&(state->ks), state->Lstar, state->Lstar); + OCB_DOUBLE_L(state->Ldollar, state->Lstar); + OCB_DOUBLE_L(state->L0, state->Ldollar); + OCB_DOUBLE_L(state->L1, state->L0); + + /* Derive the initial offset from the nonce */ + memset(offset, 0, OCB_BLOCK_SIZE); + memcpy(offset + OCB_BLOCK_SIZE - OCB_NONCE_SIZE, nonce, OCB_NONCE_SIZE); + offset[0] = ((OCB_TAG_SIZE * 8) & 0x7F) << 1; + offset[OCB_BLOCK_SIZE - OCB_NONCE_SIZE - 1] |= 0x01; + bottom = offset[OCB_BLOCK_SIZE - 1] & 0x3F; + offset[OCB_BLOCK_SIZE - 1] &= 0xC0; + { + unsigned index; + unsigned byte_posn = bottom / 8; +#if OCB_BLOCK_SIZE == 16 + /* Standard OCB with a 128-bit block */ + unsigned char stretch[24]; + OCB_ENCRYPT_BLOCK(&(state->ks), stretch, offset); + memcpy(stretch + 16, stretch + 1, 8); + lw_xor_block(stretch + 16, stretch, 8); +#elif OCB_BLOCK_SIZE == 12 + /* 96-bit block handling from the Pyjamask specification */ + unsigned char stretch[20]; + OCB_ENCRYPT_BLOCK(&(state->ks), stretch, offset); + for (index = 0; index < 8; ++index) { + stretch[index + 12] = + (stretch[index + 1] << 1) | (stretch[index + 2] >> 7); + } + lw_xor_block(stretch + 12, stretch, 8); +#else + unsigned char stretch[OCB_BLOCK_SIZE + 8] = {0}; + #error "unsupported block size for OCB mode" +#endif + bottom %= 8; + if (bottom != 0) { + for (index = 0; index < OCB_BLOCK_SIZE; ++index) { + offset[index] = + (stretch[index + byte_posn] << bottom) | + (stretch[index + byte_posn + 1] >> (8 - bottom)); + } + } else { + memcpy(offset, stretch + byte_posn, OCB_BLOCK_SIZE); + } + } +} + +/* Calculate L_{ntz(i)} when the last two bits of i are zero */ +static void OCB_CONCAT(OCB_ALG_NAME,_calculate_L) + (OCB_STATE *state, unsigned char L[OCB_BLOCK_SIZE], unsigned long long i) +{ + OCB_DOUBLE_L(L, state->L1); + i >>= 2; + while ((i & 1) == 0) { + OCB_DOUBLE_L(L, L); + i >>= 1; + } +} + +/* Process associated data with OCB */ +static void OCB_CONCAT(OCB_ALG_NAME,_process_ad) + (OCB_STATE *state, unsigned char tag[OCB_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char offset[OCB_BLOCK_SIZE]; + unsigned char block[OCB_BLOCK_SIZE]; + unsigned long long block_number; + + /* Process all full blocks */ + memset(offset, 0, sizeof(offset)); + block_number = 1; + while (adlen >= OCB_BLOCK_SIZE) { + if (block_number & 1) { + lw_xor_block(offset, state->L0, OCB_BLOCK_SIZE); + } else if ((block_number & 3) == 2) { + lw_xor_block(offset, state->L1, OCB_BLOCK_SIZE); + } else { + OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(state, block, block_number); + lw_xor_block(offset, block, OCB_BLOCK_SIZE); + } + lw_xor_block_2_src(block, offset, ad, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state->ks), block, block); + lw_xor_block(tag, block, OCB_BLOCK_SIZE); + ad += OCB_BLOCK_SIZE; + adlen -= OCB_BLOCK_SIZE; + ++block_number; + } + + /* Pad and process the last partial block */ + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(offset, state->Lstar, OCB_BLOCK_SIZE); + lw_xor_block(offset, ad, temp); + offset[temp] ^= 0x80; + OCB_ENCRYPT_BLOCK(&(state->ks), block, offset); + lw_xor_block(tag, block, OCB_BLOCK_SIZE); + } +} + +int OCB_CONCAT(OCB_ALG_NAME,_aead_encrypt) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + OCB_STATE state; + unsigned char offset[OCB_BLOCK_SIZE]; + unsigned char sum[OCB_BLOCK_SIZE]; + unsigned char block[OCB_BLOCK_SIZE]; + unsigned long long block_number; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + OCB_TAG_SIZE; + + /* Initialize the OCB state */ + OCB_CONCAT(OCB_ALG_NAME,_init)(&state, k, npub, offset); + + /* Process all plaintext blocks except the last */ + memset(sum, 0, sizeof(sum)); + block_number = 1; + while (mlen >= OCB_BLOCK_SIZE) { + if (block_number & 1) { + lw_xor_block(offset, state.L0, OCB_BLOCK_SIZE); + } else if ((block_number & 3) == 2) { + lw_xor_block(offset, state.L1, OCB_BLOCK_SIZE); + } else { + OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(&state, block, block_number); + lw_xor_block(offset, block, OCB_BLOCK_SIZE); + } + lw_xor_block(sum, m, OCB_BLOCK_SIZE); + lw_xor_block_2_src(block, offset, m, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), block, block); + lw_xor_block_2_src(c, block, offset, OCB_BLOCK_SIZE); + c += OCB_BLOCK_SIZE; + m += OCB_BLOCK_SIZE; + mlen -= OCB_BLOCK_SIZE; + ++block_number; + } + + /* Pad and process the last plaintext block */ + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + lw_xor_block(offset, state.Lstar, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), block, offset); + lw_xor_block_2_src(c, block, m, temp); + c += temp; + } + + /* Finalize the encryption phase */ + lw_xor_block(sum, offset, OCB_BLOCK_SIZE); + lw_xor_block(sum, state.Ldollar, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), sum, sum); + + /* Process the associated data and compute the final authentication tag */ + OCB_CONCAT(OCB_ALG_NAME,_process_ad)(&state, sum, ad, adlen); + memcpy(c, sum, OCB_TAG_SIZE); + return 0; +} + +int OCB_CONCAT(OCB_ALG_NAME,_aead_decrypt) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + OCB_STATE state; + unsigned char *mtemp = m; + unsigned char offset[OCB_BLOCK_SIZE]; + unsigned char sum[OCB_BLOCK_SIZE]; + unsigned char block[OCB_BLOCK_SIZE]; + unsigned long long block_number; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < OCB_TAG_SIZE) + return -1; + *mlen = clen - OCB_TAG_SIZE; + + /* Initialize the OCB state */ + OCB_CONCAT(OCB_ALG_NAME,_init)(&state, k, npub, offset); + + /* Process all ciphertext blocks except the last */ + memset(sum, 0, sizeof(sum)); + block_number = 1; + clen -= OCB_TAG_SIZE; + while (clen >= OCB_BLOCK_SIZE) { + if (block_number & 1) { + lw_xor_block(offset, state.L0, OCB_BLOCK_SIZE); + } else if ((block_number & 3) == 2) { + lw_xor_block(offset, state.L1, OCB_BLOCK_SIZE); + } else { + OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(&state, block, block_number); + lw_xor_block(offset, block, OCB_BLOCK_SIZE); + } + lw_xor_block_2_src(block, offset, c, OCB_BLOCK_SIZE); + OCB_DECRYPT_BLOCK(&(state.ks), block, block); + lw_xor_block_2_src(m, block, offset, OCB_BLOCK_SIZE); + lw_xor_block(sum, m, OCB_BLOCK_SIZE); + c += OCB_BLOCK_SIZE; + m += OCB_BLOCK_SIZE; + clen -= OCB_BLOCK_SIZE; + ++block_number; + } + + /* Pad and process the last ciphertext block */ + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block(offset, state.Lstar, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), block, offset); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + c += temp; + } + + /* Finalize the decryption phase */ + lw_xor_block(sum, offset, OCB_BLOCK_SIZE); + lw_xor_block(sum, state.Ldollar, OCB_BLOCK_SIZE); + OCB_ENCRYPT_BLOCK(&(state.ks), sum, sum); + + /* Process the associated data and check the final authentication tag */ + OCB_CONCAT(OCB_ALG_NAME,_process_ad)(&state, sum, ad, adlen); + return aead_check_tag(mtemp, *mlen, sum, c, OCB_TAG_SIZE); +} + +#endif /* OCB_ENCRYPT_BLOCK */ + +#endif /* LW_INTERNAL_OCB_H */ diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.c new file mode 100644 index 0000000..f3a5655 --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.c @@ -0,0 +1,305 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-pyjamask.h" +#include "internal-util.h" + +/** + * \brief Performs a circulant binary matrix multiplication. + * + * \param x The matrix. + * \param y The vector to multiply with the matrix. + * + * \return The vector result of multiplying x by y. + */ +STATIC_INLINE uint32_t pyjamask_matrix_multiply(uint32_t x, uint32_t y) +{ + uint32_t result = 0; + int bit; + for (bit = 31; bit >= 0; --bit) { +#if defined(ESP32) + /* This version has slightly better performance on ESP32 */ + y = leftRotate1(y); + result ^= x & -(y & 1); + x = rightRotate1(x); +#else + result ^= x & -((y >> bit) & 1); + x = rightRotate1(x); +#endif + } + return result; +} + +void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key) +{ + uint32_t *rk = ks->k; + uint32_t k0, k1, k2, k3; + uint32_t temp; + uint8_t round; + + /* Load the words of the key */ + k0 = be_load_word32(key); + k1 = be_load_word32(key + 4); + k2 = be_load_word32(key + 8); + k3 = be_load_word32(key + 12); + + /* The first round key is the same as the key itself */ + rk[0] = k0; + rk[1] = k1; + rk[2] = k2; + rk[3] = k3; + rk += 4; + + /* Derive the round keys for all of the other rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) { + /* Mix the columns */ + temp = k0 ^ k1 ^ k2 ^ k3; + k0 ^= temp; + k1 ^= temp; + k2 ^= temp; + k3 ^= temp; + + /* Mix the rows and add the round constants. Note that the Pyjamask + * specification says that k1/k2/k3 should be rotated left by 8, 15, + * and 18 bits. But the reference code actually rotates the words + * right. And the test vectors in the specification match up with + * right rotations, not left. We match the reference code here */ + k0 = pyjamask_matrix_multiply(0xb881b9caU, k0) ^ 0x00000080U ^ round; + k1 = rightRotate8(k1) ^ 0x00006a00U; + k2 = rightRotate15(k2) ^ 0x003f0000U; + k3 = rightRotate18(k3) ^ 0x24000000U; + + /* Write the round key to the schedule */ + rk[0] = k0; + rk[1] = k1; + rk[2] = k2; + rk[3] = k3; + } +} + +void pyjamask_128_encrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + const uint32_t *rk = ks->k; + uint32_t s0, s1, s2, s3; + uint8_t round; + + /* Load the plaintext from the input buffer */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) { + /* Add the round key to the state */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + s3 ^= rk[3]; + + /* Apply the 128-bit Pyjamask sbox */ + s0 ^= s3; + s3 ^= s0 & s1; + s0 ^= s1 & s2; + s1 ^= s2 & s3; + s2 ^= s0 & s3; + s2 ^= s1; + s1 ^= s0; + s3 = ~s3; + s2 ^= s3; + s3 ^= s2; + s2 ^= s3; + + /* Mix the rows of the state */ + s0 = pyjamask_matrix_multiply(0xa3861085U, s0); + s1 = pyjamask_matrix_multiply(0x63417021U, s1); + s2 = pyjamask_matrix_multiply(0x692cf280U, s2); + s3 = pyjamask_matrix_multiply(0x48a54813U, s3); + } + + /* Mix in the key one last time */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + s3 ^= rk[3]; + + /* Write the ciphertext to the output buffer */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void pyjamask_128_decrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS; + uint32_t s0, s1, s2, s3; + uint8_t round; + + /* Load the ciphertext from the input buffer */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Mix in the last round key */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + s3 ^= rk[3]; + rk -= 4; + + /* Perform all decryption rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 4) { + /* Inverse mix of the rows in the state */ + s0 = pyjamask_matrix_multiply(0x2037a121U, s0); + s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1); + s2 = pyjamask_matrix_multiply(0x9054d8c0U, s2); + s3 = pyjamask_matrix_multiply(0x3354b117U, s3); + + /* Apply the inverse of the 128-bit Pyjamask sbox */ + s2 ^= s3; + s3 ^= s2; + s2 ^= s3; + s3 = ~s3; + s1 ^= s0; + s2 ^= s1; + s2 ^= s0 & s3; + s1 ^= s2 & s3; + s0 ^= s1 & s2; + s3 ^= s0 & s1; + s0 ^= s3; + + /* Add the round key to the state */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + s3 ^= rk[3]; + } + + /* Write the plaintext to the output buffer */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void pyjamask_96_encrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + const uint32_t *rk = ks->k; + uint32_t s0, s1, s2; + uint8_t round; + + /* Load the plaintext from the input buffer */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + + /* Perform all encryption rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) { + /* Add the round key to the state */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + + /* Apply the 96-bit Pyjamask sbox */ + s0 ^= s1; + s1 ^= s2; + s2 ^= s0 & s1; + s0 ^= s1 & s2; + s1 ^= s0 & s2; + s2 ^= s0; + s2 = ~s2; + s1 ^= s0; + s0 ^= s1; + + /* Mix the rows of the state */ + s0 = pyjamask_matrix_multiply(0xa3861085U, s0); + s1 = pyjamask_matrix_multiply(0x63417021U, s1); + s2 = pyjamask_matrix_multiply(0x692cf280U, s2); + } + + /* Mix in the key one last time */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + + /* Write the ciphertext to the output buffer */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); +} + +void pyjamask_96_decrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS; + uint32_t s0, s1, s2; + uint8_t round; + + /* Load the plaintext from the input buffer */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + + /* Mix in the last round key */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + rk -= 4; + + /* Perform all encryption rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 4) { + /* Inverse mix of the rows in the state */ + s0 = pyjamask_matrix_multiply(0x2037a121U, s0); + s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1); + s2 = pyjamask_matrix_multiply(0x9054d8c0U, s2); + + /* Apply the inverse of the 96-bit Pyjamask sbox */ + s0 ^= s1; + s1 ^= s0; + s2 = ~s2; + s2 ^= s0; + s1 ^= s0 & s2; + s0 ^= s1 & s2; + s2 ^= s0 & s1; + s1 ^= s2; + s0 ^= s1; + + /* Add the round key to the state */ + s0 ^= rk[0]; + s1 ^= rk[1]; + s2 ^= rk[2]; + } + + /* Write the ciphertext to the output buffer */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); +} diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.h new file mode 100644 index 0000000..3fd93a7 --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.h @@ -0,0 +1,215 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_PYJAMASK_H +#define LW_INTERNAL_PYJAMASK_H + +#include "internal-util.h" + +/** + * \file internal-pyjamask.h + * \brief Pyjamask block cipher. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Number of rounds in the Pyjamask block cipher. + */ +#define PYJAMASK_ROUNDS 14 + +/** + * \brief Number of parallel states for masked operation. + */ +#define PYJAMASK_MASKING_ORDER 4 + +/** + * \brief Structure of the key schedule for Pyjamask block ciphers. + */ +typedef struct +{ + uint32_t k[(PYJAMASK_ROUNDS + 1) * 4]; /**< Words of the key schedule */ + +} pyjamask_key_schedule_t; + +/** + * \brief Structure of the key schedule for masked Pyjamask block ciphers. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 4]; + +} pyjamask_masked_key_schedule_t; + +/** + * \brief Sets up the key schedule for the Pyjamask block cipher. + * + * \param ks The key schedule on output. + * \param key The 16 bytes of the key on input. + */ +void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key); + +/** + * \brief Encrypts a 128-bit block with Pyjamask-128. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \sa pyjamask_128_decrypt() + */ +void pyjamask_128_encrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with Pyjamask-128. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + * + * \sa pyjamask_128_encrypt() + */ +void pyjamask_128_decrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 96-bit block with Pyjamask-96. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 12 bytes in length. + * \param input Input buffer which must be at least 12 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \sa pyjamask_96_decrypt() + */ +void pyjamask_96_encrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 96-bit block with Pyjamask-96. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 12 bytes in length. + * \param input Input buffer which must be at least 12 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + * + * \sa pyjamask_96_encrypt() + */ +void pyjamask_96_decrypt + (const pyjamask_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Sets up the key schedule for the masked Pyjamask block cipher. + * + * \param ks The key schedule on output. + * \param key The 16 bytes of the key on input. + */ +void pyjamask_masked_setup_key + (pyjamask_masked_key_schedule_t *ks, const unsigned char *key); + +/** + * \brief Encrypts a 128-bit block with Pyjamask-128 in masked mode. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \sa pyjamask_masked_128_decrypt() + */ +void pyjamask_masked_128_encrypt + (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with Pyjamask-128 in masked mode. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + * + * \sa pyjamask_masked_128_encrypt() + */ +void pyjamask_masked_128_decrypt + (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 96-bit block with Pyjamask-96 in masked mode. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 12 bytes in length. + * \param input Input buffer which must be at least 12 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * \sa pyjamask_masked_96_decrypt() + */ +void pyjamask_masked_96_encrypt + (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 96-bit block with Pyjamask-96 in masked mode. + * + * \param ks Points to the key schedule. + * \param output Output buffer which must be at least 12 bytes in length. + * \param input Input buffer which must be at least 12 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + * + * \sa pyjamask_masked_96_encrypt() + */ +void pyjamask_masked_96_decrypt + (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-util.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask-96.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask-96.c new file mode 100644 index 0000000..3361699 --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask-96.c @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "pyjamask.h" +#include "internal-pyjamask.h" + +aead_cipher_t const pyjamask_96_cipher = { + "Pyjamask-96-AEAD", + PYJAMASK_96_KEY_SIZE, + PYJAMASK_96_NONCE_SIZE, + PYJAMASK_96_TAG_SIZE, + AEAD_FLAG_NONE, + pyjamask_96_aead_encrypt, + pyjamask_96_aead_decrypt +}; + +/* Double a value in GF(96) */ +static void pyjamask_96_double_l + (unsigned char out[12], const unsigned char in[12]) +{ + unsigned index; + unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7); + for (index = 0; index < 11; ++index) + out[index] = (in[index] << 1) | (in[index + 1] >> 7); + out[11] = (in[11] << 1) ^ (mask & 0x41); + out[10] ^= (mask & 0x06); +} + +#define OCB_ALG_NAME pyjamask_96 +#define OCB_BLOCK_SIZE 12 +#define OCB_NONCE_SIZE PYJAMASK_96_NONCE_SIZE +#define OCB_TAG_SIZE PYJAMASK_96_TAG_SIZE +#define OCB_KEY_SCHEDULE pyjamask_key_schedule_t +#define OCB_SETUP_KEY pyjamask_setup_key +#define OCB_ENCRYPT_BLOCK pyjamask_96_encrypt +#define OCB_DECRYPT_BLOCK pyjamask_96_decrypt +#define OCB_DOUBLE_L pyjamask_96_double_l +#include "internal-ocb.h" diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask.h new file mode 100644 index 0000000..23ec744 --- /dev/null +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask.h @@ -0,0 +1,335 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_PYJAMASK_H +#define LWCRYPTO_PYJAMASK_H + +#include "aead-common.h" + +/** + * \file pyjamask.h + * \brief Pyjamask authenticated encryption algorithm. + * + * Pyjamask AEAD is a family of authenticated encryption algorithms that are + * built around the Pyjamask-128 and Pyjamask-96 block ciphers in OCB mode. + * Pyjamask-128-AEAD has a 128-bit key, a 96-bit nonce, and a 128-bit + * authentication tag. Pyjamask-96-AEAD has a 128-bit key, a 64-bit nonce, + * and a 96-bit authentication tag. + * + * References: https://pyjamask-cipher.github.io/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Pyjamask-128-AEAD. + */ +#define PYJAMASK_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Pyjamask-128-AEAD. + */ +#define PYJAMASK_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Pyjamask-128-AEAD. + */ +#define PYJAMASK_128_NONCE_SIZE 12 + +/** + * \brief Size of the key for Pyjamask-96-AEAD. + */ +#define PYJAMASK_96_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Pyjamask-96-AEAD. + */ +#define PYJAMASK_96_TAG_SIZE 12 + +/** + * \brief Size of the nonce for Pyjamask-96-AEAD. + */ +#define PYJAMASK_96_NONCE_SIZE 8 + +/** + * \brief Meta-information block for the Pyjamask-128-AEAD cipher. + */ +extern aead_cipher_t const pyjamask_128_cipher; + +/** + * \brief Meta-information block for the Pyjamask-96-AEAD cipher. + */ +extern aead_cipher_t const pyjamask_96_cipher; + +/** + * \brief Meta-information block for the masked Pyjamask-128-AEAD cipher. + */ +extern aead_cipher_t const pyjamask_masked_128_cipher; + +/** + * \brief Meta-information block for the masked Pyjamask-96-AEAD cipher. + */ +extern aead_cipher_t const pyjamask_masked_96_cipher; + +/** + * \brief Encrypts and authenticates a packet with Pyjamask-128-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa pyjamask_128_aead_decrypt() + */ +int pyjamask_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Pyjamask-128-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa pyjamask_128_aead_encrypt() + */ +int pyjamask_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Pyjamask-96-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 12 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa pyjamask_96_aead_decrypt() + */ +int pyjamask_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Pyjamask-96-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 12 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa pyjamask_96_aead_encrypt() + */ +int pyjamask_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with masked Pyjamask-128-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa pyjamask_masked_128_aead_decrypt() + */ +int pyjamask_masked_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with masked Pyjamask-128-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa pyjamask_masked_128_aead_encrypt() + */ +int pyjamask_masked_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with masked Pyjamask-96-AEAD. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 12 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa pyjamask_masked_96_aead_decrypt() + */ +int pyjamask_masked_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with masked Pyjamask-96-AEAD. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 12 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa pyjamask_masked_96_aead_encrypt() + */ +int pyjamask_masked_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.c b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.h b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/api.h b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/encrypt.c b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/encrypt.c new file mode 100644 index 0000000..f13a728 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "romulus.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_m1_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_m1_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.c new file mode 100644 index 0000000..be1c0fa --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.c @@ -0,0 +1,1963 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "romulus.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const romulus_n1_cipher = { + "Romulus-N1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n1_aead_encrypt, + romulus_n1_aead_decrypt +}; + +aead_cipher_t const romulus_n2_cipher = { + "Romulus-N2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n2_aead_encrypt, + romulus_n2_aead_decrypt +}; + +aead_cipher_t const romulus_n3_cipher = { + "Romulus-N3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n3_aead_encrypt, + romulus_n3_aead_decrypt +}; + +aead_cipher_t const romulus_m1_cipher = { + "Romulus-M1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m1_aead_encrypt, + romulus_m1_aead_decrypt +}; + +aead_cipher_t const romulus_m2_cipher = { + "Romulus-M2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m2_aead_encrypt, + romulus_m2_aead_decrypt +}; + +aead_cipher_t const romulus_m3_cipher = { + "Romulus-M3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m3_aead_encrypt, + romulus_m3_aead_decrypt +}; + +/** + * \brief Limit on the number of bytes of message or associated data (128Mb). + * + * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for + * payloads well into the petabyte range. It is unlikely that an embedded + * device will have that much memory to store a contiguous packet! + * + * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper + * 24 bits are difficult to modify in the key schedule. So we only + * update the low 24 bits and leave the high 24 bits fixed. + * + * Romulus-N3 and Romulus-M3 use a 24-bit block counter. + * + * For all algorithms, we limit the block counter to 2^23 so that the block + * counter can never exceed 2^24 - 1. + */ +#define ROMULUS_DATA_LIMIT \ + ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE)) + +/** + * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 16 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus1_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + if (npub) + memcpy(TK, npub, 16); + else + memset(TK, 0, 16); + memcpy(TK + 16, k, 16); + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ +} + +/** + * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus2_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + memcpy(TK, k, 16); + memset(TK + 16, 0, 16); + TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus3_init + (skinny_128_256_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + skinny_128_256_init(ks, k, 16); + ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Sets the domain separation value for Romulus-N1 and M1. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N2 and M2. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N3 and M3. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7); + TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7); + TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7); + TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7); + TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x95); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + * + * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of + * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. + */ +STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) + +/** + * \brief Process the asssociated data for Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + skinny_128_384_encrypt_tk2(ks, S, S, npub); + return; + } + + /* Process all double blocks except the last */ + romulus1_set_domain(ks, 0x08); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Pad and process the left-over blocks */ + romulus1_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 32) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x18); + } else if (temp > 16) { + /* Left-over partial double block */ + unsigned char pad[16]; + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, 15 - temp); + pad[15] = temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus1_set_domain(ks, 0x18); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus1_set_domain(ks, 0x1A); + } + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus2_set_domain(ks, 0x48); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus2_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x58); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus2_set_domain(ks, 0x58); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus2_set_domain(ks, 0x5A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus3_set_domain(ks, 0x88); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus3_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x98); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus3_set_domain(ks, 0x98); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus3_set_domain(ks, 0x9A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Determine the domain separation value to use on the last + * block of the associated data processing. + * + * \param adlen Length of the associated data in bytes. + * \param mlen Length of the message in bytes. + * \param t Size of the second half of a double block; 12 or 16. + * + * \return The domain separation bits to use to finalize the last block. + */ +static uint8_t romulus_m_final_ad_domain + (unsigned long long adlen, unsigned long long mlen, unsigned t) +{ + uint8_t domain = 0; + unsigned split = 16U; + unsigned leftover; + + /* Determine which domain bits we need based on the length of the ad */ + if (adlen == 0) { + /* No associated data, so only 1 block with padding */ + domain ^= 0x02; + split = t; + } else { + /* Even or odd associated data length? */ + leftover = (unsigned)(adlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x08; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x02; + split = t; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x0A; + } else { + /* Odd with a full single block at the end */ + split = t; + } + } + + /* Determine which domain bits we need based on the length of the message */ + if (mlen == 0) { + /* No message, so only 1 block with padding */ + domain ^= 0x01; + } else { + /* Even or odd message length? */ + leftover = (unsigned)(mlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x04; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x01; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x05; + } + } + return domain; +} + +/** + * \brief Process the asssociated data for Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char pad[16]; + uint8_t final_domain = 0x30; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); + + /* Process all associated data double blocks except the last */ + romulus1_set_domain(ks, 0x28); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 32) { + /* Last associated data double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus1_set_domain(ks, 0x2C); + romulus1_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + romulus1_update_counter(ks->TK1); + m += 16; + mlen -= 16; + } else if (mlen == 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + m += 16; + mlen -= 16; + } else { + temp = (unsigned)mlen; + memcpy(pad, m, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus1_set_domain(ks, 0x2C); + while (mlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + romulus1_update_counter(ks->TK1); + m += 32; + mlen -= 32; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 32) { + /* Last message double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(pad, m + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus1_set_domain(ks, final_domain); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0x70; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus2_set_domain(ks, 0x68); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus2_set_domain(ks, 0x6C); + romulus2_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus2_set_domain(ks, 0x6C); + while (mlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus2_set_domain(ks, final_domain); + romulus2_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0xB0; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus3_set_domain(ks, 0xA8); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus3_set_domain(ks, 0xAC); + romulus3_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus3_set_domain(ks, 0xAC); + while (mlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus3_set_domain(ks, final_domain); + romulus3_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Applies the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + */ +STATIC_INLINE void romulus_rho + (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } +} + +/** + * \brief Applies the inverse of the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + */ +STATIC_INLINE void romulus_rho_inverse + (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } +} + +/** + * \brief Applies the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_short + (unsigned char S[16], unsigned char C[16], + const unsigned char M[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Applies the inverse of the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_inverse_short + (unsigned char S[16], unsigned char M[16], + const unsigned char C[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Encrypts a plaintext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho(S, c, m); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho_inverse(S, m, c); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho(S, c, m); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho_inverse(S, m, c); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho(S, c, m); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho_inverse(S, m, c); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Generates the authentication tag from the rolling Romulus state. + * + * \param T Buffer to receive the generated tag; can be the same as S. + * \param S The rolling Romulus state. + */ +STATIC_INLINE void romulus_generate_tag + (unsigned char T[16], const unsigned char S[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7); + } +} + +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n1_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n1_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n2_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n2_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n3_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n3_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m1_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m1_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m2_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m2_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m3_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m3_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} diff --git a/romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.h b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.h new file mode 100644 index 0000000..e6da29d --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1v12/rhys/romulus.h @@ -0,0 +1,476 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ROMULUS_H +#define LWCRYPTO_ROMULUS_H + +#include "aead-common.h" + +/** + * \file romulus.h + * \brief Romulus authenticated encryption algorithm family. + * + * Romulus is a family of authenticated encryption algorithms that + * are built around the SKINNY-128 tweakable block cipher. There + * are six members in the family: + * + * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The Romulus-M variants are resistant to nonce reuse as long as the + * combination of the associated data and plaintext is unique. If the + * same associated data and plaintext are reused under the same nonce, + * then the scheme will leak that the same plaintext has been sent for a + * second time but will not reveal the plaintext itself. + * + * References: https://romulusae.github.io/romulus/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all Romulus family members. + */ +#define ROMULUS_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all Romulus family members. + */ +#define ROMULUS_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N1 and Romulus-M1. + */ +#define ROMULUS1_NONCE_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N2 and Romulus-M2. + */ +#define ROMULUS2_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for Romulus-N3 and Romulus-M3. + */ +#define ROMULUS3_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Romulus-N1 cipher. + */ +extern aead_cipher_t const romulus_n1_cipher; + +/** + * \brief Meta-information block for the Romulus-N2 cipher. + */ +extern aead_cipher_t const romulus_n2_cipher; + +/** + * \brief Meta-information block for the Romulus-N3 cipher. + */ +extern aead_cipher_t const romulus_n3_cipher; + +/** + * \brief Meta-information block for the Romulus-M1 cipher. + */ +extern aead_cipher_t const romulus_m1_cipher; + +/** + * \brief Meta-information block for the Romulus-M2 cipher. + */ +extern aead_cipher_t const romulus_m2_cipher; + +/** + * \brief Meta-information block for the Romulus-M3 cipher. + */ +extern aead_cipher_t const romulus_m3_cipher; + +/** + * \brief Encrypts and authenticates a packet with Romulus-N1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n1_aead_decrypt() + */ +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n1_aead_encrypt() + */ +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n2_aead_decrypt() + */ +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n2_aead_encrypt() + */ +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n3_aead_decrypt() + */ +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n3_aead_encrypt() + */ +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m1_aead_decrypt() + */ +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m1_aead_encrypt() + */ +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m2_aead_decrypt() + */ +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m2_aead_encrypt() + */ +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m3_aead_decrypt() + */ +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m3_aead_encrypt() + */ +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.c b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.h b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/api.h b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/encrypt.c b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/encrypt.c new file mode 100644 index 0000000..520d992 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "romulus.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_m2_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_m2_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.c new file mode 100644 index 0000000..be1c0fa --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.c @@ -0,0 +1,1963 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "romulus.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const romulus_n1_cipher = { + "Romulus-N1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n1_aead_encrypt, + romulus_n1_aead_decrypt +}; + +aead_cipher_t const romulus_n2_cipher = { + "Romulus-N2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n2_aead_encrypt, + romulus_n2_aead_decrypt +}; + +aead_cipher_t const romulus_n3_cipher = { + "Romulus-N3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n3_aead_encrypt, + romulus_n3_aead_decrypt +}; + +aead_cipher_t const romulus_m1_cipher = { + "Romulus-M1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m1_aead_encrypt, + romulus_m1_aead_decrypt +}; + +aead_cipher_t const romulus_m2_cipher = { + "Romulus-M2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m2_aead_encrypt, + romulus_m2_aead_decrypt +}; + +aead_cipher_t const romulus_m3_cipher = { + "Romulus-M3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m3_aead_encrypt, + romulus_m3_aead_decrypt +}; + +/** + * \brief Limit on the number of bytes of message or associated data (128Mb). + * + * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for + * payloads well into the petabyte range. It is unlikely that an embedded + * device will have that much memory to store a contiguous packet! + * + * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper + * 24 bits are difficult to modify in the key schedule. So we only + * update the low 24 bits and leave the high 24 bits fixed. + * + * Romulus-N3 and Romulus-M3 use a 24-bit block counter. + * + * For all algorithms, we limit the block counter to 2^23 so that the block + * counter can never exceed 2^24 - 1. + */ +#define ROMULUS_DATA_LIMIT \ + ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE)) + +/** + * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 16 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus1_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + if (npub) + memcpy(TK, npub, 16); + else + memset(TK, 0, 16); + memcpy(TK + 16, k, 16); + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ +} + +/** + * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus2_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + memcpy(TK, k, 16); + memset(TK + 16, 0, 16); + TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus3_init + (skinny_128_256_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + skinny_128_256_init(ks, k, 16); + ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Sets the domain separation value for Romulus-N1 and M1. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N2 and M2. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N3 and M3. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7); + TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7); + TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7); + TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7); + TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x95); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + * + * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of + * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. + */ +STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) + +/** + * \brief Process the asssociated data for Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + skinny_128_384_encrypt_tk2(ks, S, S, npub); + return; + } + + /* Process all double blocks except the last */ + romulus1_set_domain(ks, 0x08); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Pad and process the left-over blocks */ + romulus1_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 32) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x18); + } else if (temp > 16) { + /* Left-over partial double block */ + unsigned char pad[16]; + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, 15 - temp); + pad[15] = temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus1_set_domain(ks, 0x18); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus1_set_domain(ks, 0x1A); + } + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus2_set_domain(ks, 0x48); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus2_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x58); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus2_set_domain(ks, 0x58); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus2_set_domain(ks, 0x5A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus3_set_domain(ks, 0x88); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus3_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x98); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus3_set_domain(ks, 0x98); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus3_set_domain(ks, 0x9A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Determine the domain separation value to use on the last + * block of the associated data processing. + * + * \param adlen Length of the associated data in bytes. + * \param mlen Length of the message in bytes. + * \param t Size of the second half of a double block; 12 or 16. + * + * \return The domain separation bits to use to finalize the last block. + */ +static uint8_t romulus_m_final_ad_domain + (unsigned long long adlen, unsigned long long mlen, unsigned t) +{ + uint8_t domain = 0; + unsigned split = 16U; + unsigned leftover; + + /* Determine which domain bits we need based on the length of the ad */ + if (adlen == 0) { + /* No associated data, so only 1 block with padding */ + domain ^= 0x02; + split = t; + } else { + /* Even or odd associated data length? */ + leftover = (unsigned)(adlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x08; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x02; + split = t; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x0A; + } else { + /* Odd with a full single block at the end */ + split = t; + } + } + + /* Determine which domain bits we need based on the length of the message */ + if (mlen == 0) { + /* No message, so only 1 block with padding */ + domain ^= 0x01; + } else { + /* Even or odd message length? */ + leftover = (unsigned)(mlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x04; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x01; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x05; + } + } + return domain; +} + +/** + * \brief Process the asssociated data for Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char pad[16]; + uint8_t final_domain = 0x30; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); + + /* Process all associated data double blocks except the last */ + romulus1_set_domain(ks, 0x28); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 32) { + /* Last associated data double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus1_set_domain(ks, 0x2C); + romulus1_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + romulus1_update_counter(ks->TK1); + m += 16; + mlen -= 16; + } else if (mlen == 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + m += 16; + mlen -= 16; + } else { + temp = (unsigned)mlen; + memcpy(pad, m, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus1_set_domain(ks, 0x2C); + while (mlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + romulus1_update_counter(ks->TK1); + m += 32; + mlen -= 32; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 32) { + /* Last message double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(pad, m + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus1_set_domain(ks, final_domain); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0x70; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus2_set_domain(ks, 0x68); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus2_set_domain(ks, 0x6C); + romulus2_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus2_set_domain(ks, 0x6C); + while (mlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus2_set_domain(ks, final_domain); + romulus2_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0xB0; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus3_set_domain(ks, 0xA8); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus3_set_domain(ks, 0xAC); + romulus3_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus3_set_domain(ks, 0xAC); + while (mlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus3_set_domain(ks, final_domain); + romulus3_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Applies the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + */ +STATIC_INLINE void romulus_rho + (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } +} + +/** + * \brief Applies the inverse of the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + */ +STATIC_INLINE void romulus_rho_inverse + (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } +} + +/** + * \brief Applies the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_short + (unsigned char S[16], unsigned char C[16], + const unsigned char M[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Applies the inverse of the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_inverse_short + (unsigned char S[16], unsigned char M[16], + const unsigned char C[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Encrypts a plaintext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho(S, c, m); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho_inverse(S, m, c); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho(S, c, m); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho_inverse(S, m, c); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho(S, c, m); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho_inverse(S, m, c); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Generates the authentication tag from the rolling Romulus state. + * + * \param T Buffer to receive the generated tag; can be the same as S. + * \param S The rolling Romulus state. + */ +STATIC_INLINE void romulus_generate_tag + (unsigned char T[16], const unsigned char S[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7); + } +} + +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n1_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n1_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n2_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n2_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n3_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n3_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m1_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m1_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m2_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m2_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m3_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m3_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} diff --git a/romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.h b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.h new file mode 100644 index 0000000..e6da29d --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm2v12/rhys/romulus.h @@ -0,0 +1,476 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ROMULUS_H +#define LWCRYPTO_ROMULUS_H + +#include "aead-common.h" + +/** + * \file romulus.h + * \brief Romulus authenticated encryption algorithm family. + * + * Romulus is a family of authenticated encryption algorithms that + * are built around the SKINNY-128 tweakable block cipher. There + * are six members in the family: + * + * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The Romulus-M variants are resistant to nonce reuse as long as the + * combination of the associated data and plaintext is unique. If the + * same associated data and plaintext are reused under the same nonce, + * then the scheme will leak that the same plaintext has been sent for a + * second time but will not reveal the plaintext itself. + * + * References: https://romulusae.github.io/romulus/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all Romulus family members. + */ +#define ROMULUS_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all Romulus family members. + */ +#define ROMULUS_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N1 and Romulus-M1. + */ +#define ROMULUS1_NONCE_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N2 and Romulus-M2. + */ +#define ROMULUS2_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for Romulus-N3 and Romulus-M3. + */ +#define ROMULUS3_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Romulus-N1 cipher. + */ +extern aead_cipher_t const romulus_n1_cipher; + +/** + * \brief Meta-information block for the Romulus-N2 cipher. + */ +extern aead_cipher_t const romulus_n2_cipher; + +/** + * \brief Meta-information block for the Romulus-N3 cipher. + */ +extern aead_cipher_t const romulus_n3_cipher; + +/** + * \brief Meta-information block for the Romulus-M1 cipher. + */ +extern aead_cipher_t const romulus_m1_cipher; + +/** + * \brief Meta-information block for the Romulus-M2 cipher. + */ +extern aead_cipher_t const romulus_m2_cipher; + +/** + * \brief Meta-information block for the Romulus-M3 cipher. + */ +extern aead_cipher_t const romulus_m3_cipher; + +/** + * \brief Encrypts and authenticates a packet with Romulus-N1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n1_aead_decrypt() + */ +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n1_aead_encrypt() + */ +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n2_aead_decrypt() + */ +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n2_aead_encrypt() + */ +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n3_aead_decrypt() + */ +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n3_aead_encrypt() + */ +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m1_aead_decrypt() + */ +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m1_aead_encrypt() + */ +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m2_aead_decrypt() + */ +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m2_aead_encrypt() + */ +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m3_aead_decrypt() + */ +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m3_aead_encrypt() + */ +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.c b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.h b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/api.h b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/encrypt.c b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/encrypt.c new file mode 100644 index 0000000..7e0c676 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "romulus.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_m3_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_m3_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.c new file mode 100644 index 0000000..be1c0fa --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.c @@ -0,0 +1,1963 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "romulus.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const romulus_n1_cipher = { + "Romulus-N1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n1_aead_encrypt, + romulus_n1_aead_decrypt +}; + +aead_cipher_t const romulus_n2_cipher = { + "Romulus-N2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n2_aead_encrypt, + romulus_n2_aead_decrypt +}; + +aead_cipher_t const romulus_n3_cipher = { + "Romulus-N3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n3_aead_encrypt, + romulus_n3_aead_decrypt +}; + +aead_cipher_t const romulus_m1_cipher = { + "Romulus-M1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m1_aead_encrypt, + romulus_m1_aead_decrypt +}; + +aead_cipher_t const romulus_m2_cipher = { + "Romulus-M2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m2_aead_encrypt, + romulus_m2_aead_decrypt +}; + +aead_cipher_t const romulus_m3_cipher = { + "Romulus-M3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m3_aead_encrypt, + romulus_m3_aead_decrypt +}; + +/** + * \brief Limit on the number of bytes of message or associated data (128Mb). + * + * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for + * payloads well into the petabyte range. It is unlikely that an embedded + * device will have that much memory to store a contiguous packet! + * + * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper + * 24 bits are difficult to modify in the key schedule. So we only + * update the low 24 bits and leave the high 24 bits fixed. + * + * Romulus-N3 and Romulus-M3 use a 24-bit block counter. + * + * For all algorithms, we limit the block counter to 2^23 so that the block + * counter can never exceed 2^24 - 1. + */ +#define ROMULUS_DATA_LIMIT \ + ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE)) + +/** + * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 16 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus1_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + if (npub) + memcpy(TK, npub, 16); + else + memset(TK, 0, 16); + memcpy(TK + 16, k, 16); + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ +} + +/** + * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus2_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + memcpy(TK, k, 16); + memset(TK + 16, 0, 16); + TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus3_init + (skinny_128_256_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + skinny_128_256_init(ks, k, 16); + ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Sets the domain separation value for Romulus-N1 and M1. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N2 and M2. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N3 and M3. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7); + TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7); + TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7); + TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7); + TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x95); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + * + * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of + * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. + */ +STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) + +/** + * \brief Process the asssociated data for Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + skinny_128_384_encrypt_tk2(ks, S, S, npub); + return; + } + + /* Process all double blocks except the last */ + romulus1_set_domain(ks, 0x08); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Pad and process the left-over blocks */ + romulus1_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 32) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x18); + } else if (temp > 16) { + /* Left-over partial double block */ + unsigned char pad[16]; + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, 15 - temp); + pad[15] = temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus1_set_domain(ks, 0x18); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus1_set_domain(ks, 0x1A); + } + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus2_set_domain(ks, 0x48); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus2_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x58); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus2_set_domain(ks, 0x58); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus2_set_domain(ks, 0x5A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus3_set_domain(ks, 0x88); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus3_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x98); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus3_set_domain(ks, 0x98); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus3_set_domain(ks, 0x9A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Determine the domain separation value to use on the last + * block of the associated data processing. + * + * \param adlen Length of the associated data in bytes. + * \param mlen Length of the message in bytes. + * \param t Size of the second half of a double block; 12 or 16. + * + * \return The domain separation bits to use to finalize the last block. + */ +static uint8_t romulus_m_final_ad_domain + (unsigned long long adlen, unsigned long long mlen, unsigned t) +{ + uint8_t domain = 0; + unsigned split = 16U; + unsigned leftover; + + /* Determine which domain bits we need based on the length of the ad */ + if (adlen == 0) { + /* No associated data, so only 1 block with padding */ + domain ^= 0x02; + split = t; + } else { + /* Even or odd associated data length? */ + leftover = (unsigned)(adlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x08; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x02; + split = t; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x0A; + } else { + /* Odd with a full single block at the end */ + split = t; + } + } + + /* Determine which domain bits we need based on the length of the message */ + if (mlen == 0) { + /* No message, so only 1 block with padding */ + domain ^= 0x01; + } else { + /* Even or odd message length? */ + leftover = (unsigned)(mlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x04; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x01; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x05; + } + } + return domain; +} + +/** + * \brief Process the asssociated data for Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char pad[16]; + uint8_t final_domain = 0x30; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); + + /* Process all associated data double blocks except the last */ + romulus1_set_domain(ks, 0x28); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 32) { + /* Last associated data double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus1_set_domain(ks, 0x2C); + romulus1_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + romulus1_update_counter(ks->TK1); + m += 16; + mlen -= 16; + } else if (mlen == 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + m += 16; + mlen -= 16; + } else { + temp = (unsigned)mlen; + memcpy(pad, m, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus1_set_domain(ks, 0x2C); + while (mlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + romulus1_update_counter(ks->TK1); + m += 32; + mlen -= 32; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 32) { + /* Last message double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(pad, m + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus1_set_domain(ks, final_domain); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0x70; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus2_set_domain(ks, 0x68); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus2_set_domain(ks, 0x6C); + romulus2_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus2_set_domain(ks, 0x6C); + while (mlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus2_set_domain(ks, final_domain); + romulus2_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0xB0; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus3_set_domain(ks, 0xA8); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus3_set_domain(ks, 0xAC); + romulus3_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus3_set_domain(ks, 0xAC); + while (mlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus3_set_domain(ks, final_domain); + romulus3_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Applies the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + */ +STATIC_INLINE void romulus_rho + (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } +} + +/** + * \brief Applies the inverse of the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + */ +STATIC_INLINE void romulus_rho_inverse + (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } +} + +/** + * \brief Applies the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_short + (unsigned char S[16], unsigned char C[16], + const unsigned char M[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Applies the inverse of the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_inverse_short + (unsigned char S[16], unsigned char M[16], + const unsigned char C[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Encrypts a plaintext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho(S, c, m); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho_inverse(S, m, c); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho(S, c, m); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho_inverse(S, m, c); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho(S, c, m); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho_inverse(S, m, c); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Generates the authentication tag from the rolling Romulus state. + * + * \param T Buffer to receive the generated tag; can be the same as S. + * \param S The rolling Romulus state. + */ +STATIC_INLINE void romulus_generate_tag + (unsigned char T[16], const unsigned char S[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7); + } +} + +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n1_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n1_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n2_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n2_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n3_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n3_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m1_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m1_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m2_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m2_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m3_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m3_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} diff --git a/romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.h b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.h new file mode 100644 index 0000000..e6da29d --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm3v12/rhys/romulus.h @@ -0,0 +1,476 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ROMULUS_H +#define LWCRYPTO_ROMULUS_H + +#include "aead-common.h" + +/** + * \file romulus.h + * \brief Romulus authenticated encryption algorithm family. + * + * Romulus is a family of authenticated encryption algorithms that + * are built around the SKINNY-128 tweakable block cipher. There + * are six members in the family: + * + * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The Romulus-M variants are resistant to nonce reuse as long as the + * combination of the associated data and plaintext is unique. If the + * same associated data and plaintext are reused under the same nonce, + * then the scheme will leak that the same plaintext has been sent for a + * second time but will not reveal the plaintext itself. + * + * References: https://romulusae.github.io/romulus/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all Romulus family members. + */ +#define ROMULUS_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all Romulus family members. + */ +#define ROMULUS_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N1 and Romulus-M1. + */ +#define ROMULUS1_NONCE_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N2 and Romulus-M2. + */ +#define ROMULUS2_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for Romulus-N3 and Romulus-M3. + */ +#define ROMULUS3_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Romulus-N1 cipher. + */ +extern aead_cipher_t const romulus_n1_cipher; + +/** + * \brief Meta-information block for the Romulus-N2 cipher. + */ +extern aead_cipher_t const romulus_n2_cipher; + +/** + * \brief Meta-information block for the Romulus-N3 cipher. + */ +extern aead_cipher_t const romulus_n3_cipher; + +/** + * \brief Meta-information block for the Romulus-M1 cipher. + */ +extern aead_cipher_t const romulus_m1_cipher; + +/** + * \brief Meta-information block for the Romulus-M2 cipher. + */ +extern aead_cipher_t const romulus_m2_cipher; + +/** + * \brief Meta-information block for the Romulus-M3 cipher. + */ +extern aead_cipher_t const romulus_m3_cipher; + +/** + * \brief Encrypts and authenticates a packet with Romulus-N1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n1_aead_decrypt() + */ +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n1_aead_encrypt() + */ +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n2_aead_decrypt() + */ +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n2_aead_encrypt() + */ +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n3_aead_decrypt() + */ +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n3_aead_encrypt() + */ +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m1_aead_decrypt() + */ +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m1_aead_encrypt() + */ +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m2_aead_decrypt() + */ +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m2_aead_encrypt() + */ +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m3_aead_decrypt() + */ +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m3_aead_encrypt() + */ +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.c b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.h b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/api.h b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/encrypt.c b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/encrypt.c new file mode 100644 index 0000000..444a0c6 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "romulus.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_n1_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_n1_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.c new file mode 100644 index 0000000..be1c0fa --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.c @@ -0,0 +1,1963 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "romulus.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const romulus_n1_cipher = { + "Romulus-N1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n1_aead_encrypt, + romulus_n1_aead_decrypt +}; + +aead_cipher_t const romulus_n2_cipher = { + "Romulus-N2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n2_aead_encrypt, + romulus_n2_aead_decrypt +}; + +aead_cipher_t const romulus_n3_cipher = { + "Romulus-N3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n3_aead_encrypt, + romulus_n3_aead_decrypt +}; + +aead_cipher_t const romulus_m1_cipher = { + "Romulus-M1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m1_aead_encrypt, + romulus_m1_aead_decrypt +}; + +aead_cipher_t const romulus_m2_cipher = { + "Romulus-M2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m2_aead_encrypt, + romulus_m2_aead_decrypt +}; + +aead_cipher_t const romulus_m3_cipher = { + "Romulus-M3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m3_aead_encrypt, + romulus_m3_aead_decrypt +}; + +/** + * \brief Limit on the number of bytes of message or associated data (128Mb). + * + * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for + * payloads well into the petabyte range. It is unlikely that an embedded + * device will have that much memory to store a contiguous packet! + * + * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper + * 24 bits are difficult to modify in the key schedule. So we only + * update the low 24 bits and leave the high 24 bits fixed. + * + * Romulus-N3 and Romulus-M3 use a 24-bit block counter. + * + * For all algorithms, we limit the block counter to 2^23 so that the block + * counter can never exceed 2^24 - 1. + */ +#define ROMULUS_DATA_LIMIT \ + ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE)) + +/** + * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 16 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus1_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + if (npub) + memcpy(TK, npub, 16); + else + memset(TK, 0, 16); + memcpy(TK + 16, k, 16); + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ +} + +/** + * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus2_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + memcpy(TK, k, 16); + memset(TK + 16, 0, 16); + TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus3_init + (skinny_128_256_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + skinny_128_256_init(ks, k, 16); + ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Sets the domain separation value for Romulus-N1 and M1. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N2 and M2. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N3 and M3. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7); + TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7); + TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7); + TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7); + TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x95); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + * + * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of + * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. + */ +STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) + +/** + * \brief Process the asssociated data for Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + skinny_128_384_encrypt_tk2(ks, S, S, npub); + return; + } + + /* Process all double blocks except the last */ + romulus1_set_domain(ks, 0x08); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Pad and process the left-over blocks */ + romulus1_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 32) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x18); + } else if (temp > 16) { + /* Left-over partial double block */ + unsigned char pad[16]; + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, 15 - temp); + pad[15] = temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus1_set_domain(ks, 0x18); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus1_set_domain(ks, 0x1A); + } + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus2_set_domain(ks, 0x48); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus2_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x58); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus2_set_domain(ks, 0x58); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus2_set_domain(ks, 0x5A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus3_set_domain(ks, 0x88); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus3_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x98); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus3_set_domain(ks, 0x98); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus3_set_domain(ks, 0x9A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Determine the domain separation value to use on the last + * block of the associated data processing. + * + * \param adlen Length of the associated data in bytes. + * \param mlen Length of the message in bytes. + * \param t Size of the second half of a double block; 12 or 16. + * + * \return The domain separation bits to use to finalize the last block. + */ +static uint8_t romulus_m_final_ad_domain + (unsigned long long adlen, unsigned long long mlen, unsigned t) +{ + uint8_t domain = 0; + unsigned split = 16U; + unsigned leftover; + + /* Determine which domain bits we need based on the length of the ad */ + if (adlen == 0) { + /* No associated data, so only 1 block with padding */ + domain ^= 0x02; + split = t; + } else { + /* Even or odd associated data length? */ + leftover = (unsigned)(adlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x08; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x02; + split = t; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x0A; + } else { + /* Odd with a full single block at the end */ + split = t; + } + } + + /* Determine which domain bits we need based on the length of the message */ + if (mlen == 0) { + /* No message, so only 1 block with padding */ + domain ^= 0x01; + } else { + /* Even or odd message length? */ + leftover = (unsigned)(mlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x04; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x01; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x05; + } + } + return domain; +} + +/** + * \brief Process the asssociated data for Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char pad[16]; + uint8_t final_domain = 0x30; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); + + /* Process all associated data double blocks except the last */ + romulus1_set_domain(ks, 0x28); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 32) { + /* Last associated data double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus1_set_domain(ks, 0x2C); + romulus1_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + romulus1_update_counter(ks->TK1); + m += 16; + mlen -= 16; + } else if (mlen == 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + m += 16; + mlen -= 16; + } else { + temp = (unsigned)mlen; + memcpy(pad, m, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus1_set_domain(ks, 0x2C); + while (mlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + romulus1_update_counter(ks->TK1); + m += 32; + mlen -= 32; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 32) { + /* Last message double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(pad, m + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus1_set_domain(ks, final_domain); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0x70; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus2_set_domain(ks, 0x68); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus2_set_domain(ks, 0x6C); + romulus2_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus2_set_domain(ks, 0x6C); + while (mlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus2_set_domain(ks, final_domain); + romulus2_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0xB0; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus3_set_domain(ks, 0xA8); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus3_set_domain(ks, 0xAC); + romulus3_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus3_set_domain(ks, 0xAC); + while (mlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus3_set_domain(ks, final_domain); + romulus3_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Applies the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + */ +STATIC_INLINE void romulus_rho + (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } +} + +/** + * \brief Applies the inverse of the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + */ +STATIC_INLINE void romulus_rho_inverse + (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } +} + +/** + * \brief Applies the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_short + (unsigned char S[16], unsigned char C[16], + const unsigned char M[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Applies the inverse of the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_inverse_short + (unsigned char S[16], unsigned char M[16], + const unsigned char C[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Encrypts a plaintext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho(S, c, m); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho_inverse(S, m, c); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho(S, c, m); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho_inverse(S, m, c); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho(S, c, m); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho_inverse(S, m, c); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Generates the authentication tag from the rolling Romulus state. + * + * \param T Buffer to receive the generated tag; can be the same as S. + * \param S The rolling Romulus state. + */ +STATIC_INLINE void romulus_generate_tag + (unsigned char T[16], const unsigned char S[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7); + } +} + +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n1_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n1_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n2_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n2_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n3_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n3_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m1_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m1_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m2_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m2_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m3_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m3_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} diff --git a/romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.h b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.h new file mode 100644 index 0000000..e6da29d --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1v12/rhys/romulus.h @@ -0,0 +1,476 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ROMULUS_H +#define LWCRYPTO_ROMULUS_H + +#include "aead-common.h" + +/** + * \file romulus.h + * \brief Romulus authenticated encryption algorithm family. + * + * Romulus is a family of authenticated encryption algorithms that + * are built around the SKINNY-128 tweakable block cipher. There + * are six members in the family: + * + * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The Romulus-M variants are resistant to nonce reuse as long as the + * combination of the associated data and plaintext is unique. If the + * same associated data and plaintext are reused under the same nonce, + * then the scheme will leak that the same plaintext has been sent for a + * second time but will not reveal the plaintext itself. + * + * References: https://romulusae.github.io/romulus/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all Romulus family members. + */ +#define ROMULUS_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all Romulus family members. + */ +#define ROMULUS_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N1 and Romulus-M1. + */ +#define ROMULUS1_NONCE_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N2 and Romulus-M2. + */ +#define ROMULUS2_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for Romulus-N3 and Romulus-M3. + */ +#define ROMULUS3_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Romulus-N1 cipher. + */ +extern aead_cipher_t const romulus_n1_cipher; + +/** + * \brief Meta-information block for the Romulus-N2 cipher. + */ +extern aead_cipher_t const romulus_n2_cipher; + +/** + * \brief Meta-information block for the Romulus-N3 cipher. + */ +extern aead_cipher_t const romulus_n3_cipher; + +/** + * \brief Meta-information block for the Romulus-M1 cipher. + */ +extern aead_cipher_t const romulus_m1_cipher; + +/** + * \brief Meta-information block for the Romulus-M2 cipher. + */ +extern aead_cipher_t const romulus_m2_cipher; + +/** + * \brief Meta-information block for the Romulus-M3 cipher. + */ +extern aead_cipher_t const romulus_m3_cipher; + +/** + * \brief Encrypts and authenticates a packet with Romulus-N1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n1_aead_decrypt() + */ +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n1_aead_encrypt() + */ +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n2_aead_decrypt() + */ +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n2_aead_encrypt() + */ +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n3_aead_decrypt() + */ +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n3_aead_encrypt() + */ +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m1_aead_decrypt() + */ +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m1_aead_encrypt() + */ +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m2_aead_decrypt() + */ +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m2_aead_encrypt() + */ +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m3_aead_decrypt() + */ +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m3_aead_encrypt() + */ +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.c b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.h b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/api.h b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/encrypt.c b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/encrypt.c new file mode 100644 index 0000000..275a53c --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "romulus.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_n2_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_n2_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.c new file mode 100644 index 0000000..be1c0fa --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.c @@ -0,0 +1,1963 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "romulus.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const romulus_n1_cipher = { + "Romulus-N1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n1_aead_encrypt, + romulus_n1_aead_decrypt +}; + +aead_cipher_t const romulus_n2_cipher = { + "Romulus-N2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n2_aead_encrypt, + romulus_n2_aead_decrypt +}; + +aead_cipher_t const romulus_n3_cipher = { + "Romulus-N3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n3_aead_encrypt, + romulus_n3_aead_decrypt +}; + +aead_cipher_t const romulus_m1_cipher = { + "Romulus-M1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m1_aead_encrypt, + romulus_m1_aead_decrypt +}; + +aead_cipher_t const romulus_m2_cipher = { + "Romulus-M2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m2_aead_encrypt, + romulus_m2_aead_decrypt +}; + +aead_cipher_t const romulus_m3_cipher = { + "Romulus-M3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m3_aead_encrypt, + romulus_m3_aead_decrypt +}; + +/** + * \brief Limit on the number of bytes of message or associated data (128Mb). + * + * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for + * payloads well into the petabyte range. It is unlikely that an embedded + * device will have that much memory to store a contiguous packet! + * + * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper + * 24 bits are difficult to modify in the key schedule. So we only + * update the low 24 bits and leave the high 24 bits fixed. + * + * Romulus-N3 and Romulus-M3 use a 24-bit block counter. + * + * For all algorithms, we limit the block counter to 2^23 so that the block + * counter can never exceed 2^24 - 1. + */ +#define ROMULUS_DATA_LIMIT \ + ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE)) + +/** + * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 16 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus1_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + if (npub) + memcpy(TK, npub, 16); + else + memset(TK, 0, 16); + memcpy(TK + 16, k, 16); + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ +} + +/** + * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus2_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + memcpy(TK, k, 16); + memset(TK + 16, 0, 16); + TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus3_init + (skinny_128_256_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + skinny_128_256_init(ks, k, 16); + ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Sets the domain separation value for Romulus-N1 and M1. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N2 and M2. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N3 and M3. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7); + TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7); + TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7); + TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7); + TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x95); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + * + * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of + * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. + */ +STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) + +/** + * \brief Process the asssociated data for Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + skinny_128_384_encrypt_tk2(ks, S, S, npub); + return; + } + + /* Process all double blocks except the last */ + romulus1_set_domain(ks, 0x08); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Pad and process the left-over blocks */ + romulus1_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 32) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x18); + } else if (temp > 16) { + /* Left-over partial double block */ + unsigned char pad[16]; + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, 15 - temp); + pad[15] = temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus1_set_domain(ks, 0x18); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus1_set_domain(ks, 0x1A); + } + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus2_set_domain(ks, 0x48); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus2_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x58); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus2_set_domain(ks, 0x58); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus2_set_domain(ks, 0x5A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus3_set_domain(ks, 0x88); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus3_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x98); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus3_set_domain(ks, 0x98); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus3_set_domain(ks, 0x9A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Determine the domain separation value to use on the last + * block of the associated data processing. + * + * \param adlen Length of the associated data in bytes. + * \param mlen Length of the message in bytes. + * \param t Size of the second half of a double block; 12 or 16. + * + * \return The domain separation bits to use to finalize the last block. + */ +static uint8_t romulus_m_final_ad_domain + (unsigned long long adlen, unsigned long long mlen, unsigned t) +{ + uint8_t domain = 0; + unsigned split = 16U; + unsigned leftover; + + /* Determine which domain bits we need based on the length of the ad */ + if (adlen == 0) { + /* No associated data, so only 1 block with padding */ + domain ^= 0x02; + split = t; + } else { + /* Even or odd associated data length? */ + leftover = (unsigned)(adlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x08; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x02; + split = t; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x0A; + } else { + /* Odd with a full single block at the end */ + split = t; + } + } + + /* Determine which domain bits we need based on the length of the message */ + if (mlen == 0) { + /* No message, so only 1 block with padding */ + domain ^= 0x01; + } else { + /* Even or odd message length? */ + leftover = (unsigned)(mlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x04; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x01; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x05; + } + } + return domain; +} + +/** + * \brief Process the asssociated data for Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char pad[16]; + uint8_t final_domain = 0x30; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); + + /* Process all associated data double blocks except the last */ + romulus1_set_domain(ks, 0x28); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 32) { + /* Last associated data double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus1_set_domain(ks, 0x2C); + romulus1_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + romulus1_update_counter(ks->TK1); + m += 16; + mlen -= 16; + } else if (mlen == 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + m += 16; + mlen -= 16; + } else { + temp = (unsigned)mlen; + memcpy(pad, m, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus1_set_domain(ks, 0x2C); + while (mlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + romulus1_update_counter(ks->TK1); + m += 32; + mlen -= 32; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 32) { + /* Last message double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(pad, m + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus1_set_domain(ks, final_domain); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0x70; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus2_set_domain(ks, 0x68); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus2_set_domain(ks, 0x6C); + romulus2_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus2_set_domain(ks, 0x6C); + while (mlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus2_set_domain(ks, final_domain); + romulus2_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0xB0; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus3_set_domain(ks, 0xA8); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus3_set_domain(ks, 0xAC); + romulus3_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus3_set_domain(ks, 0xAC); + while (mlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus3_set_domain(ks, final_domain); + romulus3_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Applies the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + */ +STATIC_INLINE void romulus_rho + (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } +} + +/** + * \brief Applies the inverse of the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + */ +STATIC_INLINE void romulus_rho_inverse + (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } +} + +/** + * \brief Applies the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_short + (unsigned char S[16], unsigned char C[16], + const unsigned char M[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Applies the inverse of the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_inverse_short + (unsigned char S[16], unsigned char M[16], + const unsigned char C[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Encrypts a plaintext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho(S, c, m); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho_inverse(S, m, c); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho(S, c, m); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho_inverse(S, m, c); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho(S, c, m); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho_inverse(S, m, c); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Generates the authentication tag from the rolling Romulus state. + * + * \param T Buffer to receive the generated tag; can be the same as S. + * \param S The rolling Romulus state. + */ +STATIC_INLINE void romulus_generate_tag + (unsigned char T[16], const unsigned char S[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7); + } +} + +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n1_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n1_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n2_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n2_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n3_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n3_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m1_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m1_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m2_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m2_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m3_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m3_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} diff --git a/romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.h b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.h new file mode 100644 index 0000000..e6da29d --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn2v12/rhys/romulus.h @@ -0,0 +1,476 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ROMULUS_H +#define LWCRYPTO_ROMULUS_H + +#include "aead-common.h" + +/** + * \file romulus.h + * \brief Romulus authenticated encryption algorithm family. + * + * Romulus is a family of authenticated encryption algorithms that + * are built around the SKINNY-128 tweakable block cipher. There + * are six members in the family: + * + * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The Romulus-M variants are resistant to nonce reuse as long as the + * combination of the associated data and plaintext is unique. If the + * same associated data and plaintext are reused under the same nonce, + * then the scheme will leak that the same plaintext has been sent for a + * second time but will not reveal the plaintext itself. + * + * References: https://romulusae.github.io/romulus/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all Romulus family members. + */ +#define ROMULUS_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all Romulus family members. + */ +#define ROMULUS_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N1 and Romulus-M1. + */ +#define ROMULUS1_NONCE_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N2 and Romulus-M2. + */ +#define ROMULUS2_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for Romulus-N3 and Romulus-M3. + */ +#define ROMULUS3_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Romulus-N1 cipher. + */ +extern aead_cipher_t const romulus_n1_cipher; + +/** + * \brief Meta-information block for the Romulus-N2 cipher. + */ +extern aead_cipher_t const romulus_n2_cipher; + +/** + * \brief Meta-information block for the Romulus-N3 cipher. + */ +extern aead_cipher_t const romulus_n3_cipher; + +/** + * \brief Meta-information block for the Romulus-M1 cipher. + */ +extern aead_cipher_t const romulus_m1_cipher; + +/** + * \brief Meta-information block for the Romulus-M2 cipher. + */ +extern aead_cipher_t const romulus_m2_cipher; + +/** + * \brief Meta-information block for the Romulus-M3 cipher. + */ +extern aead_cipher_t const romulus_m3_cipher; + +/** + * \brief Encrypts and authenticates a packet with Romulus-N1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n1_aead_decrypt() + */ +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n1_aead_encrypt() + */ +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n2_aead_decrypt() + */ +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n2_aead_encrypt() + */ +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n3_aead_decrypt() + */ +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n3_aead_encrypt() + */ +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m1_aead_decrypt() + */ +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m1_aead_encrypt() + */ +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m2_aead_decrypt() + */ +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m2_aead_encrypt() + */ +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m3_aead_decrypt() + */ +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m3_aead_encrypt() + */ +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.c b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.h b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/api.h b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/encrypt.c b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/encrypt.c new file mode 100644 index 0000000..a522291 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "romulus.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_n3_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return romulus_n3_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.c new file mode 100644 index 0000000..be1c0fa --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.c @@ -0,0 +1,1963 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "romulus.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const romulus_n1_cipher = { + "Romulus-N1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n1_aead_encrypt, + romulus_n1_aead_decrypt +}; + +aead_cipher_t const romulus_n2_cipher = { + "Romulus-N2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n2_aead_encrypt, + romulus_n2_aead_decrypt +}; + +aead_cipher_t const romulus_n3_cipher = { + "Romulus-N3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_n3_aead_encrypt, + romulus_n3_aead_decrypt +}; + +aead_cipher_t const romulus_m1_cipher = { + "Romulus-M1", + ROMULUS_KEY_SIZE, + ROMULUS1_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m1_aead_encrypt, + romulus_m1_aead_decrypt +}; + +aead_cipher_t const romulus_m2_cipher = { + "Romulus-M2", + ROMULUS_KEY_SIZE, + ROMULUS2_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m2_aead_encrypt, + romulus_m2_aead_decrypt +}; + +aead_cipher_t const romulus_m3_cipher = { + "Romulus-M3", + ROMULUS_KEY_SIZE, + ROMULUS3_NONCE_SIZE, + ROMULUS_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + romulus_m3_aead_encrypt, + romulus_m3_aead_decrypt +}; + +/** + * \brief Limit on the number of bytes of message or associated data (128Mb). + * + * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for + * payloads well into the petabyte range. It is unlikely that an embedded + * device will have that much memory to store a contiguous packet! + * + * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper + * 24 bits are difficult to modify in the key schedule. So we only + * update the low 24 bits and leave the high 24 bits fixed. + * + * Romulus-N3 and Romulus-M3 use a 24-bit block counter. + * + * For all algorithms, we limit the block counter to 2^23 so that the block + * counter can never exceed 2^24 - 1. + */ +#define ROMULUS_DATA_LIMIT \ + ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE)) + +/** + * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 16 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus1_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + if (npub) + memcpy(TK, npub, 16); + else + memset(TK, 0, 16); + memcpy(TK + 16, k, 16); + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ +} + +/** + * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus2_init + (skinny_128_384_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + unsigned char TK[32]; + memcpy(TK, k, 16); + memset(TK + 16, 0, 16); + TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + skinny_128_384_init(ks, TK, sizeof(TK)); + ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3. + * + * \param ks Points to the key schedule to initialize. + * \param k Points to the 16 bytes of the key. + * \param npub Points to the 12 bytes of the nonce. May be NULL + * if the nonce will be updated on the fly. + */ +static void romulus3_init + (skinny_128_256_key_schedule_t *ks, + const unsigned char *k, const unsigned char *npub) +{ + skinny_128_256_init(ks, k, 16); + ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) + memcpy(ks->TK1 + 4, npub, 12); +} + +/** + * \brief Sets the domain separation value for Romulus-N1 and M1. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N2 and M2. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Sets the domain separation value for Romulus-N3 and M3. + * + * \param ks The key schedule to set the domain separation value into. + * \param domain The domain separation value. + */ +#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) + +/** + * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7); + TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7); + TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7); + TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7); + TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x95); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + * + * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of + * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. + */ +STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) + +/** + * \brief Process the asssociated data for Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + skinny_128_384_encrypt_tk2(ks, S, S, npub); + return; + } + + /* Process all double blocks except the last */ + romulus1_set_domain(ks, 0x08); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Pad and process the left-over blocks */ + romulus1_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 32) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x18); + } else if (temp > 16) { + /* Left-over partial double block */ + unsigned char pad[16]; + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, 15 - temp); + pad[15] = temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus1_set_domain(ks, 0x18); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus1_set_domain(ks, 0x1A); + } + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus2_set_domain(ks, 0x48); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus2_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x58); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus2_set_domain(ks, 0x58); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus2_set_domain(ks, 0x5A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus3_set_domain(ks, 0x88); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus3_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x98); + } else if (temp > 16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus3_set_domain(ks, 0x98); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus3_set_domain(ks, 0x9A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Determine the domain separation value to use on the last + * block of the associated data processing. + * + * \param adlen Length of the associated data in bytes. + * \param mlen Length of the message in bytes. + * \param t Size of the second half of a double block; 12 or 16. + * + * \return The domain separation bits to use to finalize the last block. + */ +static uint8_t romulus_m_final_ad_domain + (unsigned long long adlen, unsigned long long mlen, unsigned t) +{ + uint8_t domain = 0; + unsigned split = 16U; + unsigned leftover; + + /* Determine which domain bits we need based on the length of the ad */ + if (adlen == 0) { + /* No associated data, so only 1 block with padding */ + domain ^= 0x02; + split = t; + } else { + /* Even or odd associated data length? */ + leftover = (unsigned)(adlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x08; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x02; + split = t; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x0A; + } else { + /* Odd with a full single block at the end */ + split = t; + } + } + + /* Determine which domain bits we need based on the length of the message */ + if (mlen == 0) { + /* No message, so only 1 block with padding */ + domain ^= 0x01; + } else { + /* Even or odd message length? */ + leftover = (unsigned)(mlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x04; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x01; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x05; + } + } + return domain; +} + +/** + * \brief Process the asssociated data for Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char pad[16]; + uint8_t final_domain = 0x30; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); + + /* Process all associated data double blocks except the last */ + romulus1_set_domain(ks, 0x28); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 32) { + /* Last associated data double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus1_set_domain(ks, 0x2C); + romulus1_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + romulus1_update_counter(ks->TK1); + m += 16; + mlen -= 16; + } else if (mlen == 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + m += 16; + mlen -= 16; + } else { + temp = (unsigned)mlen; + memcpy(pad, m, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus1_set_domain(ks, 0x2C); + while (mlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + romulus1_update_counter(ks->TK1); + m += 32; + mlen -= 32; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 32) { + /* Last message double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(pad, m + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus1_set_domain(ks, final_domain); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0x70; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus2_set_domain(ks, 0x68); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus2_set_domain(ks, 0x6C); + romulus2_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus2_set_domain(ks, 0x6C); + while (mlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus2_set_domain(ks, final_domain); + romulus2_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0xB0; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus3_set_domain(ks, 0xA8); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else { + /* Last associated data block is single. Needs to be combined + * with the first block of the message payload */ + romulus3_set_domain(ks, 0xAC); + romulus3_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus3_set_domain(ks, 0xAC); + while (mlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus3_set_domain(ks, final_domain); + romulus3_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Applies the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + */ +STATIC_INLINE void romulus_rho + (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } +} + +/** + * \brief Applies the inverse of the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + */ +STATIC_INLINE void romulus_rho_inverse + (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } +} + +/** + * \brief Applies the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_short + (unsigned char S[16], unsigned char C[16], + const unsigned char M[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Applies the inverse of the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_inverse_short + (unsigned char S[16], unsigned char M[16], + const unsigned char C[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Encrypts a plaintext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho(S, c, m); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho_inverse(S, m, c); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho(S, c, m); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho_inverse(S, m, c); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho(S, c, m); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho_inverse(S, m, c); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus3_set_domain(ks, 0xA4); + while (mlen > 16) { + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_256_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Generates the authentication tag from the rolling Romulus state. + * + * \param T Buffer to receive the generated tag; can be the same as S. + * \param S The rolling Romulus state. + */ +STATIC_INLINE void romulus_generate_tag + (unsigned char T[16], const unsigned char S[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7); + } +} + +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n1_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n1_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n1_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n2_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n2_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n2_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypts the plaintext to produce the ciphertext */ + romulus_n3_encrypt(&ks, S, c, m, mlen); + + /* Generate the authentication tag */ + romulus_generate_tag(c + mlen, S); + return 0; +} + +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_n3_process_ad(&ks, S, npub, ad, adlen); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= ROMULUS_TAG_SIZE; + romulus_n3_decrypt(&ks, S, m, c, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m1_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus1_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m1_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus1_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m2_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus2_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m2_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus2_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} + +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data and the plaintext message */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen); + + /* Generate the authentication tag, which is also the initialization + * vector for the encryption portion of the packet processing */ + romulus_generate_tag(S, S); + memcpy(c + mlen, S, ROMULUS_TAG_SIZE); + + /* Re-initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Encrypt the plaintext to produce the ciphertext */ + romulus_m3_encrypt(&ks, S, c, m, mlen); + return 0; +} + +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char S[16]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ROMULUS_TAG_SIZE) + return -1; + *mlen = clen - ROMULUS_TAG_SIZE; + + /* Validate the length of the associated data and message */ + if (adlen > ROMULUS_DATA_LIMIT || + clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) + return -2; + + /* Initialize the key schedule with the key and nonce */ + romulus3_init(&ks, k, npub); + + /* Decrypt the ciphertext to produce the plaintext, using the + * authentication tag as the initialization vector for decryption */ + clen -= ROMULUS_TAG_SIZE; + memcpy(S, c + clen, ROMULUS_TAG_SIZE); + romulus_m3_decrypt(&ks, S, m, c, clen); + + /* Re-initialize the key schedule with the key and no nonce. Associated + * data processing varies the nonce from block to block */ + romulus3_init(&ks, k, 0); + + /* Process the associated data */ + memset(S, 0, sizeof(S)); + romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen); + + /* Check the authentication tag */ + romulus_generate_tag(S, S); + return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); +} diff --git a/romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.h b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.h new file mode 100644 index 0000000..e6da29d --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn3v12/rhys/romulus.h @@ -0,0 +1,476 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_ROMULUS_H +#define LWCRYPTO_ROMULUS_H + +#include "aead-common.h" + +/** + * \file romulus.h + * \brief Romulus authenticated encryption algorithm family. + * + * Romulus is a family of authenticated encryption algorithms that + * are built around the SKINNY-128 tweakable block cipher. There + * are six members in the family: + * + * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The Romulus-M variants are resistant to nonce reuse as long as the + * combination of the associated data and plaintext is unique. If the + * same associated data and plaintext are reused under the same nonce, + * then the scheme will leak that the same plaintext has been sent for a + * second time but will not reveal the plaintext itself. + * + * References: https://romulusae.github.io/romulus/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all Romulus family members. + */ +#define ROMULUS_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all Romulus family members. + */ +#define ROMULUS_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N1 and Romulus-M1. + */ +#define ROMULUS1_NONCE_SIZE 16 + +/** + * \brief Size of the nonce for Romulus-N2 and Romulus-M2. + */ +#define ROMULUS2_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for Romulus-N3 and Romulus-M3. + */ +#define ROMULUS3_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the Romulus-N1 cipher. + */ +extern aead_cipher_t const romulus_n1_cipher; + +/** + * \brief Meta-information block for the Romulus-N2 cipher. + */ +extern aead_cipher_t const romulus_n2_cipher; + +/** + * \brief Meta-information block for the Romulus-N3 cipher. + */ +extern aead_cipher_t const romulus_n3_cipher; + +/** + * \brief Meta-information block for the Romulus-M1 cipher. + */ +extern aead_cipher_t const romulus_m1_cipher; + +/** + * \brief Meta-information block for the Romulus-M2 cipher. + */ +extern aead_cipher_t const romulus_m2_cipher; + +/** + * \brief Meta-information block for the Romulus-M3 cipher. + */ +extern aead_cipher_t const romulus_m3_cipher; + +/** + * \brief Encrypts and authenticates a packet with Romulus-N1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n1_aead_decrypt() + */ +int romulus_n1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n1_aead_encrypt() + */ +int romulus_n1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n2_aead_decrypt() + */ +int romulus_n2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n2_aead_encrypt() + */ +int romulus_n2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-N3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_n3_aead_decrypt() + */ +int romulus_n3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-N3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_n3_aead_encrypt() + */ +int romulus_n3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m1_aead_decrypt() + */ +int romulus_m1_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m1_aead_encrypt() + */ +int romulus_m1_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m2_aead_decrypt() + */ +int romulus_m2_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m2_aead_encrypt() + */ +int romulus_m2_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Romulus-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa romulus_m3_aead_decrypt() + */ +int romulus_m3_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Romulus-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa romulus_m3_aead_encrypt() + */ +int romulus_m3_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.c b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.h b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/api.h b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/api.h new file mode 100644 index 0000000..75fabd7 --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 32 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 32 +#define CRYPTO_NOOVERLAP 1 diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/encrypt.c b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/encrypt.c new file mode 100644 index 0000000..9ce5559 --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "saturnin.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return saturnin_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return saturnin_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/internal-util.h b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.c b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.c new file mode 100644 index 0000000..734fc69 --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.c @@ -0,0 +1,781 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "saturnin.h" +#include "internal-util.h" +#include + +aead_cipher_t const saturnin_cipher = { + "SATURNIN-CTR-Cascade", + SATURNIN_KEY_SIZE, + SATURNIN_NONCE_SIZE, + SATURNIN_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + saturnin_aead_encrypt, + saturnin_aead_decrypt +}; + +aead_cipher_t const saturnin_short_cipher = { + "SATURNIN-Short", + SATURNIN_KEY_SIZE, + SATURNIN_NONCE_SIZE, + SATURNIN_TAG_SIZE, + AEAD_FLAG_NONE, + saturnin_short_aead_encrypt, + saturnin_short_aead_decrypt +}; + +aead_hash_algorithm_t const saturnin_hash_algorithm = { + "SATURNIN-Hash", + sizeof(saturnin_hash_state_t), + SATURNIN_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + saturnin_hash, + (aead_hash_init_t)saturnin_hash_init, + (aead_hash_update_t)saturnin_hash_update, + (aead_hash_finalize_t)saturnin_hash_finalize, + 0, /* absorb */ + 0 /* squeeze */ +}; + +/* Round constant tables for various combinations of rounds and domain_sep */ +static uint32_t const RC_10_1[] = { + 0x4eb026c2, 0x90595303, 0xaa8fe632, 0xfe928a92, 0x4115a419, + 0x93539532, 0x5db1cc4e, 0x541515ca, 0xbd1f55a8, 0x5a6e1a0d +}; +static uint32_t const RC_10_2[] = { + 0x4e4526b5, 0xa3565ff0, 0x0f8f20d8, 0x0b54bee1, 0x7d1a6c9d, + 0x17a6280a, 0xaa46c986, 0xc1199062, 0x182c5cde, 0xa00d53fe +}; +static uint32_t const RC_10_3[] = { + 0x4e162698, 0xb2535ba1, 0x6c8f9d65, 0x5816ad30, 0x691fd4fa, + 0x6bf5bcf9, 0xf8eb3525, 0xb21decfa, 0x7b3da417, 0xf62c94b4 +}; +static uint32_t const RC_10_4[] = { + 0x4faf265b, 0xc5484616, 0x45dcad21, 0xe08bd607, 0x0504fdb8, + 0x1e1f5257, 0x45fbc216, 0xeb529b1f, 0x52194e32, 0x5498c018 +}; +static uint32_t const RC_10_5[] = { + 0x4ffc2676, 0xd44d4247, 0x26dc109c, 0xb3c9c5d6, 0x110145df, + 0x624cc6a4, 0x17563eb5, 0x9856e787, 0x3108b6fb, 0x02b90752 +}; +static uint32_t const RC_10_6[] = { + 0x4f092601, 0xe7424eb4, 0x83dcd676, 0x460ff1a5, 0x2d0e8d5b, + 0xe6b97b9c, 0xe0a13b7d, 0x0d5a622f, 0x943bbf8d, 0xf8da4ea1 +}; +static uint32_t const RC_16_7[] = { + 0x3fba180c, 0x563ab9ab, 0x125ea5ef, 0x859da26c, 0xb8cf779b, + 0x7d4de793, 0x07efb49f, 0x8d525306, 0x1e08e6ab, 0x41729f87, + 0x8c4aef0a, 0x4aa0c9a7, 0xd93a95ef, 0xbb00d2af, 0xb62c5bf0, + 0x386d94d8 +}; +static uint32_t const RC_16_8[] = { + 0x3c9b19a7, 0xa9098694, 0x23f878da, 0xa7b647d3, 0x74fc9d78, + 0xeacaae11, 0x2f31a677, 0x4cc8c054, 0x2f51ca05, 0x5268f195, + 0x4f5b8a2b, 0xf614b4ac, 0xf1d95401, 0x764d2568, 0x6a493611, + 0x8eef9c3e +}; + +/* Rotate the 4-bit nibbles within a 16-bit word left */ +#define leftRotate4_N(a, mask1, bits1, mask2, bits2) \ + do { \ + uint32_t _temp = (a); \ + (a) = ((_temp & (mask1)) << (bits1)) | \ + ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (4 - (bits1))) | \ + ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \ + ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (4 - (bits2))); \ + } while (0) + +/* Rotate 16-bit subwords left */ +#define leftRotate16_N(a, mask1, bits1, mask2, bits2) \ + do { \ + uint32_t _temp = (a); \ + (a) = ((_temp & (mask1)) << (bits1)) | \ + ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (16 - (bits1))) | \ + ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \ + ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (16 - (bits2))); \ + } while (0) + +/* XOR the SATURNIN state with the key */ +#define saturnin_xor_key() \ + do { \ + for (index = 0; index < 8; ++index) \ + S[index] ^= K[index]; \ + } while (0) + +/* XOR the SATURNIN state with a rotated version of the key */ +#define saturnin_xor_key_rotated() \ + do { \ + for (index = 0; index < 8; ++index) \ + S[index] ^= K[index + 8]; \ + } while (0) + +/* Apply an SBOX layer for SATURNIN - definition from the specification */ +#define S_LAYER(a, b, c, d) \ + do { \ + (a) ^= (b) & (c); \ + (b) ^= (a) | (d); \ + (d) ^= (b) | (c); \ + (c) ^= (b) & (d); \ + (b) ^= (a) | (c); \ + (a) ^= (b) | (d); \ + } while (0) + +/* Apply an SBOX layer for SATURNIN in reverse */ +#define S_LAYER_INVERSE(a, b, c, d) \ + do { \ + (a) ^= (b) | (d); \ + (b) ^= (a) | (c); \ + (c) ^= (b) & (d); \ + (d) ^= (b) | (c); \ + (b) ^= (a) | (d); \ + (a) ^= (b) & (c); \ + } while (0) + +/** + * \brief Applies the SBOX to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_sbox(uint32_t S[8]) +{ + uint32_t a, b, c, d; + + /* PI_0 on the first half of the state */ + a = S[0]; b = S[1]; c = S[2]; d = S[3]; + S_LAYER(a, b, c, d); + S[0] = b; S[1] = c; S[2] = d; S[3] = a; + + /* PI_1 on the second half of the state */ + a = S[4]; b = S[5]; c = S[6]; d = S[7]; + S_LAYER(a, b, c, d); + S[4] = d; S[5] = b; S[6] = a; S[7] = c; +} + +/** + * \brief Applies the inverse of the SBOX to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_sbox_inverse(uint32_t S[8]) +{ + uint32_t a, b, c, d; + + /* PI_0 on the first half of the state */ + b = S[0]; c = S[1]; d = S[2]; a = S[3]; + S_LAYER_INVERSE(a, b, c, d); + S[0] = a; S[1] = b; S[2] = c; S[3] = d; + + /* PI_1 on the second half of the state */ + d = S[4]; b = S[5]; a = S[6]; c = S[7]; + S_LAYER_INVERSE(a, b, c, d); + S[4] = a; S[5] = b; S[6] = c; S[7] = d; +} + +/** + * \brief Applies the MDS matrix to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_mds(uint32_t S[8]) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t tmp; + + /* Load the state into temporary working variables */ + x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3]; + x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7]; + + /* Apply the MDS matrix to the state */ + #define SWAP(a) (((a) << 16) | ((a) >> 16)) + #define MUL(x0, x1, x2, x3, tmp) \ + do { \ + tmp = x0; x0 = x1; x1 = x2; x2 = x3; x3 = tmp ^ x0; \ + } while (0) + x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; + MUL(x4, x5, x6, x7, tmp); + x4 ^= SWAP(x0); x5 ^= SWAP(x1); + x6 ^= SWAP(x2); x7 ^= SWAP(x3); + MUL(x0, x1, x2, x3, tmp); + MUL(x0, x1, x2, x3, tmp); + x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; + x4 ^= SWAP(x0); x5 ^= SWAP(x1); + x6 ^= SWAP(x2); x7 ^= SWAP(x3); + + /* Store the temporary working variables back into the state */ + S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3; + S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7; +} + +/** + * \brief Applies the inverse of the MDS matrix to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_mds_inverse(uint32_t S[8]) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t tmp; + + /* Load the state into temporary working variables */ + x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3]; + x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7]; + + /* Apply the inverse of the MDS matrix to the state */ + #define MULINV(x0, x1, x2, x3, tmp) \ + do { \ + tmp = x3; x3 = x2; x2 = x1; x1 = x0; x0 = x1 ^ tmp; \ + } while (0) + x6 ^= SWAP(x2); x7 ^= SWAP(x3); + x4 ^= SWAP(x0); x5 ^= SWAP(x1); + x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; + MULINV(x0, x1, x2, x3, tmp); + MULINV(x0, x1, x2, x3, tmp); + x6 ^= SWAP(x2); x7 ^= SWAP(x3); + x4 ^= SWAP(x0); x5 ^= SWAP(x1); + MULINV(x4, x5, x6, x7, tmp); + x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; + + /* Store the temporary working variables back into the state */ + S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3; + S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7; +} + +/** + * \brief Applies the slice permutation to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_slice(uint32_t S[8]) +{ + leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2); + + leftRotate4_N(S[4], 0x7777U, 1, 0x1111, 3); + leftRotate4_N(S[5], 0x7777U, 1, 0x1111, 3); + leftRotate4_N(S[6], 0x7777U, 1, 0x1111, 3); + leftRotate4_N(S[7], 0x7777U, 1, 0x1111, 3); +} + +/** + * \brief Applies the inverse of the slice permutation to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_slice_inverse(uint32_t S[8]) +{ + leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2); + + leftRotate4_N(S[4], 0x1111U, 3, 0x7777, 1); + leftRotate4_N(S[5], 0x1111U, 3, 0x7777, 1); + leftRotate4_N(S[6], 0x1111U, 3, 0x7777, 1); + leftRotate4_N(S[7], 0x1111U, 3, 0x7777, 1); +} + +/** + * \brief Applies the sheet permutation to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_sheet(uint32_t S[8]) +{ + leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8); + + leftRotate16_N(S[4], 0x0FFFU, 4, 0x000F, 12); + leftRotate16_N(S[5], 0x0FFFU, 4, 0x000F, 12); + leftRotate16_N(S[6], 0x0FFFU, 4, 0x000F, 12); + leftRotate16_N(S[7], 0x0FFFU, 4, 0x000F, 12); +} + +/** + * \brief Applies the inverse of the sheet permutation to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_sheet_inverse(uint32_t S[8]) +{ + leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8); + + leftRotate16_N(S[4], 0x000FU, 12, 0x0FFF, 4); + leftRotate16_N(S[5], 0x000FU, 12, 0x0FFF, 4); + leftRotate16_N(S[6], 0x000FU, 12, 0x0FFF, 4); + leftRotate16_N(S[7], 0x000FU, 12, 0x0FFF, 4); +} + +/** + * \brief Encrypts a 256-bit block with the SATURNIN block cipher. + * + * \param output Ciphertext output block, 32 bytes. + * \param input Plaintext input block, 32 bytes. + * \param key Points to the 32 byte key for the block cipher. + * \param rounds Number of rounds to perform. + * \param RC Round constants to use for domain separation. + * + * The \a input and \a output buffers can be the same. + * + * \sa saturnin_block_decrypt() + */ +static void saturnin_block_encrypt + (unsigned char *output, const unsigned char *input, + const unsigned char *key, unsigned rounds, const uint32_t *RC) +{ + uint32_t K[16]; + uint32_t S[8]; + uint32_t temp; + unsigned index; + + /* Unpack the key and the input block */ + for (index = 0; index < 16; index += 2) { + temp = ((uint32_t)(key[index])) | + (((uint32_t)(key[index + 1])) << 8) | + (((uint32_t)(key[index + 16])) << 16) | + (((uint32_t)(key[index + 17])) << 24); + K[index / 2] = temp; + K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) | + ((temp >> 5) & 0x07FF07FFU); + S[index / 2] = ((uint32_t)(input[index])) | + (((uint32_t)(input[index + 1])) << 8) | + (((uint32_t)(input[index + 16])) << 16) | + (((uint32_t)(input[index + 17])) << 24); + } + + /* XOR the key into the state */ + saturnin_xor_key(); + + /* Perform all encryption rounds */ + for (; rounds > 0; rounds -= 2, RC += 2) { + saturnin_sbox(S); + saturnin_mds(S); + saturnin_sbox(S); + saturnin_slice(S); + saturnin_mds(S); + saturnin_slice_inverse(S); + S[0] ^= RC[0]; + saturnin_xor_key_rotated(); + + saturnin_sbox(S); + saturnin_mds(S); + saturnin_sbox(S); + saturnin_sheet(S); + saturnin_mds(S); + saturnin_sheet_inverse(S); + S[0] ^= RC[1]; + saturnin_xor_key(); + } + + /* Encode the state into the output block */ + for (index = 0; index < 16; index += 2) { + temp = S[index / 2]; + output[index] = (uint8_t)temp; + output[index + 1] = (uint8_t)(temp >> 8); + output[index + 16] = (uint8_t)(temp >> 16); + output[index + 17] = (uint8_t)(temp >> 24); + } +} + +/** + * \brief Decrypts a 256-bit block with the SATURNIN block cipher. + * + * \param output Plaintext output block, 32 bytes. + * \param input Ciphertext input block, 32 bytes. + * \param key Points to the 32 byte key for the block cipher. + * \param rounds Number of rounds to perform. + * \param RC Round constants to use for domain separation. + * + * The \a input and \a output buffers can be the same. + * + * \sa saturnin_block_encrypt() + */ +static void saturnin_block_decrypt + (unsigned char *output, const unsigned char *input, + const unsigned char *key, unsigned rounds, const uint32_t *RC) +{ + uint32_t K[16]; + uint32_t S[8]; + uint32_t temp; + unsigned index; + + /* Unpack the key and the input block */ + for (index = 0; index < 16; index += 2) { + temp = ((uint32_t)(key[index])) | + (((uint32_t)(key[index + 1])) << 8) | + (((uint32_t)(key[index + 16])) << 16) | + (((uint32_t)(key[index + 17])) << 24); + K[index / 2] = temp; + K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) | + ((temp >> 5) & 0x07FF07FFU); + S[index / 2] = ((uint32_t)(input[index])) | + (((uint32_t)(input[index + 1])) << 8) | + (((uint32_t)(input[index + 16])) << 16) | + (((uint32_t)(input[index + 17])) << 24); + } + + /* Perform all decryption rounds */ + RC += rounds - 2; + for (; rounds > 0; rounds -= 2, RC -= 2) { + saturnin_xor_key(); + S[0] ^= RC[1]; + saturnin_sheet(S); + saturnin_mds_inverse(S); + saturnin_sheet_inverse(S); + saturnin_sbox_inverse(S); + saturnin_mds_inverse(S); + saturnin_sbox_inverse(S); + + saturnin_xor_key_rotated(); + S[0] ^= RC[0]; + saturnin_slice(S); + saturnin_mds_inverse(S); + saturnin_slice_inverse(S); + saturnin_sbox_inverse(S); + saturnin_mds_inverse(S); + saturnin_sbox_inverse(S); + } + + /* XOR the key into the state */ + saturnin_xor_key(); + + /* Encode the state into the output block */ + for (index = 0; index < 16; index += 2) { + temp = S[index / 2]; + output[index] = (uint8_t)temp; + output[index + 1] = (uint8_t)(temp >> 8); + output[index + 16] = (uint8_t)(temp >> 16); + output[index + 17] = (uint8_t)(temp >> 24); + } +} + +/** + * \brief Encrypts a 256-bit block with the SATURNIN block cipher and + * then XOR's itself to generate a new key. + * + * \param block Block to be encrypted and then XOR'ed with itself. + * \param key Points to the 32 byte key for the block cipher. + * \param rounds Number of rounds to perform. + * \param RC Round constants to use for domain separation. + */ +void saturnin_block_encrypt_xor + (const unsigned char *block, unsigned char *key, + unsigned rounds, const uint32_t *RC) +{ + unsigned char temp[32]; + saturnin_block_encrypt(temp, block, key, rounds, RC); + lw_xor_block_2_src(key, block, temp, 32); +} + +/** + * \brief Encrypts (or decrypts) a data packet in CTR mode. + * + * \param c Output ciphertext buffer. + * \param m Input plaintext buffer. + * \param mlen Length of the plaintext in bytes. + * \param k Points to the 32-byte key. + * \param block Points to the pre-formatted nonce block. + */ +static void saturnin_ctr_encrypt + (unsigned char *c, const unsigned char *m, unsigned long long mlen, + const unsigned char *k, unsigned char *block) +{ + /* Note: Specification requires a 95-bit counter but we only use 32-bit. + * This limits the maximum packet size to 128Gb. That should be OK */ + uint32_t counter = 1; + unsigned char out[32]; + while (mlen >= 32) { + be_store_word32(block + 28, counter); + saturnin_block_encrypt(out, block, k, 10, RC_10_1); + lw_xor_block_2_src(c, out, m, 32); + c += 32; + m += 32; + mlen -= 32; + ++counter; + } + if (mlen > 0) { + be_store_word32(block + 28, counter); + saturnin_block_encrypt(out, block, k, 10, RC_10_1); + lw_xor_block_2_src(c, out, m, (unsigned)mlen); + } +} + +/** + * \brief Pads an authenticates a message. + * + * \param tag Points to the authentication tag. + * \param block Temporary block of 32 bytes from the caller. + * \param m Points to the message to be authenticated. + * \param mlen Length of the message to be authenticated in bytes. + * \param rounds Number of rounds to perform. + * \param RC1 Round constants to use for domain separation on full blocks. + * \param RC2 Round constants to use for domain separation on the last block. + */ +static void saturnin_authenticate + (unsigned char *tag, unsigned char *block, + const unsigned char *m, unsigned long long mlen, + unsigned rounds, const uint32_t *RC1, const uint32_t *RC2) +{ + unsigned temp; + while (mlen >= 32) { + saturnin_block_encrypt_xor(m, tag, rounds, RC1); + m += 32; + mlen -= 32; + } + temp = (unsigned)mlen; + memcpy(block, m, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, 31 - temp); + saturnin_block_encrypt_xor(block, tag, rounds, RC2); +} + +int saturnin_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char block[32]; + unsigned char *tag; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SATURNIN_TAG_SIZE; + + /* Format the input block from the padded nonce */ + memcpy(block, npub, 16); + block[16] = 0x80; + memset(block + 17, 0, 15); + + /* Encrypt the plaintext in counter mode to produce the ciphertext */ + saturnin_ctr_encrypt(c, m, mlen, k, block); + + /* Set the counter back to zero and then encrypt the nonce */ + tag = c + mlen; + memcpy(tag, k, 32); + memset(block + 17, 0, 15); + saturnin_block_encrypt_xor(block, tag, 10, RC_10_2); + + /* Authenticate the associated data and the ciphertext */ + saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3); + saturnin_authenticate(tag, block, c, mlen, 10, RC_10_4, RC_10_5); + return 0; +} + +int saturnin_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char block[32]; + unsigned char tag[32]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SATURNIN_TAG_SIZE) + return -1; + *mlen = clen - SATURNIN_TAG_SIZE; + + /* Format the input block from the padded nonce */ + memcpy(block, npub, 16); + block[16] = 0x80; + memset(block + 17, 0, 15); + + /* Encrypt the nonce to initialize the authentication phase */ + memcpy(tag, k, 32); + saturnin_block_encrypt_xor(block, tag, 10, RC_10_2); + + /* Authenticate the associated data and the ciphertext */ + saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3); + saturnin_authenticate(tag, block, c, *mlen, 10, RC_10_4, RC_10_5); + + /* Decrypt the ciphertext in counter mode to produce the plaintext */ + memcpy(block, npub, 16); + block[16] = 0x80; + memset(block + 17, 0, 15); + saturnin_ctr_encrypt(m, c, *mlen, k, block); + + /* Check the authentication tag at the end of the message */ + return aead_check_tag + (m, *mlen, tag, c + *mlen, SATURNIN_TAG_SIZE); +} + +int saturnin_short_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char block[32]; + unsigned temp; + (void)nsec; + (void)ad; + + /* Validate the parameters: no associated data allowed and m <= 15 bytes */ + if (adlen > 0 || mlen > 15) + return -2; + + /* Format the input block from the nonce and plaintext */ + temp = (unsigned)mlen; + memcpy(block, npub, 16); + memcpy(block + 16, m, temp); + block[16 + temp] = 0x80; /* Padding */ + memset(block + 17 + temp, 0, 15 - temp); + + /* Encrypt the input block to produce the output ciphertext */ + saturnin_block_encrypt(c, block, k, 10, RC_10_6); + *clen = 32; + return 0; +} + +int saturnin_short_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char block[32]; + unsigned check1, check2, len; + int index, result; + (void)nsec; + (void)ad; + + /* Validate the parameters: no associated data and c is always 32 bytes */ + if (adlen > 0) + return -2; + if (clen != 32) + return -1; + + /* Decrypt the ciphertext block */ + saturnin_block_decrypt(block, c, k, 10, RC_10_6); + + /* Verify that the output block starts with the nonce and that it is + * padded correctly. We need to do this very carefully to avoid leaking + * any information that could be used in a padding oracle attack. Use the + * same algorithm as the reference implementation of SATURNIN-Short */ + check1 = 0; + for (index = 0; index < 16; ++index) + check1 |= npub[index] ^ block[index]; + check2 = 0xFF; + len = 0; + for (index = 15; index >= 0; --index) { + unsigned temp = block[16 + index]; + unsigned temp2 = check2 & -(1 - (((temp ^ 0x80) + 0xFF) >> 8)); + len |= temp2 & (unsigned)index; + check2 &= ~temp2; + check1 |= check2 & ((temp + 0xFF) >> 8); + } + check1 |= check2; + + /* At this point, check1 is zero if the nonce and plaintext are good, + * or non-zero if there was an error in the decrypted data */ + result = (((int)check1) - 1) >> 8; + + /* The "result" is -1 if the data is good or zero if the data is invalid. + * Copy either the plaintext or zeroes to the output buffer. We assume + * that the output buffer has space for up to 15 bytes. This may return + * some of the padding to the caller but as long as they restrict + * themselves to the first *mlen bytes then it shouldn't be a problem */ + for (index = 0; index < 15; ++index) + m[index] = block[16 + index] & result; + *mlen = len; + return ~result; +} + +int saturnin_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + unsigned char tag[32]; + unsigned char block[32]; + memset(tag, 0, sizeof(tag)); + saturnin_authenticate(tag, block, in, inlen, 16, RC_16_7, RC_16_8); + memcpy(out, tag, 32); + return 0; +} + +void saturnin_hash_init(saturnin_hash_state_t *state) +{ + memset(state, 0, sizeof(saturnin_hash_state_t)); +} + +void saturnin_hash_update + (saturnin_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + unsigned temp; + + /* Handle the partial left-over block from last time */ + if (state->s.count) { + temp = 32 - state->s.count; + if (temp > inlen) { + temp = (unsigned)inlen; + memcpy(state->s.block + state->s.count, in, temp); + state->s.count += temp; + return; + } + memcpy(state->s.block + state->s.count, in, temp); + state->s.count = 0; + in += temp; + inlen -= temp; + saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_7); + } + + /* Process full blocks that are aligned at state->s.count == 0 */ + while (inlen >= 32) { + saturnin_block_encrypt_xor(in, state->s.hash, 16, RC_16_7); + in += 32; + inlen -= 32; + } + + /* Process the left-over block at the end of the input */ + temp = (unsigned)inlen; + memcpy(state->s.block, in, temp); + state->s.count = temp; +} + +void saturnin_hash_finalize + (saturnin_hash_state_t *state, unsigned char *out) +{ + /* Pad the final block */ + state->s.block[state->s.count] = 0x80; + memset(state->s.block + state->s.count + 1, 0, 31 - state->s.count); + + /* Generate the final hash value */ + saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_8); + memcpy(out, state->s.hash, 32); +} diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.h b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.h new file mode 100644 index 0000000..873d950 --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/saturnin.h @@ -0,0 +1,270 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SATURNIN_H +#define LWCRYPTO_SATURNIN_H + +#include "aead-common.h" + +/** + * \file saturnin.h + * \brief Saturnin authenticated encryption algorithm. + * + * The Saturnin family consists of two members: SATURNIN-CTR-Cascade and + * SATURNIN-Short. Both take a 256-bit key and a 128-bit nonce. + * Internally they use a 256-bit block cipher similar in construction to AES. + * + * SATURNIN-Short does not support associated data or plaintext packets + * with more than 15 bytes. This makes it very efficient on short packets + * with only a single block operation involved. + * + * This implementation of SATURNIN-Short will return an error if the + * caller supplies associated data or more than 15 bytes of plaintext. + * + * References: https://project.inria.fr/saturnin/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SATURNIN family members. + */ +#define SATURNIN_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for SATURNIN-CTR-Cascade or the + * total size of the ciphertext for SATURNIN-Short. + */ +#define SATURNIN_TAG_SIZE 32 + +/** + * \brief Size of the nonce for all SATURNIN family members. + */ +#define SATURNIN_NONCE_SIZE 16 + +/** + * \brief Size of the hash for SATURNIN-Hash. + */ +#define SATURNIN_HASH_SIZE 32 + +/** + * \brief State information for SATURNIN-Hash incremental modes. + */ +typedef union +{ + struct { + unsigned char hash[32]; /**< Current hash state */ + unsigned char block[32]; /**< Left-over block data from last update */ + unsigned char count; /**< Number of bytes in the current block */ + unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} saturnin_hash_state_t; + +/** + * \brief Meta-information block for the SATURNIN-CTR-Cascade cipher. + */ +extern aead_cipher_t const saturnin_cipher; + +/** + * \brief Meta-information block for the SATURNIN-Short cipher. + */ +extern aead_cipher_t const saturnin_short_cipher; + +/** + * \brief Meta-information block for SATURNIN-Hash. + */ +extern aead_hash_algorithm_t const saturnin_hash_algorithm; + +/** + * \brief Encrypts and authenticates a packet with SATURNIN-CTR-Cascade. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 32 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa saturnin_aead_decrypt() + */ +int saturnin_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SATURNIN-CTR-Cascade. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 32 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa saturnin_aead_encrypt() + */ +int saturnin_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SATURNIN-Short. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which is always 32. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes, which must be + * less than or equal to 15 bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes, which must be zero. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or -2 if the caller supplied too many bytes of + * plaintext or they supplied associated data. + * + * \sa saturnin_short_aead_decrypt() + */ +int saturnin_short_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SATURNIN-Short. + * + * \param m Buffer to receive the plaintext message on output. There must + * be at least 15 bytes of space in this buffer even if the caller expects + * to receive less data than that. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext to decrypt. + * \param clen Length of the input data in bytes, which must be 32. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes, which must be zero. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or -2 if the caller supplied associated data. + * + * \sa saturnin_short_aead_encrypt() + */ +int saturnin_short_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with SATURNIN to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * SATURNIN_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int saturnin_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an SATURNIN-Hash hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa saturnin_hash_update(), saturnin_hash_finalize(), saturnin_hash() + */ +void saturnin_hash_init(saturnin_hash_state_t *state); + +/** + * \brief Updates an SATURNIN-Hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa saturnin_hash_init(), saturnin_hash_finalize() + */ +void saturnin_hash_update + (saturnin_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an SATURNIN-Hash hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa saturnin_hash_init(), saturnin_hash_update() + */ +void saturnin_hash_finalize + (saturnin_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.c b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.h b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/api.h b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/api.h new file mode 100644 index 0000000..75fabd7 --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 32 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 32 +#define CRYPTO_NOOVERLAP 1 diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/encrypt.c b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/encrypt.c new file mode 100644 index 0000000..29d7d06 --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "saturnin.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return saturnin_short_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return saturnin_short_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/internal-util.h b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.c b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.c new file mode 100644 index 0000000..734fc69 --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.c @@ -0,0 +1,781 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "saturnin.h" +#include "internal-util.h" +#include + +aead_cipher_t const saturnin_cipher = { + "SATURNIN-CTR-Cascade", + SATURNIN_KEY_SIZE, + SATURNIN_NONCE_SIZE, + SATURNIN_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + saturnin_aead_encrypt, + saturnin_aead_decrypt +}; + +aead_cipher_t const saturnin_short_cipher = { + "SATURNIN-Short", + SATURNIN_KEY_SIZE, + SATURNIN_NONCE_SIZE, + SATURNIN_TAG_SIZE, + AEAD_FLAG_NONE, + saturnin_short_aead_encrypt, + saturnin_short_aead_decrypt +}; + +aead_hash_algorithm_t const saturnin_hash_algorithm = { + "SATURNIN-Hash", + sizeof(saturnin_hash_state_t), + SATURNIN_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + saturnin_hash, + (aead_hash_init_t)saturnin_hash_init, + (aead_hash_update_t)saturnin_hash_update, + (aead_hash_finalize_t)saturnin_hash_finalize, + 0, /* absorb */ + 0 /* squeeze */ +}; + +/* Round constant tables for various combinations of rounds and domain_sep */ +static uint32_t const RC_10_1[] = { + 0x4eb026c2, 0x90595303, 0xaa8fe632, 0xfe928a92, 0x4115a419, + 0x93539532, 0x5db1cc4e, 0x541515ca, 0xbd1f55a8, 0x5a6e1a0d +}; +static uint32_t const RC_10_2[] = { + 0x4e4526b5, 0xa3565ff0, 0x0f8f20d8, 0x0b54bee1, 0x7d1a6c9d, + 0x17a6280a, 0xaa46c986, 0xc1199062, 0x182c5cde, 0xa00d53fe +}; +static uint32_t const RC_10_3[] = { + 0x4e162698, 0xb2535ba1, 0x6c8f9d65, 0x5816ad30, 0x691fd4fa, + 0x6bf5bcf9, 0xf8eb3525, 0xb21decfa, 0x7b3da417, 0xf62c94b4 +}; +static uint32_t const RC_10_4[] = { + 0x4faf265b, 0xc5484616, 0x45dcad21, 0xe08bd607, 0x0504fdb8, + 0x1e1f5257, 0x45fbc216, 0xeb529b1f, 0x52194e32, 0x5498c018 +}; +static uint32_t const RC_10_5[] = { + 0x4ffc2676, 0xd44d4247, 0x26dc109c, 0xb3c9c5d6, 0x110145df, + 0x624cc6a4, 0x17563eb5, 0x9856e787, 0x3108b6fb, 0x02b90752 +}; +static uint32_t const RC_10_6[] = { + 0x4f092601, 0xe7424eb4, 0x83dcd676, 0x460ff1a5, 0x2d0e8d5b, + 0xe6b97b9c, 0xe0a13b7d, 0x0d5a622f, 0x943bbf8d, 0xf8da4ea1 +}; +static uint32_t const RC_16_7[] = { + 0x3fba180c, 0x563ab9ab, 0x125ea5ef, 0x859da26c, 0xb8cf779b, + 0x7d4de793, 0x07efb49f, 0x8d525306, 0x1e08e6ab, 0x41729f87, + 0x8c4aef0a, 0x4aa0c9a7, 0xd93a95ef, 0xbb00d2af, 0xb62c5bf0, + 0x386d94d8 +}; +static uint32_t const RC_16_8[] = { + 0x3c9b19a7, 0xa9098694, 0x23f878da, 0xa7b647d3, 0x74fc9d78, + 0xeacaae11, 0x2f31a677, 0x4cc8c054, 0x2f51ca05, 0x5268f195, + 0x4f5b8a2b, 0xf614b4ac, 0xf1d95401, 0x764d2568, 0x6a493611, + 0x8eef9c3e +}; + +/* Rotate the 4-bit nibbles within a 16-bit word left */ +#define leftRotate4_N(a, mask1, bits1, mask2, bits2) \ + do { \ + uint32_t _temp = (a); \ + (a) = ((_temp & (mask1)) << (bits1)) | \ + ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (4 - (bits1))) | \ + ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \ + ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (4 - (bits2))); \ + } while (0) + +/* Rotate 16-bit subwords left */ +#define leftRotate16_N(a, mask1, bits1, mask2, bits2) \ + do { \ + uint32_t _temp = (a); \ + (a) = ((_temp & (mask1)) << (bits1)) | \ + ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (16 - (bits1))) | \ + ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \ + ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (16 - (bits2))); \ + } while (0) + +/* XOR the SATURNIN state with the key */ +#define saturnin_xor_key() \ + do { \ + for (index = 0; index < 8; ++index) \ + S[index] ^= K[index]; \ + } while (0) + +/* XOR the SATURNIN state with a rotated version of the key */ +#define saturnin_xor_key_rotated() \ + do { \ + for (index = 0; index < 8; ++index) \ + S[index] ^= K[index + 8]; \ + } while (0) + +/* Apply an SBOX layer for SATURNIN - definition from the specification */ +#define S_LAYER(a, b, c, d) \ + do { \ + (a) ^= (b) & (c); \ + (b) ^= (a) | (d); \ + (d) ^= (b) | (c); \ + (c) ^= (b) & (d); \ + (b) ^= (a) | (c); \ + (a) ^= (b) | (d); \ + } while (0) + +/* Apply an SBOX layer for SATURNIN in reverse */ +#define S_LAYER_INVERSE(a, b, c, d) \ + do { \ + (a) ^= (b) | (d); \ + (b) ^= (a) | (c); \ + (c) ^= (b) & (d); \ + (d) ^= (b) | (c); \ + (b) ^= (a) | (d); \ + (a) ^= (b) & (c); \ + } while (0) + +/** + * \brief Applies the SBOX to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_sbox(uint32_t S[8]) +{ + uint32_t a, b, c, d; + + /* PI_0 on the first half of the state */ + a = S[0]; b = S[1]; c = S[2]; d = S[3]; + S_LAYER(a, b, c, d); + S[0] = b; S[1] = c; S[2] = d; S[3] = a; + + /* PI_1 on the second half of the state */ + a = S[4]; b = S[5]; c = S[6]; d = S[7]; + S_LAYER(a, b, c, d); + S[4] = d; S[5] = b; S[6] = a; S[7] = c; +} + +/** + * \brief Applies the inverse of the SBOX to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_sbox_inverse(uint32_t S[8]) +{ + uint32_t a, b, c, d; + + /* PI_0 on the first half of the state */ + b = S[0]; c = S[1]; d = S[2]; a = S[3]; + S_LAYER_INVERSE(a, b, c, d); + S[0] = a; S[1] = b; S[2] = c; S[3] = d; + + /* PI_1 on the second half of the state */ + d = S[4]; b = S[5]; a = S[6]; c = S[7]; + S_LAYER_INVERSE(a, b, c, d); + S[4] = a; S[5] = b; S[6] = c; S[7] = d; +} + +/** + * \brief Applies the MDS matrix to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_mds(uint32_t S[8]) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t tmp; + + /* Load the state into temporary working variables */ + x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3]; + x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7]; + + /* Apply the MDS matrix to the state */ + #define SWAP(a) (((a) << 16) | ((a) >> 16)) + #define MUL(x0, x1, x2, x3, tmp) \ + do { \ + tmp = x0; x0 = x1; x1 = x2; x2 = x3; x3 = tmp ^ x0; \ + } while (0) + x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; + MUL(x4, x5, x6, x7, tmp); + x4 ^= SWAP(x0); x5 ^= SWAP(x1); + x6 ^= SWAP(x2); x7 ^= SWAP(x3); + MUL(x0, x1, x2, x3, tmp); + MUL(x0, x1, x2, x3, tmp); + x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; + x4 ^= SWAP(x0); x5 ^= SWAP(x1); + x6 ^= SWAP(x2); x7 ^= SWAP(x3); + + /* Store the temporary working variables back into the state */ + S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3; + S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7; +} + +/** + * \brief Applies the inverse of the MDS matrix to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_mds_inverse(uint32_t S[8]) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t tmp; + + /* Load the state into temporary working variables */ + x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3]; + x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7]; + + /* Apply the inverse of the MDS matrix to the state */ + #define MULINV(x0, x1, x2, x3, tmp) \ + do { \ + tmp = x3; x3 = x2; x2 = x1; x1 = x0; x0 = x1 ^ tmp; \ + } while (0) + x6 ^= SWAP(x2); x7 ^= SWAP(x3); + x4 ^= SWAP(x0); x5 ^= SWAP(x1); + x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; + MULINV(x0, x1, x2, x3, tmp); + MULINV(x0, x1, x2, x3, tmp); + x6 ^= SWAP(x2); x7 ^= SWAP(x3); + x4 ^= SWAP(x0); x5 ^= SWAP(x1); + MULINV(x4, x5, x6, x7, tmp); + x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; + + /* Store the temporary working variables back into the state */ + S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3; + S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7; +} + +/** + * \brief Applies the slice permutation to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_slice(uint32_t S[8]) +{ + leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2); + + leftRotate4_N(S[4], 0x7777U, 1, 0x1111, 3); + leftRotate4_N(S[5], 0x7777U, 1, 0x1111, 3); + leftRotate4_N(S[6], 0x7777U, 1, 0x1111, 3); + leftRotate4_N(S[7], 0x7777U, 1, 0x1111, 3); +} + +/** + * \brief Applies the inverse of the slice permutation to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_slice_inverse(uint32_t S[8]) +{ + leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2); + leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2); + + leftRotate4_N(S[4], 0x1111U, 3, 0x7777, 1); + leftRotate4_N(S[5], 0x1111U, 3, 0x7777, 1); + leftRotate4_N(S[6], 0x1111U, 3, 0x7777, 1); + leftRotate4_N(S[7], 0x1111U, 3, 0x7777, 1); +} + +/** + * \brief Applies the sheet permutation to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_sheet(uint32_t S[8]) +{ + leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8); + + leftRotate16_N(S[4], 0x0FFFU, 4, 0x000F, 12); + leftRotate16_N(S[5], 0x0FFFU, 4, 0x000F, 12); + leftRotate16_N(S[6], 0x0FFFU, 4, 0x000F, 12); + leftRotate16_N(S[7], 0x0FFFU, 4, 0x000F, 12); +} + +/** + * \brief Applies the inverse of the sheet permutation to the SATURNIN state. + * + * \param S The state. + */ +static void saturnin_sheet_inverse(uint32_t S[8]) +{ + leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8); + leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8); + + leftRotate16_N(S[4], 0x000FU, 12, 0x0FFF, 4); + leftRotate16_N(S[5], 0x000FU, 12, 0x0FFF, 4); + leftRotate16_N(S[6], 0x000FU, 12, 0x0FFF, 4); + leftRotate16_N(S[7], 0x000FU, 12, 0x0FFF, 4); +} + +/** + * \brief Encrypts a 256-bit block with the SATURNIN block cipher. + * + * \param output Ciphertext output block, 32 bytes. + * \param input Plaintext input block, 32 bytes. + * \param key Points to the 32 byte key for the block cipher. + * \param rounds Number of rounds to perform. + * \param RC Round constants to use for domain separation. + * + * The \a input and \a output buffers can be the same. + * + * \sa saturnin_block_decrypt() + */ +static void saturnin_block_encrypt + (unsigned char *output, const unsigned char *input, + const unsigned char *key, unsigned rounds, const uint32_t *RC) +{ + uint32_t K[16]; + uint32_t S[8]; + uint32_t temp; + unsigned index; + + /* Unpack the key and the input block */ + for (index = 0; index < 16; index += 2) { + temp = ((uint32_t)(key[index])) | + (((uint32_t)(key[index + 1])) << 8) | + (((uint32_t)(key[index + 16])) << 16) | + (((uint32_t)(key[index + 17])) << 24); + K[index / 2] = temp; + K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) | + ((temp >> 5) & 0x07FF07FFU); + S[index / 2] = ((uint32_t)(input[index])) | + (((uint32_t)(input[index + 1])) << 8) | + (((uint32_t)(input[index + 16])) << 16) | + (((uint32_t)(input[index + 17])) << 24); + } + + /* XOR the key into the state */ + saturnin_xor_key(); + + /* Perform all encryption rounds */ + for (; rounds > 0; rounds -= 2, RC += 2) { + saturnin_sbox(S); + saturnin_mds(S); + saturnin_sbox(S); + saturnin_slice(S); + saturnin_mds(S); + saturnin_slice_inverse(S); + S[0] ^= RC[0]; + saturnin_xor_key_rotated(); + + saturnin_sbox(S); + saturnin_mds(S); + saturnin_sbox(S); + saturnin_sheet(S); + saturnin_mds(S); + saturnin_sheet_inverse(S); + S[0] ^= RC[1]; + saturnin_xor_key(); + } + + /* Encode the state into the output block */ + for (index = 0; index < 16; index += 2) { + temp = S[index / 2]; + output[index] = (uint8_t)temp; + output[index + 1] = (uint8_t)(temp >> 8); + output[index + 16] = (uint8_t)(temp >> 16); + output[index + 17] = (uint8_t)(temp >> 24); + } +} + +/** + * \brief Decrypts a 256-bit block with the SATURNIN block cipher. + * + * \param output Plaintext output block, 32 bytes. + * \param input Ciphertext input block, 32 bytes. + * \param key Points to the 32 byte key for the block cipher. + * \param rounds Number of rounds to perform. + * \param RC Round constants to use for domain separation. + * + * The \a input and \a output buffers can be the same. + * + * \sa saturnin_block_encrypt() + */ +static void saturnin_block_decrypt + (unsigned char *output, const unsigned char *input, + const unsigned char *key, unsigned rounds, const uint32_t *RC) +{ + uint32_t K[16]; + uint32_t S[8]; + uint32_t temp; + unsigned index; + + /* Unpack the key and the input block */ + for (index = 0; index < 16; index += 2) { + temp = ((uint32_t)(key[index])) | + (((uint32_t)(key[index + 1])) << 8) | + (((uint32_t)(key[index + 16])) << 16) | + (((uint32_t)(key[index + 17])) << 24); + K[index / 2] = temp; + K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) | + ((temp >> 5) & 0x07FF07FFU); + S[index / 2] = ((uint32_t)(input[index])) | + (((uint32_t)(input[index + 1])) << 8) | + (((uint32_t)(input[index + 16])) << 16) | + (((uint32_t)(input[index + 17])) << 24); + } + + /* Perform all decryption rounds */ + RC += rounds - 2; + for (; rounds > 0; rounds -= 2, RC -= 2) { + saturnin_xor_key(); + S[0] ^= RC[1]; + saturnin_sheet(S); + saturnin_mds_inverse(S); + saturnin_sheet_inverse(S); + saturnin_sbox_inverse(S); + saturnin_mds_inverse(S); + saturnin_sbox_inverse(S); + + saturnin_xor_key_rotated(); + S[0] ^= RC[0]; + saturnin_slice(S); + saturnin_mds_inverse(S); + saturnin_slice_inverse(S); + saturnin_sbox_inverse(S); + saturnin_mds_inverse(S); + saturnin_sbox_inverse(S); + } + + /* XOR the key into the state */ + saturnin_xor_key(); + + /* Encode the state into the output block */ + for (index = 0; index < 16; index += 2) { + temp = S[index / 2]; + output[index] = (uint8_t)temp; + output[index + 1] = (uint8_t)(temp >> 8); + output[index + 16] = (uint8_t)(temp >> 16); + output[index + 17] = (uint8_t)(temp >> 24); + } +} + +/** + * \brief Encrypts a 256-bit block with the SATURNIN block cipher and + * then XOR's itself to generate a new key. + * + * \param block Block to be encrypted and then XOR'ed with itself. + * \param key Points to the 32 byte key for the block cipher. + * \param rounds Number of rounds to perform. + * \param RC Round constants to use for domain separation. + */ +void saturnin_block_encrypt_xor + (const unsigned char *block, unsigned char *key, + unsigned rounds, const uint32_t *RC) +{ + unsigned char temp[32]; + saturnin_block_encrypt(temp, block, key, rounds, RC); + lw_xor_block_2_src(key, block, temp, 32); +} + +/** + * \brief Encrypts (or decrypts) a data packet in CTR mode. + * + * \param c Output ciphertext buffer. + * \param m Input plaintext buffer. + * \param mlen Length of the plaintext in bytes. + * \param k Points to the 32-byte key. + * \param block Points to the pre-formatted nonce block. + */ +static void saturnin_ctr_encrypt + (unsigned char *c, const unsigned char *m, unsigned long long mlen, + const unsigned char *k, unsigned char *block) +{ + /* Note: Specification requires a 95-bit counter but we only use 32-bit. + * This limits the maximum packet size to 128Gb. That should be OK */ + uint32_t counter = 1; + unsigned char out[32]; + while (mlen >= 32) { + be_store_word32(block + 28, counter); + saturnin_block_encrypt(out, block, k, 10, RC_10_1); + lw_xor_block_2_src(c, out, m, 32); + c += 32; + m += 32; + mlen -= 32; + ++counter; + } + if (mlen > 0) { + be_store_word32(block + 28, counter); + saturnin_block_encrypt(out, block, k, 10, RC_10_1); + lw_xor_block_2_src(c, out, m, (unsigned)mlen); + } +} + +/** + * \brief Pads an authenticates a message. + * + * \param tag Points to the authentication tag. + * \param block Temporary block of 32 bytes from the caller. + * \param m Points to the message to be authenticated. + * \param mlen Length of the message to be authenticated in bytes. + * \param rounds Number of rounds to perform. + * \param RC1 Round constants to use for domain separation on full blocks. + * \param RC2 Round constants to use for domain separation on the last block. + */ +static void saturnin_authenticate + (unsigned char *tag, unsigned char *block, + const unsigned char *m, unsigned long long mlen, + unsigned rounds, const uint32_t *RC1, const uint32_t *RC2) +{ + unsigned temp; + while (mlen >= 32) { + saturnin_block_encrypt_xor(m, tag, rounds, RC1); + m += 32; + mlen -= 32; + } + temp = (unsigned)mlen; + memcpy(block, m, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, 31 - temp); + saturnin_block_encrypt_xor(block, tag, rounds, RC2); +} + +int saturnin_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char block[32]; + unsigned char *tag; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SATURNIN_TAG_SIZE; + + /* Format the input block from the padded nonce */ + memcpy(block, npub, 16); + block[16] = 0x80; + memset(block + 17, 0, 15); + + /* Encrypt the plaintext in counter mode to produce the ciphertext */ + saturnin_ctr_encrypt(c, m, mlen, k, block); + + /* Set the counter back to zero and then encrypt the nonce */ + tag = c + mlen; + memcpy(tag, k, 32); + memset(block + 17, 0, 15); + saturnin_block_encrypt_xor(block, tag, 10, RC_10_2); + + /* Authenticate the associated data and the ciphertext */ + saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3); + saturnin_authenticate(tag, block, c, mlen, 10, RC_10_4, RC_10_5); + return 0; +} + +int saturnin_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char block[32]; + unsigned char tag[32]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SATURNIN_TAG_SIZE) + return -1; + *mlen = clen - SATURNIN_TAG_SIZE; + + /* Format the input block from the padded nonce */ + memcpy(block, npub, 16); + block[16] = 0x80; + memset(block + 17, 0, 15); + + /* Encrypt the nonce to initialize the authentication phase */ + memcpy(tag, k, 32); + saturnin_block_encrypt_xor(block, tag, 10, RC_10_2); + + /* Authenticate the associated data and the ciphertext */ + saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3); + saturnin_authenticate(tag, block, c, *mlen, 10, RC_10_4, RC_10_5); + + /* Decrypt the ciphertext in counter mode to produce the plaintext */ + memcpy(block, npub, 16); + block[16] = 0x80; + memset(block + 17, 0, 15); + saturnin_ctr_encrypt(m, c, *mlen, k, block); + + /* Check the authentication tag at the end of the message */ + return aead_check_tag + (m, *mlen, tag, c + *mlen, SATURNIN_TAG_SIZE); +} + +int saturnin_short_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char block[32]; + unsigned temp; + (void)nsec; + (void)ad; + + /* Validate the parameters: no associated data allowed and m <= 15 bytes */ + if (adlen > 0 || mlen > 15) + return -2; + + /* Format the input block from the nonce and plaintext */ + temp = (unsigned)mlen; + memcpy(block, npub, 16); + memcpy(block + 16, m, temp); + block[16 + temp] = 0x80; /* Padding */ + memset(block + 17 + temp, 0, 15 - temp); + + /* Encrypt the input block to produce the output ciphertext */ + saturnin_block_encrypt(c, block, k, 10, RC_10_6); + *clen = 32; + return 0; +} + +int saturnin_short_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char block[32]; + unsigned check1, check2, len; + int index, result; + (void)nsec; + (void)ad; + + /* Validate the parameters: no associated data and c is always 32 bytes */ + if (adlen > 0) + return -2; + if (clen != 32) + return -1; + + /* Decrypt the ciphertext block */ + saturnin_block_decrypt(block, c, k, 10, RC_10_6); + + /* Verify that the output block starts with the nonce and that it is + * padded correctly. We need to do this very carefully to avoid leaking + * any information that could be used in a padding oracle attack. Use the + * same algorithm as the reference implementation of SATURNIN-Short */ + check1 = 0; + for (index = 0; index < 16; ++index) + check1 |= npub[index] ^ block[index]; + check2 = 0xFF; + len = 0; + for (index = 15; index >= 0; --index) { + unsigned temp = block[16 + index]; + unsigned temp2 = check2 & -(1 - (((temp ^ 0x80) + 0xFF) >> 8)); + len |= temp2 & (unsigned)index; + check2 &= ~temp2; + check1 |= check2 & ((temp + 0xFF) >> 8); + } + check1 |= check2; + + /* At this point, check1 is zero if the nonce and plaintext are good, + * or non-zero if there was an error in the decrypted data */ + result = (((int)check1) - 1) >> 8; + + /* The "result" is -1 if the data is good or zero if the data is invalid. + * Copy either the plaintext or zeroes to the output buffer. We assume + * that the output buffer has space for up to 15 bytes. This may return + * some of the padding to the caller but as long as they restrict + * themselves to the first *mlen bytes then it shouldn't be a problem */ + for (index = 0; index < 15; ++index) + m[index] = block[16 + index] & result; + *mlen = len; + return ~result; +} + +int saturnin_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + unsigned char tag[32]; + unsigned char block[32]; + memset(tag, 0, sizeof(tag)); + saturnin_authenticate(tag, block, in, inlen, 16, RC_16_7, RC_16_8); + memcpy(out, tag, 32); + return 0; +} + +void saturnin_hash_init(saturnin_hash_state_t *state) +{ + memset(state, 0, sizeof(saturnin_hash_state_t)); +} + +void saturnin_hash_update + (saturnin_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + unsigned temp; + + /* Handle the partial left-over block from last time */ + if (state->s.count) { + temp = 32 - state->s.count; + if (temp > inlen) { + temp = (unsigned)inlen; + memcpy(state->s.block + state->s.count, in, temp); + state->s.count += temp; + return; + } + memcpy(state->s.block + state->s.count, in, temp); + state->s.count = 0; + in += temp; + inlen -= temp; + saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_7); + } + + /* Process full blocks that are aligned at state->s.count == 0 */ + while (inlen >= 32) { + saturnin_block_encrypt_xor(in, state->s.hash, 16, RC_16_7); + in += 32; + inlen -= 32; + } + + /* Process the left-over block at the end of the input */ + temp = (unsigned)inlen; + memcpy(state->s.block, in, temp); + state->s.count = temp; +} + +void saturnin_hash_finalize + (saturnin_hash_state_t *state, unsigned char *out) +{ + /* Pad the final block */ + state->s.block[state->s.count] = 0x80; + memset(state->s.block + state->s.count + 1, 0, 31 - state->s.count); + + /* Generate the final hash value */ + saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_8); + memcpy(out, state->s.hash, 32); +} diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.h b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.h new file mode 100644 index 0000000..873d950 --- /dev/null +++ b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/saturnin.h @@ -0,0 +1,270 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SATURNIN_H +#define LWCRYPTO_SATURNIN_H + +#include "aead-common.h" + +/** + * \file saturnin.h + * \brief Saturnin authenticated encryption algorithm. + * + * The Saturnin family consists of two members: SATURNIN-CTR-Cascade and + * SATURNIN-Short. Both take a 256-bit key and a 128-bit nonce. + * Internally they use a 256-bit block cipher similar in construction to AES. + * + * SATURNIN-Short does not support associated data or plaintext packets + * with more than 15 bytes. This makes it very efficient on short packets + * with only a single block operation involved. + * + * This implementation of SATURNIN-Short will return an error if the + * caller supplies associated data or more than 15 bytes of plaintext. + * + * References: https://project.inria.fr/saturnin/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SATURNIN family members. + */ +#define SATURNIN_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for SATURNIN-CTR-Cascade or the + * total size of the ciphertext for SATURNIN-Short. + */ +#define SATURNIN_TAG_SIZE 32 + +/** + * \brief Size of the nonce for all SATURNIN family members. + */ +#define SATURNIN_NONCE_SIZE 16 + +/** + * \brief Size of the hash for SATURNIN-Hash. + */ +#define SATURNIN_HASH_SIZE 32 + +/** + * \brief State information for SATURNIN-Hash incremental modes. + */ +typedef union +{ + struct { + unsigned char hash[32]; /**< Current hash state */ + unsigned char block[32]; /**< Left-over block data from last update */ + unsigned char count; /**< Number of bytes in the current block */ + unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} saturnin_hash_state_t; + +/** + * \brief Meta-information block for the SATURNIN-CTR-Cascade cipher. + */ +extern aead_cipher_t const saturnin_cipher; + +/** + * \brief Meta-information block for the SATURNIN-Short cipher. + */ +extern aead_cipher_t const saturnin_short_cipher; + +/** + * \brief Meta-information block for SATURNIN-Hash. + */ +extern aead_hash_algorithm_t const saturnin_hash_algorithm; + +/** + * \brief Encrypts and authenticates a packet with SATURNIN-CTR-Cascade. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 32 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa saturnin_aead_decrypt() + */ +int saturnin_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SATURNIN-CTR-Cascade. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 32 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa saturnin_aead_encrypt() + */ +int saturnin_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SATURNIN-Short. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which is always 32. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes, which must be + * less than or equal to 15 bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes, which must be zero. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or -2 if the caller supplied too many bytes of + * plaintext or they supplied associated data. + * + * \sa saturnin_short_aead_decrypt() + */ +int saturnin_short_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SATURNIN-Short. + * + * \param m Buffer to receive the plaintext message on output. There must + * be at least 15 bytes of space in this buffer even if the caller expects + * to receive less data than that. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext to decrypt. + * \param clen Length of the input data in bytes, which must be 32. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes, which must be zero. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or -2 if the caller supplied associated data. + * + * \sa saturnin_short_aead_encrypt() + */ +int saturnin_short_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with SATURNIN to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * SATURNIN_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int saturnin_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an SATURNIN-Hash hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa saturnin_hash_update(), saturnin_hash_finalize(), saturnin_hash() + */ +void saturnin_hash_init(saturnin_hash_state_t *state); + +/** + * \brief Updates an SATURNIN-Hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa saturnin_hash_init(), saturnin_hash_finalize() + */ +void saturnin_hash_update + (saturnin_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an SATURNIN-Hash hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa saturnin_hash_init(), saturnin_hash_update() + */ +void saturnin_hash_finalize + (saturnin_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/encrypt.c new file mode 100644 index 0000000..64c6ea2 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "skinny-aead.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m5_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m5_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.c new file mode 100644 index 0000000..2bb37e9 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.c @@ -0,0 +1,803 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "skinny-aead.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const skinny_aead_m1_cipher = { + "SKINNY-AEAD-M1", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M1_NONCE_SIZE, + SKINNY_AEAD_M1_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m1_encrypt, + skinny_aead_m1_decrypt +}; + +aead_cipher_t const skinny_aead_m2_cipher = { + "SKINNY-AEAD-M2", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M2_NONCE_SIZE, + SKINNY_AEAD_M2_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m2_encrypt, + skinny_aead_m2_decrypt +}; + +aead_cipher_t const skinny_aead_m3_cipher = { + "SKINNY-AEAD-M3", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M3_NONCE_SIZE, + SKINNY_AEAD_M3_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m3_encrypt, + skinny_aead_m3_decrypt +}; + +aead_cipher_t const skinny_aead_m4_cipher = { + "SKINNY-AEAD-M4", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M4_NONCE_SIZE, + SKINNY_AEAD_M4_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m4_encrypt, + skinny_aead_m4_decrypt +}; + +aead_cipher_t const skinny_aead_m5_cipher = { + "SKINNY-AEAD-M5", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M5_NONCE_SIZE, + SKINNY_AEAD_M5_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m5_encrypt, + skinny_aead_m5_decrypt +}; + +aead_cipher_t const skinny_aead_m6_cipher = { + "SKINNY-AEAD-M6", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M6_NONCE_SIZE, + SKINNY_AEAD_M6_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m6_encrypt, + skinny_aead_m6_decrypt +}; + +/* Domain separator prefixes for all of the SKINNY-AEAD family members */ +#define DOMAIN_SEP_M1 0x00 +#define DOMAIN_SEP_M2 0x10 +#define DOMAIN_SEP_M3 0x08 +#define DOMAIN_SEP_M4 0x18 +#define DOMAIN_SEP_M5 0x10 +#define DOMAIN_SEP_M6 0x18 + +/** + * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memcpy(k, nonce, nonce_len); + memset(k + nonce_len, 0, 16 - nonce_len); + memcpy(k + 16, key, 16); + skinny_128_384_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 64-bit LFSR value. + */ +#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr)) + +/** + * \brief Updates the LFSR value for SKINNY-128-384. + * + * \param lfsr 64-bit LFSR value to be updated. + */ +#define skinny_aead_128_384_update_lfsr(lfsr) \ + do { \ + uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) | feedback; \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_384_authenticate + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + skinny_aead_128_384_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_384_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_384_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE); + return 0; +} + +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M1_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE); +} + +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE); + return 0; +} + +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M2_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE); +} + +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M3_TAG_SIZE); + return 0; +} + +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M3_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE); +} + +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE); + return 0; +} + +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M4_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE); +} + +/** + * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memset(k, 0, 16 - nonce_len); + memcpy(k + 16 - nonce_len, nonce, nonce_len); + memcpy(k + 16, key, 16); + skinny_128_256_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 24-bit LFSR value. + */ +#define skinny_aead_128_256_set_lfsr(ks,lfsr) \ + do { \ + (ks)->TK1[0] = (uint8_t)(lfsr); \ + (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \ + (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \ + } while (0) + +/** + * \brief Updates the LFSR value for SKINNY-128-256. + * + * \param lfsr 24-bit LFSR value to be updated. + */ +#define skinny_aead_128_256_update_lfsr(lfsr) \ + do { \ + uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) ^ (feedback); \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_256_authenticate + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + skinny_aead_128_256_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_256_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_256_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE); + return 0; +} + +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M5_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE); +} + +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE); + return 0; +} + +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M6_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.h new file mode 100644 index 0000000..c6b54fb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.h @@ -0,0 +1,518 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SKINNY_AEAD_H +#define LWCRYPTO_SKINNY_AEAD_H + +#include "aead-common.h" + +/** + * \file skinny-aead.h + * \brief Authenticated encryption based on the SKINNY block cipher. + * + * SKINNY-AEAD is a family of authenticated encryption algorithms + * that are built around the SKINNY tweakable block cipher. There + * are six members in the family: + * + * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The SKINNY-AEAD family also includes two hash algorithms: + * + * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the + * SKINNY-128-384 tweakable block cipher. This is the primary hashing + * member of the family. + * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the + * SKINNY-128-256 tweakable block cipher. + * + * References: https://sites.google.com/site/skinnycipher/home + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SKINNY-AEAD family members. + */ +#define SKINNY_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the SKINNY-AEAD-M1 cipher. + */ +extern aead_cipher_t const skinny_aead_m1_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M2 cipher. + */ +extern aead_cipher_t const skinny_aead_m2_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M3 cipher. + */ +extern aead_cipher_t const skinny_aead_m3_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M4 cipher. + */ +extern aead_cipher_t const skinny_aead_m4_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M5 cipher. + */ +extern aead_cipher_t const skinny_aead_m5_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M6 cipher. + */ +extern aead_cipher_t const skinny_aead_m6_cipher; + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m1_decrypt() + */ +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m1_encrypt() + */ +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m2_decrypt() + */ +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m2_encrypt() + */ +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m3_decrypt() + */ +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m3_encrypt() + */ +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m4_decrypt() + */ +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m4_encrypt() + */ +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m5_decrypt() + */ +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m5_encrypt() + */ +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m6_decrypt() + */ +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m6_encrypt() + */ +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/api.h new file mode 100644 index 0000000..32c9622 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/encrypt.c new file mode 100644 index 0000000..d304a40 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "skinny-aead.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m6_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m6_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.c new file mode 100644 index 0000000..2bb37e9 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.c @@ -0,0 +1,803 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "skinny-aead.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const skinny_aead_m1_cipher = { + "SKINNY-AEAD-M1", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M1_NONCE_SIZE, + SKINNY_AEAD_M1_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m1_encrypt, + skinny_aead_m1_decrypt +}; + +aead_cipher_t const skinny_aead_m2_cipher = { + "SKINNY-AEAD-M2", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M2_NONCE_SIZE, + SKINNY_AEAD_M2_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m2_encrypt, + skinny_aead_m2_decrypt +}; + +aead_cipher_t const skinny_aead_m3_cipher = { + "SKINNY-AEAD-M3", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M3_NONCE_SIZE, + SKINNY_AEAD_M3_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m3_encrypt, + skinny_aead_m3_decrypt +}; + +aead_cipher_t const skinny_aead_m4_cipher = { + "SKINNY-AEAD-M4", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M4_NONCE_SIZE, + SKINNY_AEAD_M4_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m4_encrypt, + skinny_aead_m4_decrypt +}; + +aead_cipher_t const skinny_aead_m5_cipher = { + "SKINNY-AEAD-M5", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M5_NONCE_SIZE, + SKINNY_AEAD_M5_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m5_encrypt, + skinny_aead_m5_decrypt +}; + +aead_cipher_t const skinny_aead_m6_cipher = { + "SKINNY-AEAD-M6", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M6_NONCE_SIZE, + SKINNY_AEAD_M6_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m6_encrypt, + skinny_aead_m6_decrypt +}; + +/* Domain separator prefixes for all of the SKINNY-AEAD family members */ +#define DOMAIN_SEP_M1 0x00 +#define DOMAIN_SEP_M2 0x10 +#define DOMAIN_SEP_M3 0x08 +#define DOMAIN_SEP_M4 0x18 +#define DOMAIN_SEP_M5 0x10 +#define DOMAIN_SEP_M6 0x18 + +/** + * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memcpy(k, nonce, nonce_len); + memset(k + nonce_len, 0, 16 - nonce_len); + memcpy(k + 16, key, 16); + skinny_128_384_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 64-bit LFSR value. + */ +#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr)) + +/** + * \brief Updates the LFSR value for SKINNY-128-384. + * + * \param lfsr 64-bit LFSR value to be updated. + */ +#define skinny_aead_128_384_update_lfsr(lfsr) \ + do { \ + uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) | feedback; \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_384_authenticate + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + skinny_aead_128_384_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_384_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_384_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE); + return 0; +} + +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M1_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE); +} + +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE); + return 0; +} + +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M2_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE); +} + +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M3_TAG_SIZE); + return 0; +} + +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M3_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE); +} + +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE); + return 0; +} + +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M4_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE); +} + +/** + * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memset(k, 0, 16 - nonce_len); + memcpy(k + 16 - nonce_len, nonce, nonce_len); + memcpy(k + 16, key, 16); + skinny_128_256_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 24-bit LFSR value. + */ +#define skinny_aead_128_256_set_lfsr(ks,lfsr) \ + do { \ + (ks)->TK1[0] = (uint8_t)(lfsr); \ + (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \ + (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \ + } while (0) + +/** + * \brief Updates the LFSR value for SKINNY-128-256. + * + * \param lfsr 24-bit LFSR value to be updated. + */ +#define skinny_aead_128_256_update_lfsr(lfsr) \ + do { \ + uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) ^ (feedback); \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_256_authenticate + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + skinny_aead_128_256_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_256_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_256_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE); + return 0; +} + +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M5_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE); +} + +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE); + return 0; +} + +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M6_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.h new file mode 100644 index 0000000..c6b54fb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.h @@ -0,0 +1,518 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SKINNY_AEAD_H +#define LWCRYPTO_SKINNY_AEAD_H + +#include "aead-common.h" + +/** + * \file skinny-aead.h + * \brief Authenticated encryption based on the SKINNY block cipher. + * + * SKINNY-AEAD is a family of authenticated encryption algorithms + * that are built around the SKINNY tweakable block cipher. There + * are six members in the family: + * + * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The SKINNY-AEAD family also includes two hash algorithms: + * + * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the + * SKINNY-128-384 tweakable block cipher. This is the primary hashing + * member of the family. + * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the + * SKINNY-128-256 tweakable block cipher. + * + * References: https://sites.google.com/site/skinnycipher/home + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SKINNY-AEAD family members. + */ +#define SKINNY_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the SKINNY-AEAD-M1 cipher. + */ +extern aead_cipher_t const skinny_aead_m1_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M2 cipher. + */ +extern aead_cipher_t const skinny_aead_m2_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M3 cipher. + */ +extern aead_cipher_t const skinny_aead_m3_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M4 cipher. + */ +extern aead_cipher_t const skinny_aead_m4_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M5 cipher. + */ +extern aead_cipher_t const skinny_aead_m5_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M6 cipher. + */ +extern aead_cipher_t const skinny_aead_m6_cipher; + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m1_decrypt() + */ +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m1_encrypt() + */ +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m2_decrypt() + */ +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m2_encrypt() + */ +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m3_decrypt() + */ +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m3_encrypt() + */ +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m4_decrypt() + */ +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m4_encrypt() + */ +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m5_decrypt() + */ +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m5_encrypt() + */ +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m6_decrypt() + */ +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m6_encrypt() + */ +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/encrypt.c new file mode 100644 index 0000000..00e9d2e --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "skinny-aead.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m1_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m1_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.c new file mode 100644 index 0000000..2bb37e9 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.c @@ -0,0 +1,803 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "skinny-aead.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const skinny_aead_m1_cipher = { + "SKINNY-AEAD-M1", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M1_NONCE_SIZE, + SKINNY_AEAD_M1_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m1_encrypt, + skinny_aead_m1_decrypt +}; + +aead_cipher_t const skinny_aead_m2_cipher = { + "SKINNY-AEAD-M2", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M2_NONCE_SIZE, + SKINNY_AEAD_M2_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m2_encrypt, + skinny_aead_m2_decrypt +}; + +aead_cipher_t const skinny_aead_m3_cipher = { + "SKINNY-AEAD-M3", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M3_NONCE_SIZE, + SKINNY_AEAD_M3_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m3_encrypt, + skinny_aead_m3_decrypt +}; + +aead_cipher_t const skinny_aead_m4_cipher = { + "SKINNY-AEAD-M4", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M4_NONCE_SIZE, + SKINNY_AEAD_M4_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m4_encrypt, + skinny_aead_m4_decrypt +}; + +aead_cipher_t const skinny_aead_m5_cipher = { + "SKINNY-AEAD-M5", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M5_NONCE_SIZE, + SKINNY_AEAD_M5_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m5_encrypt, + skinny_aead_m5_decrypt +}; + +aead_cipher_t const skinny_aead_m6_cipher = { + "SKINNY-AEAD-M6", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M6_NONCE_SIZE, + SKINNY_AEAD_M6_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m6_encrypt, + skinny_aead_m6_decrypt +}; + +/* Domain separator prefixes for all of the SKINNY-AEAD family members */ +#define DOMAIN_SEP_M1 0x00 +#define DOMAIN_SEP_M2 0x10 +#define DOMAIN_SEP_M3 0x08 +#define DOMAIN_SEP_M4 0x18 +#define DOMAIN_SEP_M5 0x10 +#define DOMAIN_SEP_M6 0x18 + +/** + * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memcpy(k, nonce, nonce_len); + memset(k + nonce_len, 0, 16 - nonce_len); + memcpy(k + 16, key, 16); + skinny_128_384_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 64-bit LFSR value. + */ +#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr)) + +/** + * \brief Updates the LFSR value for SKINNY-128-384. + * + * \param lfsr 64-bit LFSR value to be updated. + */ +#define skinny_aead_128_384_update_lfsr(lfsr) \ + do { \ + uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) | feedback; \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_384_authenticate + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + skinny_aead_128_384_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_384_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_384_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE); + return 0; +} + +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M1_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE); +} + +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE); + return 0; +} + +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M2_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE); +} + +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M3_TAG_SIZE); + return 0; +} + +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M3_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE); +} + +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE); + return 0; +} + +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M4_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE); +} + +/** + * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memset(k, 0, 16 - nonce_len); + memcpy(k + 16 - nonce_len, nonce, nonce_len); + memcpy(k + 16, key, 16); + skinny_128_256_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 24-bit LFSR value. + */ +#define skinny_aead_128_256_set_lfsr(ks,lfsr) \ + do { \ + (ks)->TK1[0] = (uint8_t)(lfsr); \ + (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \ + (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \ + } while (0) + +/** + * \brief Updates the LFSR value for SKINNY-128-256. + * + * \param lfsr 24-bit LFSR value to be updated. + */ +#define skinny_aead_128_256_update_lfsr(lfsr) \ + do { \ + uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) ^ (feedback); \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_256_authenticate + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + skinny_aead_128_256_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_256_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_256_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE); + return 0; +} + +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M5_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE); +} + +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE); + return 0; +} + +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M6_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.h new file mode 100644 index 0000000..c6b54fb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.h @@ -0,0 +1,518 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SKINNY_AEAD_H +#define LWCRYPTO_SKINNY_AEAD_H + +#include "aead-common.h" + +/** + * \file skinny-aead.h + * \brief Authenticated encryption based on the SKINNY block cipher. + * + * SKINNY-AEAD is a family of authenticated encryption algorithms + * that are built around the SKINNY tweakable block cipher. There + * are six members in the family: + * + * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The SKINNY-AEAD family also includes two hash algorithms: + * + * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the + * SKINNY-128-384 tweakable block cipher. This is the primary hashing + * member of the family. + * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the + * SKINNY-128-256 tweakable block cipher. + * + * References: https://sites.google.com/site/skinnycipher/home + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SKINNY-AEAD family members. + */ +#define SKINNY_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the SKINNY-AEAD-M1 cipher. + */ +extern aead_cipher_t const skinny_aead_m1_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M2 cipher. + */ +extern aead_cipher_t const skinny_aead_m2_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M3 cipher. + */ +extern aead_cipher_t const skinny_aead_m3_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M4 cipher. + */ +extern aead_cipher_t const skinny_aead_m4_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M5 cipher. + */ +extern aead_cipher_t const skinny_aead_m5_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M6 cipher. + */ +extern aead_cipher_t const skinny_aead_m6_cipher; + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m1_decrypt() + */ +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m1_encrypt() + */ +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m2_decrypt() + */ +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m2_encrypt() + */ +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m3_decrypt() + */ +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m3_encrypt() + */ +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m4_decrypt() + */ +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m4_encrypt() + */ +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m5_decrypt() + */ +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m5_encrypt() + */ +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m6_decrypt() + */ +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m6_encrypt() + */ +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/api.h new file mode 100644 index 0000000..4bf8f5c --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/encrypt.c new file mode 100644 index 0000000..db41b19 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "skinny-aead.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m3_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m3_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.c new file mode 100644 index 0000000..2bb37e9 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.c @@ -0,0 +1,803 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "skinny-aead.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const skinny_aead_m1_cipher = { + "SKINNY-AEAD-M1", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M1_NONCE_SIZE, + SKINNY_AEAD_M1_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m1_encrypt, + skinny_aead_m1_decrypt +}; + +aead_cipher_t const skinny_aead_m2_cipher = { + "SKINNY-AEAD-M2", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M2_NONCE_SIZE, + SKINNY_AEAD_M2_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m2_encrypt, + skinny_aead_m2_decrypt +}; + +aead_cipher_t const skinny_aead_m3_cipher = { + "SKINNY-AEAD-M3", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M3_NONCE_SIZE, + SKINNY_AEAD_M3_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m3_encrypt, + skinny_aead_m3_decrypt +}; + +aead_cipher_t const skinny_aead_m4_cipher = { + "SKINNY-AEAD-M4", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M4_NONCE_SIZE, + SKINNY_AEAD_M4_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m4_encrypt, + skinny_aead_m4_decrypt +}; + +aead_cipher_t const skinny_aead_m5_cipher = { + "SKINNY-AEAD-M5", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M5_NONCE_SIZE, + SKINNY_AEAD_M5_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m5_encrypt, + skinny_aead_m5_decrypt +}; + +aead_cipher_t const skinny_aead_m6_cipher = { + "SKINNY-AEAD-M6", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M6_NONCE_SIZE, + SKINNY_AEAD_M6_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m6_encrypt, + skinny_aead_m6_decrypt +}; + +/* Domain separator prefixes for all of the SKINNY-AEAD family members */ +#define DOMAIN_SEP_M1 0x00 +#define DOMAIN_SEP_M2 0x10 +#define DOMAIN_SEP_M3 0x08 +#define DOMAIN_SEP_M4 0x18 +#define DOMAIN_SEP_M5 0x10 +#define DOMAIN_SEP_M6 0x18 + +/** + * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memcpy(k, nonce, nonce_len); + memset(k + nonce_len, 0, 16 - nonce_len); + memcpy(k + 16, key, 16); + skinny_128_384_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 64-bit LFSR value. + */ +#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr)) + +/** + * \brief Updates the LFSR value for SKINNY-128-384. + * + * \param lfsr 64-bit LFSR value to be updated. + */ +#define skinny_aead_128_384_update_lfsr(lfsr) \ + do { \ + uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) | feedback; \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_384_authenticate + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + skinny_aead_128_384_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_384_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_384_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE); + return 0; +} + +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M1_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE); +} + +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE); + return 0; +} + +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M2_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE); +} + +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M3_TAG_SIZE); + return 0; +} + +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M3_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE); +} + +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE); + return 0; +} + +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M4_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE); +} + +/** + * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memset(k, 0, 16 - nonce_len); + memcpy(k + 16 - nonce_len, nonce, nonce_len); + memcpy(k + 16, key, 16); + skinny_128_256_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 24-bit LFSR value. + */ +#define skinny_aead_128_256_set_lfsr(ks,lfsr) \ + do { \ + (ks)->TK1[0] = (uint8_t)(lfsr); \ + (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \ + (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \ + } while (0) + +/** + * \brief Updates the LFSR value for SKINNY-128-256. + * + * \param lfsr 24-bit LFSR value to be updated. + */ +#define skinny_aead_128_256_update_lfsr(lfsr) \ + do { \ + uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) ^ (feedback); \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_256_authenticate + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + skinny_aead_128_256_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_256_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_256_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE); + return 0; +} + +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M5_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE); +} + +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE); + return 0; +} + +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M6_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.h new file mode 100644 index 0000000..c6b54fb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.h @@ -0,0 +1,518 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SKINNY_AEAD_H +#define LWCRYPTO_SKINNY_AEAD_H + +#include "aead-common.h" + +/** + * \file skinny-aead.h + * \brief Authenticated encryption based on the SKINNY block cipher. + * + * SKINNY-AEAD is a family of authenticated encryption algorithms + * that are built around the SKINNY tweakable block cipher. There + * are six members in the family: + * + * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The SKINNY-AEAD family also includes two hash algorithms: + * + * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the + * SKINNY-128-384 tweakable block cipher. This is the primary hashing + * member of the family. + * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the + * SKINNY-128-256 tweakable block cipher. + * + * References: https://sites.google.com/site/skinnycipher/home + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SKINNY-AEAD family members. + */ +#define SKINNY_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the SKINNY-AEAD-M1 cipher. + */ +extern aead_cipher_t const skinny_aead_m1_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M2 cipher. + */ +extern aead_cipher_t const skinny_aead_m2_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M3 cipher. + */ +extern aead_cipher_t const skinny_aead_m3_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M4 cipher. + */ +extern aead_cipher_t const skinny_aead_m4_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M5 cipher. + */ +extern aead_cipher_t const skinny_aead_m5_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M6 cipher. + */ +extern aead_cipher_t const skinny_aead_m6_cipher; + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m1_decrypt() + */ +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m1_encrypt() + */ +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m2_decrypt() + */ +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m2_encrypt() + */ +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m3_decrypt() + */ +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m3_encrypt() + */ +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m4_decrypt() + */ +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m4_encrypt() + */ +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m5_decrypt() + */ +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m5_encrypt() + */ +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m6_decrypt() + */ +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m6_encrypt() + */ +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/encrypt.c new file mode 100644 index 0000000..92605fe --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "skinny-aead.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m2_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m2_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.c new file mode 100644 index 0000000..2bb37e9 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.c @@ -0,0 +1,803 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "skinny-aead.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const skinny_aead_m1_cipher = { + "SKINNY-AEAD-M1", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M1_NONCE_SIZE, + SKINNY_AEAD_M1_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m1_encrypt, + skinny_aead_m1_decrypt +}; + +aead_cipher_t const skinny_aead_m2_cipher = { + "SKINNY-AEAD-M2", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M2_NONCE_SIZE, + SKINNY_AEAD_M2_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m2_encrypt, + skinny_aead_m2_decrypt +}; + +aead_cipher_t const skinny_aead_m3_cipher = { + "SKINNY-AEAD-M3", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M3_NONCE_SIZE, + SKINNY_AEAD_M3_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m3_encrypt, + skinny_aead_m3_decrypt +}; + +aead_cipher_t const skinny_aead_m4_cipher = { + "SKINNY-AEAD-M4", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M4_NONCE_SIZE, + SKINNY_AEAD_M4_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m4_encrypt, + skinny_aead_m4_decrypt +}; + +aead_cipher_t const skinny_aead_m5_cipher = { + "SKINNY-AEAD-M5", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M5_NONCE_SIZE, + SKINNY_AEAD_M5_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m5_encrypt, + skinny_aead_m5_decrypt +}; + +aead_cipher_t const skinny_aead_m6_cipher = { + "SKINNY-AEAD-M6", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M6_NONCE_SIZE, + SKINNY_AEAD_M6_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m6_encrypt, + skinny_aead_m6_decrypt +}; + +/* Domain separator prefixes for all of the SKINNY-AEAD family members */ +#define DOMAIN_SEP_M1 0x00 +#define DOMAIN_SEP_M2 0x10 +#define DOMAIN_SEP_M3 0x08 +#define DOMAIN_SEP_M4 0x18 +#define DOMAIN_SEP_M5 0x10 +#define DOMAIN_SEP_M6 0x18 + +/** + * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memcpy(k, nonce, nonce_len); + memset(k + nonce_len, 0, 16 - nonce_len); + memcpy(k + 16, key, 16); + skinny_128_384_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 64-bit LFSR value. + */ +#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr)) + +/** + * \brief Updates the LFSR value for SKINNY-128-384. + * + * \param lfsr 64-bit LFSR value to be updated. + */ +#define skinny_aead_128_384_update_lfsr(lfsr) \ + do { \ + uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) | feedback; \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_384_authenticate + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + skinny_aead_128_384_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_384_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_384_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE); + return 0; +} + +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M1_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE); +} + +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE); + return 0; +} + +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M2_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE); +} + +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M3_TAG_SIZE); + return 0; +} + +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M3_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE); +} + +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE); + return 0; +} + +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M4_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE); +} + +/** + * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memset(k, 0, 16 - nonce_len); + memcpy(k + 16 - nonce_len, nonce, nonce_len); + memcpy(k + 16, key, 16); + skinny_128_256_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 24-bit LFSR value. + */ +#define skinny_aead_128_256_set_lfsr(ks,lfsr) \ + do { \ + (ks)->TK1[0] = (uint8_t)(lfsr); \ + (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \ + (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \ + } while (0) + +/** + * \brief Updates the LFSR value for SKINNY-128-256. + * + * \param lfsr 24-bit LFSR value to be updated. + */ +#define skinny_aead_128_256_update_lfsr(lfsr) \ + do { \ + uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) ^ (feedback); \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_256_authenticate + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + skinny_aead_128_256_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_256_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_256_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE); + return 0; +} + +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M5_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE); +} + +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE); + return 0; +} + +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M6_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.h new file mode 100644 index 0000000..c6b54fb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.h @@ -0,0 +1,518 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SKINNY_AEAD_H +#define LWCRYPTO_SKINNY_AEAD_H + +#include "aead-common.h" + +/** + * \file skinny-aead.h + * \brief Authenticated encryption based on the SKINNY block cipher. + * + * SKINNY-AEAD is a family of authenticated encryption algorithms + * that are built around the SKINNY tweakable block cipher. There + * are six members in the family: + * + * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The SKINNY-AEAD family also includes two hash algorithms: + * + * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the + * SKINNY-128-384 tweakable block cipher. This is the primary hashing + * member of the family. + * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the + * SKINNY-128-256 tweakable block cipher. + * + * References: https://sites.google.com/site/skinnycipher/home + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SKINNY-AEAD family members. + */ +#define SKINNY_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the SKINNY-AEAD-M1 cipher. + */ +extern aead_cipher_t const skinny_aead_m1_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M2 cipher. + */ +extern aead_cipher_t const skinny_aead_m2_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M3 cipher. + */ +extern aead_cipher_t const skinny_aead_m3_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M4 cipher. + */ +extern aead_cipher_t const skinny_aead_m4_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M5 cipher. + */ +extern aead_cipher_t const skinny_aead_m5_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M6 cipher. + */ +extern aead_cipher_t const skinny_aead_m6_cipher; + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m1_decrypt() + */ +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m1_encrypt() + */ +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m2_decrypt() + */ +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m2_encrypt() + */ +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m3_decrypt() + */ +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m3_encrypt() + */ +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m4_decrypt() + */ +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m4_encrypt() + */ +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m5_decrypt() + */ +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m5_encrypt() + */ +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m6_decrypt() + */ +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m6_encrypt() + */ +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/api.h new file mode 100644 index 0000000..32c9622 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/encrypt.c new file mode 100644 index 0000000..0623826 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "skinny-aead.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m4_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return skinny_aead_m4_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.c new file mode 100644 index 0000000..65ba4ed --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.c @@ -0,0 +1,811 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. + * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 32 && key_len != 48)) + return 0; + + /* Set the initial states of TK1, TK2, and TK3 */ + if (key_len == 32) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + TK3[0] = le_load_word32(key + 16); + TK3[1] = le_load_word32(key + 20); + TK3[2] = le_load_word32(key + 24); + TK3[3] = le_load_word32(key + 28); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + } + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + return 1; +} + +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || (key_len != 16 && key_len != 32)) + return 0; + + /* Set the initial states of TK1 and TK2 */ + if (key_len == 16) { + memset(ks->TK1, 0, sizeof(ks->TK1)); + TK2[0] = le_load_word32(key); + TK2[1] = le_load_word32(key + 4); + TK2[2] = le_load_word32(key + 8); + TK2[3] = le_load_word32(key + 12); + } else { + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + } + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + return 1; +} + +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len) +{ + /* Validate the parameters */ + if (!ks || !tweak || tweak_len != 16) + return 0; + + /* Set TK1 directly from the tweak value */ + memcpy(ks->TK1, tweak, 16); + return 1; +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len) +{ + uint32_t TK1[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; + + /* Validate the parameters */ + if (!ks || !key || key_len != 16) + return 0; + + /* Set the initial state of TK1 */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + + /* Set up the key schedule using TK1 */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. + * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK1[0] ^ (rc & 0x0F); + schedule[1] = TK1[1] ^ (rc >> 4); + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); + } + return 1; +} + +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule = ks->k; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + const uint32_t *schedule; + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all decryption rounds */ + schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); + for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ + s0 ^= schedule[0]; + s1 ^= schedule[1]; + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.h new file mode 100644 index 0000000..76b34f5 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.h @@ -0,0 +1,315 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. + */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 32 or 48, + * where 32 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_384_set_tweak + (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + */ +void skinny_128_384_encrypt_tk2 + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + + /** Words of the key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16 or 32, + * where 16 is used for the tweakable variant. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to modify. + * \param tweak Points to the tweak data. + * \param tweak_len Length of the tweak data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_256_set_tweak + (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, + size_t tweak_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-128. + */ +#define SKINNY_128_128_ROUNDS 40 + +/** + * \brief Structure of the key schedule for SKINNY-128-128. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[SKINNY_128_128_ROUNDS * 2]; + +} skinny_128_128_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-128. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int skinny_128_128_init + (skinny_128_128_key_schedule_t *ks, const unsigned char *key, + size_t key_len); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_encrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-128. + * + * \param ks Points to the SKINNY-128-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_128_decrypt + (const skinny_128_128_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinnyutil.h new file mode 100644 index 0000000..83136cb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinnyutil.h @@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. + * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.c new file mode 100644 index 0000000..2bb37e9 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.c @@ -0,0 +1,803 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "skinny-aead.h" +#include "internal-skinny128.h" +#include "internal-util.h" +#include + +aead_cipher_t const skinny_aead_m1_cipher = { + "SKINNY-AEAD-M1", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M1_NONCE_SIZE, + SKINNY_AEAD_M1_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m1_encrypt, + skinny_aead_m1_decrypt +}; + +aead_cipher_t const skinny_aead_m2_cipher = { + "SKINNY-AEAD-M2", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M2_NONCE_SIZE, + SKINNY_AEAD_M2_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m2_encrypt, + skinny_aead_m2_decrypt +}; + +aead_cipher_t const skinny_aead_m3_cipher = { + "SKINNY-AEAD-M3", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M3_NONCE_SIZE, + SKINNY_AEAD_M3_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m3_encrypt, + skinny_aead_m3_decrypt +}; + +aead_cipher_t const skinny_aead_m4_cipher = { + "SKINNY-AEAD-M4", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M4_NONCE_SIZE, + SKINNY_AEAD_M4_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m4_encrypt, + skinny_aead_m4_decrypt +}; + +aead_cipher_t const skinny_aead_m5_cipher = { + "SKINNY-AEAD-M5", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M5_NONCE_SIZE, + SKINNY_AEAD_M5_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m5_encrypt, + skinny_aead_m5_decrypt +}; + +aead_cipher_t const skinny_aead_m6_cipher = { + "SKINNY-AEAD-M6", + SKINNY_AEAD_KEY_SIZE, + SKINNY_AEAD_M6_NONCE_SIZE, + SKINNY_AEAD_M6_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + skinny_aead_m6_encrypt, + skinny_aead_m6_decrypt +}; + +/* Domain separator prefixes for all of the SKINNY-AEAD family members */ +#define DOMAIN_SEP_M1 0x00 +#define DOMAIN_SEP_M2 0x10 +#define DOMAIN_SEP_M3 0x08 +#define DOMAIN_SEP_M4 0x18 +#define DOMAIN_SEP_M5 0x10 +#define DOMAIN_SEP_M6 0x18 + +/** + * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memcpy(k, nonce, nonce_len); + memset(k + nonce_len, 0, 16 - nonce_len); + memcpy(k + 16, key, 16); + skinny_128_384_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-384. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 64-bit LFSR value. + */ +#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr)) + +/** + * \brief Updates the LFSR value for SKINNY-128-384. + * + * \param lfsr 64-bit LFSR value to be updated. + */ +#define skinny_aead_128_384_update_lfsr(lfsr) \ + do { \ + uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) | feedback; \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_384_authenticate + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + skinny_aead_128_384_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_384_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_384_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint64_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_384_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_128_384_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_384_update_lfsr(lfsr); + } + skinny_aead_128_384_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_384_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_384_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_384_update_lfsr(lfsr); + skinny_aead_128_384_set_lfsr(ks, lfsr); + skinny_aead_128_384_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_384_set_domain(ks, prefix | 4); + } + skinny_128_384_encrypt(ks, sum, sum); +} + +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE); + return 0; +} + +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M1_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE); +} + +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE); + return 0; +} + +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M2_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE); +} + +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M3_TAG_SIZE); + return 0; +} + +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M3_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE); +} + +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE); + return 0; +} + +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_384_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M4_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE); +} + +/** + * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes. + * + * \param ks The key schedule to initialize. + * \param key Points to the 16 bytes of the key. + * \param nonce Points to the nonce. + * \param nonce_len Length of the nonce in bytes. + */ +static void skinny_aead_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char *key, + const unsigned char *nonce, unsigned nonce_len) +{ + unsigned char k[32]; + memset(k, 0, 16 - nonce_len); + memcpy(k + 16 - nonce_len, nonce, nonce_len); + memcpy(k + 16, key, 16); + skinny_128_256_init(ks, k, 32); +} + +/** + * \brief Set the domain separation value in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param d Domain separation value to write into the tweak. + */ +#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d)) + +/** + * \brief Sets the LFSR field in the tweak for SKINNY-128-256. + * + * \param ks Key schedule for the block cipher. + * \param lfsr 24-bit LFSR value. + */ +#define skinny_aead_128_256_set_lfsr(ks,lfsr) \ + do { \ + (ks)->TK1[0] = (uint8_t)(lfsr); \ + (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \ + (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \ + } while (0) + +/** + * \brief Updates the LFSR value for SKINNY-128-256. + * + * \param lfsr 24-bit LFSR value to be updated. + */ +#define skinny_aead_128_256_update_lfsr(lfsr) \ + do { \ + uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \ + (lfsr) = ((lfsr) << 1) ^ (feedback); \ + } while (0) + +/** + * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param tag Final tag to XOR the authentication checksum into. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void skinny_aead_128_256_authenticate + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char tag[SKINNY_128_BLOCK_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + skinny_aead_128_256_set_domain(ks, prefix | 2); + while (adlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_encrypt(ks, block, ad); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + ad += SKINNY_128_BLOCK_SIZE; + adlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 3); + memcpy(block, ad, temp); + block[temp] = 0x80; + memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); + } +} + +/** + * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the plaintext buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void skinny_aead_128_256_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, c, m); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(c, block, m, temp); + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +/** + * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD. + * + * \param ks The key schedule to use. + * \param prefix Domain separation prefix for the family member. + * \param sum Authenticated checksum over the plaintext. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the ciphertext buffer. + * \param mlen Number of bytes of ciphertext to be decrypted. + */ +static void skinny_aead_128_256_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char prefix, + unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + unsigned char block[SKINNY_128_BLOCK_SIZE]; + uint32_t lfsr = 1; + memset(sum, 0, SKINNY_128_BLOCK_SIZE); + skinny_aead_128_256_set_domain(ks, prefix | 0); + while (mlen >= SKINNY_128_BLOCK_SIZE) { + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_128_256_decrypt(ks, m, c); + lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); + c += SKINNY_128_BLOCK_SIZE; + m += SKINNY_128_BLOCK_SIZE; + mlen -= SKINNY_128_BLOCK_SIZE; + skinny_aead_128_256_update_lfsr(lfsr); + } + skinny_aead_128_256_set_lfsr(ks, lfsr); + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + skinny_aead_128_256_set_domain(ks, prefix | 1); + memset(block, 0, SKINNY_128_BLOCK_SIZE); + skinny_128_256_encrypt(ks, block, block); + lw_xor_block_2_src(m, block, c, temp); + lw_xor_block(sum, m, temp); + sum[temp] ^= 0x80; + skinny_aead_128_256_update_lfsr(lfsr); + skinny_aead_128_256_set_lfsr(ks, lfsr); + skinny_aead_128_256_set_domain(ks, prefix | 5); + } else { + skinny_aead_128_256_set_domain(ks, prefix | 4); + } + skinny_128_256_encrypt(ks, sum, sum); +} + +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE); + return 0; +} + +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M5_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE); +} + +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Encrypt to plaintext to produce the ciphertext */ + skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Generate the authentication tag */ + memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE); + return 0; +} + +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + skinny_128_256_key_schedule_t ks; + unsigned char sum[SKINNY_128_BLOCK_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SKINNY_AEAD_M6_TAG_SIZE) + return -1; + *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE; + + /* Set up the key schedule with the key and the nonce */ + skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); + + /* Decrypt to ciphertext to produce the plaintext */ + skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen); + + /* Process the associated data */ + skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE); +} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.h new file mode 100644 index 0000000..c6b54fb --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.h @@ -0,0 +1,518 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SKINNY_AEAD_H +#define LWCRYPTO_SKINNY_AEAD_H + +#include "aead-common.h" + +/** + * \file skinny-aead.h + * \brief Authenticated encryption based on the SKINNY block cipher. + * + * SKINNY-AEAD is a family of authenticated encryption algorithms + * that are built around the SKINNY tweakable block cipher. There + * are six members in the family: + * + * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. This is the + * primary member of the family. + * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-384 tweakable block cipher. + * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag, + * based around the SKINNY-128-256 tweakable block cipher. + * + * The SKINNY-AEAD family also includes two hash algorithms: + * + * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the + * SKINNY-128-384 tweakable block cipher. This is the primary hashing + * member of the family. + * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the + * SKINNY-128-256 tweakable block cipher. + * + * References: https://sites.google.com/site/skinnycipher/home + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SKINNY-AEAD family members. + */ +#define SKINNY_AEAD_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M1. + */ +#define SKINNY_AEAD_M1_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M2. + */ +#define SKINNY_AEAD_M2_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M3. + */ +#define SKINNY_AEAD_M3_NONCE_SIZE 16 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M4. + */ +#define SKINNY_AEAD_M4_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M5. + */ +#define SKINNY_AEAD_M5_NONCE_SIZE 12 + +/** + * \brief Size of the authentication tag for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_TAG_SIZE 8 + +/** + * \brief Size of the nonce for SKINNY-AEAD-M6. + */ +#define SKINNY_AEAD_M6_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the SKINNY-AEAD-M1 cipher. + */ +extern aead_cipher_t const skinny_aead_m1_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M2 cipher. + */ +extern aead_cipher_t const skinny_aead_m2_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M3 cipher. + */ +extern aead_cipher_t const skinny_aead_m3_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M4 cipher. + */ +extern aead_cipher_t const skinny_aead_m4_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M5 cipher. + */ +extern aead_cipher_t const skinny_aead_m5_cipher; + +/** + * \brief Meta-information block for the SKINNY-AEAD-M6 cipher. + */ +extern aead_cipher_t const skinny_aead_m6_cipher; + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m1_decrypt() + */ +int skinny_aead_m1_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m1_encrypt() + */ +int skinny_aead_m1_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m2_decrypt() + */ +int skinny_aead_m2_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m2_encrypt() + */ +int skinny_aead_m2_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m3_decrypt() + */ +int skinny_aead_m3_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m3_encrypt() + */ +int skinny_aead_m3_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m4_decrypt() + */ +int skinny_aead_m4_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m4_encrypt() + */ +int skinny_aead_m4_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m5_decrypt() + */ +int skinny_aead_m5_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m5_encrypt() + */ +int skinny_aead_m5_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa skinny_aead_m6_decrypt() + */ +int skinny_aead_m6_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa skinny_aead_m6_encrypt() + */ +int skinny_aead_m6_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/api.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/encrypt.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/encrypt.c new file mode 100644 index 0000000..a56e57a --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "sparkle.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return schwaemm_128_128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return schwaemm_128_128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.c new file mode 100644 index 0000000..822af50 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.c @@ -0,0 +1,366 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-sparkle.h" + +/* The 8 basic round constants from the specification */ +#define RC_0 0xB7E15162 +#define RC_1 0xBF715880 +#define RC_2 0x38B4DA56 +#define RC_3 0x324E7738 +#define RC_4 0xBB1185EB +#define RC_5 0x4F7C7B57 +#define RC_6 0xCFBFA1C8 +#define RC_7 0xC2B3293D + +/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */ +static uint32_t const sparkle_rc[12] = { + RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7, + RC_0, RC_1, RC_2, RC_3 +}; + +/** + * \brief Alzette block cipher that implements the ARXbox layer of the + * SPARKLE permutation. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + * \param k 32-bit round key. + */ +#define alzette(x, y, k) \ + do { \ + (x) += leftRotate1((y)); \ + (y) ^= leftRotate8((x)); \ + (x) ^= (k); \ + (x) += leftRotate15((y)); \ + (y) ^= leftRotate15((x)); \ + (x) ^= (k); \ + (x) += (y); \ + (y) ^= leftRotate1((x)); \ + (x) ^= (k); \ + (x) += leftRotate8((y)); \ + (y) ^= leftRotate16((x)); \ + (x) ^= (k); \ + } while (0) + +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3; + uint32_t y0, y1, y2, y3; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-256 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + + /* Linear layer */ + tx = x0 ^ x1; + ty = y0 ^ y1; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x3 ^ x1 ^ ty; + x3 = x1; + y0 = y3 ^ y1 ^ tx; + y3 = y1; + x1 = x2 ^ tw ^ ty; + x2 = tw; + y1 = y2 ^ tz ^ tx; + y2 = tz; + } + + /* Write the local variables back to the SPARKLE-256 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); +#endif +} + +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5; + uint32_t y0, y1, y2, y3, y4, y5; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-384 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2; + ty = y0 ^ y1 ^ y2; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x4 ^ x1 ^ ty; + x4 = x1; + y0 = y4 ^ y1 ^ tx; + y4 = y1; + x1 = x5 ^ x2 ^ ty; + x5 = x2; + y1 = y5 ^ y2 ^ tx; + y5 = y2; + x2 = x3 ^ tw ^ ty; + x3 = tw; + y2 = y3 ^ tz ^ tx; + y3 = tz; + } + + /* Write the local variables back to the SPARKLE-384 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); +#endif +} + +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t y0, y1, y2, y3, y4, y5, y6, y7; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-512 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; + x6 = s[12]; + y6 = s[13]; + x7 = s[14]; + y7 = s[15]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); + x6 = le_load_word32((const uint8_t *)&(s[12])); + y6 = le_load_word32((const uint8_t *)&(s[13])); + x7 = le_load_word32((const uint8_t *)&(s[14])); + y7 = le_load_word32((const uint8_t *)&(s[15])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + alzette(x6, y6, RC_6); + alzette(x7, y7, RC_7); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2 ^ x3; + ty = y0 ^ y1 ^ y2 ^ y3; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x5 ^ x1 ^ ty; + x5 = x1; + y0 = y5 ^ y1 ^ tx; + y5 = y1; + x1 = x6 ^ x2 ^ ty; + x6 = x2; + y1 = y6 ^ y2 ^ tx; + y6 = y2; + x2 = x7 ^ x3 ^ ty; + x7 = x3; + y2 = y7 ^ y3 ^ tx; + y7 = y3; + x3 = x4 ^ tw ^ ty; + x4 = tw; + y3 = y4 ^ tz ^ tx; + y4 = tz; + } + + /* Write the local variables back to the SPARKLE-512 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; + s[12] = x6; + s[13] = y6; + s[14] = x7; + s[15] = y7; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); + le_store_word32((uint8_t *)&(s[12]), x6); + le_store_word32((uint8_t *)&(s[13]), y6); + le_store_word32((uint8_t *)&(s[14]), x7); + le_store_word32((uint8_t *)&(s[15]), y7); +#endif +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.h new file mode 100644 index 0000000..fbdabc1 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.h @@ -0,0 +1,82 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPARKLE_H +#define LW_INTERNAL_SPARKLE_H + +#include "internal-util.h" + +/** + * \file internal-sparkle.h + * \brief Internal implementation of the SPARKLE permutation. + * + * References: https://www.cryptolux.org/index.php/Sparkle + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for SPARKLE-256. + */ +#define SPARKLE_256_STATE_SIZE 8 + +/** + * \brief Size of the state for SPARKLE-384. + */ +#define SPARKLE_384_STATE_SIZE 12 + +/** + * \brief Size of the state for SPARKLE-512. + */ +#define SPARKLE_512_STATE_SIZE 16 + +/** + * \brief Performs the SPARKLE-256 permutation. + * + * \param s The words of the SPARKLE-256 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 10. + */ +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps); + +/** + * \brief Performs the SPARKLE-384 permutation. + * + * \param s The words of the SPARKLE-384 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 11. + */ +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps); + +/** + * \brief Performs the SPARKLE-512 permutation. + * + * \param s The words of the SPARKLE-512 state in little-endian byte order. + * \param steps The number of steps to perform, 8 or 12. + */ +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.c new file mode 100644 index 0000000..b357de6 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.c @@ -0,0 +1,1123 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "sparkle.h" +#include "internal-sparkle.h" +#include + +aead_cipher_t const schwaemm_256_128_cipher = { + "Schwaemm256-128", + SCHWAEMM_256_128_KEY_SIZE, + SCHWAEMM_256_128_NONCE_SIZE, + SCHWAEMM_256_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_128_aead_encrypt, + schwaemm_256_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_192_192_cipher = { + "Schwaemm192-192", + SCHWAEMM_192_192_KEY_SIZE, + SCHWAEMM_192_192_NONCE_SIZE, + SCHWAEMM_192_192_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_192_192_aead_encrypt, + schwaemm_192_192_aead_decrypt +}; + +aead_cipher_t const schwaemm_128_128_cipher = { + "Schwaemm128-128", + SCHWAEMM_128_128_KEY_SIZE, + SCHWAEMM_128_128_NONCE_SIZE, + SCHWAEMM_128_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_128_128_aead_encrypt, + schwaemm_128_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_256_256_cipher = { + "Schwaemm256-256", + SCHWAEMM_256_256_KEY_SIZE, + SCHWAEMM_256_256_NONCE_SIZE, + SCHWAEMM_256_256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_256_aead_encrypt, + schwaemm_256_256_aead_decrypt +}; + +aead_hash_algorithm_t const esch_256_hash_algorithm = { + "Esch256", + sizeof(esch_256_hash_state_t), + ESCH_256_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_256_hash, + (aead_hash_init_t)esch_256_hash_init, + (aead_hash_update_t)esch_256_hash_update, + (aead_hash_finalize_t)esch_256_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const esch_384_hash_algorithm = { + "Esch384", + sizeof(esch_384_hash_state_t), + ESCH_384_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_384_hash, + (aead_hash_init_t)esch_384_hash_init, + (aead_hash_update_t)esch_384_hash_update, + (aead_hash_finalize_t)esch_384_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \def DOMAIN(value) + * \brief Build a domain separation value as a 32-bit word. + * + * \param value The base value. + * \return The domain separation value as a 32-bit word. + */ +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define DOMAIN(value) (((uint32_t)(value)) << 24) +#else +#define DOMAIN(value) (value) +#endif + +/** + * \brief Rate at which bytes are processed by Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RIGHT(s) \ + (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_256_128_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + uint32_t t3 = s[3]; \ + if ((domain) != 0) \ + s[11] ^= DOMAIN(domain); \ + s[0] = s[4] ^ s[8]; \ + s[1] = s[5] ^ s[9]; \ + s[2] = s[6] ^ s[10]; \ + s[3] = s[7] ^ s[11]; \ + s[4] ^= t0 ^ s[8]; \ + s[5] ^= t1 ^ s[9]; \ + s[6] ^= t2 ^ s[10]; \ + s[7] ^= t3 ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_256_128_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_128_RATE) { + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_256_128_RATE; + adlen -= SCHWAEMM_256_128_RATE; + } + if (adlen == SCHWAEMM_256_128_RATE) { + schwaemm_256_128_rho(s, 0x05); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_256_128_rho(s, 0x04); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_256_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_128_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_256_128_RATE); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + mlen -= SCHWAEMM_256_128_RATE; + } + if (mlen == SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + memcpy(c, block, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_256_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return 0; +} + +int schwaemm_256_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + clen -= SCHWAEMM_256_128_RATE; + } + if (clen == SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_256_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RATE 24 + +/** + * \brief Pointer to the left of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RIGHT(s) \ + (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_192_192_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + if ((domain) != 0) \ + s[11] ^= DOMAIN(domain); \ + s[0] = s[3] ^ s[6]; \ + s[1] = s[4] ^ s[7]; \ + s[2] = s[5] ^ s[8]; \ + s[3] ^= t0 ^ s[9]; \ + s[4] ^= t1 ^ s[10]; \ + s[5] ^= t2 ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_192_192_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_192_192_RATE) { + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_192_192_RATE; + adlen -= SCHWAEMM_192_192_RATE; + } + if (adlen == SCHWAEMM_192_192_RATE) { + schwaemm_192_192_rho(s, 0x09); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_192_192_rho(s, 0x08); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_192_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_192_192_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_192_192_RATE); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + mlen -= SCHWAEMM_192_192_RATE; + } + if (mlen == SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x0B); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + memcpy(c, block, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_192_192_rho(s, 0x0A); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return 0; +} + +int schwaemm_192_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_192_192_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_192_192_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + clen -= SCHWAEMM_192_192_RATE; + } + if (clen == SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x0B); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_192_192_rho(s, 0x0A); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RATE 16 + +/** + * \brief Pointer to the left of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RIGHT(s) \ + (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_128_128_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + if ((domain) != 0) \ + s[7] ^= DOMAIN(domain); \ + s[0] = s[2] ^ s[4]; \ + s[1] = s[3] ^ s[5]; \ + s[2] ^= t0 ^ s[6]; \ + s[3] ^= t1 ^ s[7]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_128_128_authenticate + (uint32_t s[SPARKLE_256_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_128_128_RATE) { + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + ad += SCHWAEMM_128_128_RATE; + adlen -= SCHWAEMM_128_128_RATE; + } + if (adlen == SCHWAEMM_128_128_RATE) { + schwaemm_128_128_rho(s, 0x05); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_128_128_rho(s, 0x04); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_256(s, 10); +} + +int schwaemm_128_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_256_STATE_SIZE]; + uint8_t block[SCHWAEMM_128_128_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_128_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); + memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); + sparkle_256(s, 10); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_128_128_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + memcpy(c, block, SCHWAEMM_128_128_RATE); + c += SCHWAEMM_128_128_RATE; + m += SCHWAEMM_128_128_RATE; + mlen -= SCHWAEMM_128_128_RATE; + } + if (mlen == SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + memcpy(c, block, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_128_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_256(s, 10); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return 0; +} + +int schwaemm_128_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_256_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_128_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_128_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); + memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); + sparkle_256(s, 10); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_128_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_128_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + c += SCHWAEMM_128_128_RATE; + m += SCHWAEMM_128_128_RATE; + clen -= SCHWAEMM_128_128_RATE; + } + if (clen == SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_128_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_256(s, 10); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RIGHT(s) \ + (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_256_256_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + uint32_t t3 = s[3]; \ + if ((domain) != 0) \ + s[15] ^= DOMAIN(domain); \ + s[0] = s[4] ^ s[8]; \ + s[1] = s[5] ^ s[9]; \ + s[2] = s[6] ^ s[10]; \ + s[3] = s[7] ^ s[11]; \ + s[4] ^= t0 ^ s[12]; \ + s[5] ^= t1 ^ s[13]; \ + s[6] ^= t2 ^ s[14]; \ + s[7] ^= t3 ^ s[15]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_256_256_authenticate + (uint32_t s[SPARKLE_512_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_256_RATE) { + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + ad += SCHWAEMM_256_256_RATE; + adlen -= SCHWAEMM_256_256_RATE; + } + if (adlen == SCHWAEMM_256_256_RATE) { + schwaemm_256_256_rho(s, 0x11); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_256_256_rho(s, 0x10); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); +} + +int schwaemm_256_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_256_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + memcpy(c, block, SCHWAEMM_256_256_RATE); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + mlen -= SCHWAEMM_256_256_RATE; + } + if (mlen == SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x13); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + memcpy(c, block, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_256_256_rho(s, 0x12); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_512(s, 12); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return 0; +} + +int schwaemm_256_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_256_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_256_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + clen -= SCHWAEMM_256_256_RATE; + } + if (clen == SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x13); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_256_256_rho(s, 0x12); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Esch256. + */ +#define ESCH_256_RATE 16 + +/** + * \brief Perform the M3 step for Esch256 to mix the input with the state. + * + * \param s SPARKLE-384 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_256_m3(s, block, domain) \ + do { \ + uint32_t tx = (block)[0] ^ (block)[2]; \ + uint32_t ty = (block)[1] ^ (block)[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= (block)[0] ^ ty; \ + s[1] ^= (block)[1] ^ tx; \ + s[2] ^= (block)[2] ^ ty; \ + s[3] ^= (block)[3] ^ tx; \ + if ((domain) != 0) \ + s[5] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + } while (0) + +/** @cond esch_256 */ + +/** + * \brief Word-based state for the Esch256 incremental hash mode. + */ +typedef union +{ + struct { + uint32_t state[SPARKLE_384_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_256_hash_state_wt; + +/** @endcond */ + +int esch_256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x00); + sparkle_384(s, 7); + in += ESCH_256_RATE; + inlen -= ESCH_256_RATE; + } + if (inlen == ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(s, block, 0x01); + } + sparkle_384(s, 11); + memcpy(out, s, ESCH_256_RATE); + sparkle_384(s, 7); + memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE); + return 0; +} + +void esch_256_hash_init(esch_256_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_256_hash_state_t)); +} + +void esch_256_hash_update + (esch_256_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, st->s.block, 0x00); + sparkle_384(st->s.state, 7); + st->s.count = 0; + } + temp = ESCH_256_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_256_hash_finalize + (esch_256_hash_state_t *state, unsigned char *out) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + + /* Pad and process the last block */ + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(st->s.state, st->s.block, 0x01); + } + sparkle_384(st->s.state, 11); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_256_RATE); + sparkle_384(st->s.state, 7); + memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE); +} + +/** + * \brief Rate at which bytes are processed by Esch384. + */ +#define ESCH_384_RATE 16 + +/** + * \brief Perform the M4 step for Esch384 to mix the input with the state. + * + * \param s SPARKLE-512 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_384_m4(s, block, domain) \ + do { \ + uint32_t tx = block[0] ^ block[2]; \ + uint32_t ty = block[1] ^ block[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= block[0] ^ ty; \ + s[1] ^= block[1] ^ tx; \ + s[2] ^= block[2] ^ ty; \ + s[3] ^= block[3] ^ tx; \ + if ((domain) != 0) \ + s[7] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + s[6] ^= ty; \ + s[7] ^= tx; \ + } while (0) + +/** @cond esch_384 */ + +/** + * \brief Word-based state for the Esch384 incremental hash mode. + */ +typedef union +{ + struct { + uint32_t state[SPARKLE_512_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_384_hash_state_wt; + +/** @endcond */ + +int esch_384_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x00); + sparkle_512(s, 8); + in += ESCH_384_RATE; + inlen -= ESCH_384_RATE; + } + if (inlen == ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(s, block, 0x01); + } + sparkle_512(s, 12); + memcpy(out, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE); + return 0; +} + +void esch_384_hash_init(esch_384_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_384_hash_state_t)); +} + +void esch_384_hash_update + (esch_384_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x00); + sparkle_512(st->s.state, 8); + st->s.count = 0; + } + temp = ESCH_384_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_384_hash_finalize + (esch_384_hash_state_t *state, unsigned char *out) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + + /* Pad and process the last block */ + if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(st->s.state, st->s.block, 0x01); + } + sparkle_512(st->s.state, 12); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE); +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.h new file mode 100644 index 0000000..dd0999e --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.h @@ -0,0 +1,515 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPARKLE_H +#define LWCRYPTO_SPARKLE_H + +#include "aead-common.h" + +/** + * \file sparkle.h + * \brief Encryption and hash algorithms based on the SPARKLE permutation. + * + * SPARKLE is a family of encryption and hash algorithms that are based + * around the SPARKLE permutation. There are three versions of the + * permutation with 256-bit, 384-bit, and 512-bit state sizes. + * The algorithms in the family are: + * + * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag. + * This is the primary encryption algorithm in the family. + * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag. + * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag. + * \li Esch256 hash algorithm with a 256-bit digest output. This is the + * primary hash algorithm in the family. + * \li Esch384 hash algorithm with a 384-bit digest output. + * + * References: https://www.cryptolux.org/index.php/Sparkle + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_NONCE_SIZE 32 + +/** + * \brief Size of the key for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_TAG_SIZE 24 + +/** + * \brief Size of the nonce for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_NONCE_SIZE 24 + +/** + * \brief Size of the key for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_NONCE_SIZE 32 + +/** + * \brief Size of the hash output for Esch256. + */ +#define ESCH_256_HASH_SIZE 32 + +/** + * \brief Size of the hash output for Esch384. + */ +#define ESCH_384_HASH_SIZE 48 + +/** + * \brief Meta-information block for the Schwaemm256-128 cipher. + */ +extern aead_cipher_t const schwaemm_256_128_cipher; + +/** + * \brief Meta-information block for the Schwaemm192-192 cipher. + */ +extern aead_cipher_t const schwaemm_192_192_cipher; + +/** + * \brief Meta-information block for the Schwaemm128-128 cipher. + */ +extern aead_cipher_t const schwaemm_128_128_cipher; + +/** + * \brief Meta-information block for the Schwaemm256-256 cipher. + */ +extern aead_cipher_t const schwaemm_256_256_cipher; + +/** + * \brief Meta-information block for the Esch256 hash algorithm. + */ +extern aead_hash_algorithm_t const esch_256_hash_algorithm; + +/** + * \brief Meta-information block for the Esch384 hash algorithm. + */ +extern aead_hash_algorithm_t const esch_384_hash_algorithm; + +/** + * \brief State information for the Esch256 incremental hash mode. + */ +typedef union +{ + struct { + unsigned char state[48]; /**< Current hash state */ + unsigned char block[16]; /**< Partial input data block */ + unsigned char count; /**< Number of bytes in the current block */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} esch_256_hash_state_t; + +/** + * \brief State information for the Esch384 incremental hash mode. + */ +typedef union +{ + struct { + unsigned char state[64]; /**< Current hash state */ + unsigned char block[16]; /**< Partial input data block */ + unsigned char count; /**< Number of bytes in the current block */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} esch_384_hash_state_t; + +/** + * \brief Encrypts and authenticates a packet with Schwaemm256-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 32 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_256_128_aead_decrypt() + */ +int schwaemm_256_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm256-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 32 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_256_128_aead_encrypt() + */ +int schwaemm_256_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm192-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 24 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 24 bytes in length. + * \param k Points to the 24 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_192_192_aead_decrypt() + */ +int schwaemm_192_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm192-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 24 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 24 bytes in length. + * \param k Points to the 24 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_192_192_aead_encrypt() + */ +int schwaemm_192_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm128-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_128_128_aead_decrypt() + */ +int schwaemm_128_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm128-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_128_128_aead_encrypt() + */ +int schwaemm_128_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm256-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_256_256_aead_decrypt() + */ +int schwaemm_256_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm256-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_256_256_aead_encrypt() + */ +int schwaemm_256_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with Esch256 to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ESCH_256_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int esch_256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an Esch256 hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash() + */ +void esch_256_hash_init(esch_256_hash_state_t *state); + +/** + * \brief Updates an Esch256 state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa esch_256_hash_init(), esch_256_hash_finalize() + */ +void esch_256_hash_update + (esch_256_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an Esch256 hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa esch_256_hash_init(), esch_256_hash_update() + */ +void esch_256_hash_finalize + (esch_256_hash_state_t *state, unsigned char *out); + +/** + * \brief Hashes a block of input data with Esch384 to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ESCH_384_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int esch_384_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an Esch384 hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash() + */ +void esch_384_hash_init(esch_384_hash_state_t *state); + +/** + * \brief Updates an Esch384 state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa esch_384_hash_init(), esch_384_hash_finalize() + */ +void esch_384_hash_update + (esch_384_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an Esch384 hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 48-byte hash value. + * + * \sa esch_384_hash_init(), esch_384_hash_update() + */ +void esch_384_hash_finalize + (esch_384_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/api.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/api.h new file mode 100644 index 0000000..c340ebc --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 24 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 24 +#define CRYPTO_ABYTES 24 +#define CRYPTO_NOOVERLAP 1 diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/encrypt.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/encrypt.c new file mode 100644 index 0000000..43a4aac --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "sparkle.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return schwaemm_192_192_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return schwaemm_192_192_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.c new file mode 100644 index 0000000..822af50 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.c @@ -0,0 +1,366 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-sparkle.h" + +/* The 8 basic round constants from the specification */ +#define RC_0 0xB7E15162 +#define RC_1 0xBF715880 +#define RC_2 0x38B4DA56 +#define RC_3 0x324E7738 +#define RC_4 0xBB1185EB +#define RC_5 0x4F7C7B57 +#define RC_6 0xCFBFA1C8 +#define RC_7 0xC2B3293D + +/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */ +static uint32_t const sparkle_rc[12] = { + RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7, + RC_0, RC_1, RC_2, RC_3 +}; + +/** + * \brief Alzette block cipher that implements the ARXbox layer of the + * SPARKLE permutation. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + * \param k 32-bit round key. + */ +#define alzette(x, y, k) \ + do { \ + (x) += leftRotate1((y)); \ + (y) ^= leftRotate8((x)); \ + (x) ^= (k); \ + (x) += leftRotate15((y)); \ + (y) ^= leftRotate15((x)); \ + (x) ^= (k); \ + (x) += (y); \ + (y) ^= leftRotate1((x)); \ + (x) ^= (k); \ + (x) += leftRotate8((y)); \ + (y) ^= leftRotate16((x)); \ + (x) ^= (k); \ + } while (0) + +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3; + uint32_t y0, y1, y2, y3; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-256 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + + /* Linear layer */ + tx = x0 ^ x1; + ty = y0 ^ y1; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x3 ^ x1 ^ ty; + x3 = x1; + y0 = y3 ^ y1 ^ tx; + y3 = y1; + x1 = x2 ^ tw ^ ty; + x2 = tw; + y1 = y2 ^ tz ^ tx; + y2 = tz; + } + + /* Write the local variables back to the SPARKLE-256 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); +#endif +} + +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5; + uint32_t y0, y1, y2, y3, y4, y5; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-384 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2; + ty = y0 ^ y1 ^ y2; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x4 ^ x1 ^ ty; + x4 = x1; + y0 = y4 ^ y1 ^ tx; + y4 = y1; + x1 = x5 ^ x2 ^ ty; + x5 = x2; + y1 = y5 ^ y2 ^ tx; + y5 = y2; + x2 = x3 ^ tw ^ ty; + x3 = tw; + y2 = y3 ^ tz ^ tx; + y3 = tz; + } + + /* Write the local variables back to the SPARKLE-384 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); +#endif +} + +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t y0, y1, y2, y3, y4, y5, y6, y7; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-512 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; + x6 = s[12]; + y6 = s[13]; + x7 = s[14]; + y7 = s[15]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); + x6 = le_load_word32((const uint8_t *)&(s[12])); + y6 = le_load_word32((const uint8_t *)&(s[13])); + x7 = le_load_word32((const uint8_t *)&(s[14])); + y7 = le_load_word32((const uint8_t *)&(s[15])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + alzette(x6, y6, RC_6); + alzette(x7, y7, RC_7); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2 ^ x3; + ty = y0 ^ y1 ^ y2 ^ y3; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x5 ^ x1 ^ ty; + x5 = x1; + y0 = y5 ^ y1 ^ tx; + y5 = y1; + x1 = x6 ^ x2 ^ ty; + x6 = x2; + y1 = y6 ^ y2 ^ tx; + y6 = y2; + x2 = x7 ^ x3 ^ ty; + x7 = x3; + y2 = y7 ^ y3 ^ tx; + y7 = y3; + x3 = x4 ^ tw ^ ty; + x4 = tw; + y3 = y4 ^ tz ^ tx; + y4 = tz; + } + + /* Write the local variables back to the SPARKLE-512 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; + s[12] = x6; + s[13] = y6; + s[14] = x7; + s[15] = y7; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); + le_store_word32((uint8_t *)&(s[12]), x6); + le_store_word32((uint8_t *)&(s[13]), y6); + le_store_word32((uint8_t *)&(s[14]), x7); + le_store_word32((uint8_t *)&(s[15]), y7); +#endif +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.h new file mode 100644 index 0000000..fbdabc1 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.h @@ -0,0 +1,82 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPARKLE_H +#define LW_INTERNAL_SPARKLE_H + +#include "internal-util.h" + +/** + * \file internal-sparkle.h + * \brief Internal implementation of the SPARKLE permutation. + * + * References: https://www.cryptolux.org/index.php/Sparkle + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for SPARKLE-256. + */ +#define SPARKLE_256_STATE_SIZE 8 + +/** + * \brief Size of the state for SPARKLE-384. + */ +#define SPARKLE_384_STATE_SIZE 12 + +/** + * \brief Size of the state for SPARKLE-512. + */ +#define SPARKLE_512_STATE_SIZE 16 + +/** + * \brief Performs the SPARKLE-256 permutation. + * + * \param s The words of the SPARKLE-256 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 10. + */ +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps); + +/** + * \brief Performs the SPARKLE-384 permutation. + * + * \param s The words of the SPARKLE-384 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 11. + */ +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps); + +/** + * \brief Performs the SPARKLE-512 permutation. + * + * \param s The words of the SPARKLE-512 state in little-endian byte order. + * \param steps The number of steps to perform, 8 or 12. + */ +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.c new file mode 100644 index 0000000..b357de6 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.c @@ -0,0 +1,1123 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "sparkle.h" +#include "internal-sparkle.h" +#include + +aead_cipher_t const schwaemm_256_128_cipher = { + "Schwaemm256-128", + SCHWAEMM_256_128_KEY_SIZE, + SCHWAEMM_256_128_NONCE_SIZE, + SCHWAEMM_256_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_128_aead_encrypt, + schwaemm_256_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_192_192_cipher = { + "Schwaemm192-192", + SCHWAEMM_192_192_KEY_SIZE, + SCHWAEMM_192_192_NONCE_SIZE, + SCHWAEMM_192_192_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_192_192_aead_encrypt, + schwaemm_192_192_aead_decrypt +}; + +aead_cipher_t const schwaemm_128_128_cipher = { + "Schwaemm128-128", + SCHWAEMM_128_128_KEY_SIZE, + SCHWAEMM_128_128_NONCE_SIZE, + SCHWAEMM_128_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_128_128_aead_encrypt, + schwaemm_128_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_256_256_cipher = { + "Schwaemm256-256", + SCHWAEMM_256_256_KEY_SIZE, + SCHWAEMM_256_256_NONCE_SIZE, + SCHWAEMM_256_256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_256_aead_encrypt, + schwaemm_256_256_aead_decrypt +}; + +aead_hash_algorithm_t const esch_256_hash_algorithm = { + "Esch256", + sizeof(esch_256_hash_state_t), + ESCH_256_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_256_hash, + (aead_hash_init_t)esch_256_hash_init, + (aead_hash_update_t)esch_256_hash_update, + (aead_hash_finalize_t)esch_256_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const esch_384_hash_algorithm = { + "Esch384", + sizeof(esch_384_hash_state_t), + ESCH_384_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_384_hash, + (aead_hash_init_t)esch_384_hash_init, + (aead_hash_update_t)esch_384_hash_update, + (aead_hash_finalize_t)esch_384_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \def DOMAIN(value) + * \brief Build a domain separation value as a 32-bit word. + * + * \param value The base value. + * \return The domain separation value as a 32-bit word. + */ +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define DOMAIN(value) (((uint32_t)(value)) << 24) +#else +#define DOMAIN(value) (value) +#endif + +/** + * \brief Rate at which bytes are processed by Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RIGHT(s) \ + (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_256_128_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + uint32_t t3 = s[3]; \ + if ((domain) != 0) \ + s[11] ^= DOMAIN(domain); \ + s[0] = s[4] ^ s[8]; \ + s[1] = s[5] ^ s[9]; \ + s[2] = s[6] ^ s[10]; \ + s[3] = s[7] ^ s[11]; \ + s[4] ^= t0 ^ s[8]; \ + s[5] ^= t1 ^ s[9]; \ + s[6] ^= t2 ^ s[10]; \ + s[7] ^= t3 ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_256_128_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_128_RATE) { + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_256_128_RATE; + adlen -= SCHWAEMM_256_128_RATE; + } + if (adlen == SCHWAEMM_256_128_RATE) { + schwaemm_256_128_rho(s, 0x05); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_256_128_rho(s, 0x04); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_256_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_128_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_256_128_RATE); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + mlen -= SCHWAEMM_256_128_RATE; + } + if (mlen == SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + memcpy(c, block, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_256_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return 0; +} + +int schwaemm_256_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + clen -= SCHWAEMM_256_128_RATE; + } + if (clen == SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_256_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RATE 24 + +/** + * \brief Pointer to the left of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RIGHT(s) \ + (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_192_192_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + if ((domain) != 0) \ + s[11] ^= DOMAIN(domain); \ + s[0] = s[3] ^ s[6]; \ + s[1] = s[4] ^ s[7]; \ + s[2] = s[5] ^ s[8]; \ + s[3] ^= t0 ^ s[9]; \ + s[4] ^= t1 ^ s[10]; \ + s[5] ^= t2 ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_192_192_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_192_192_RATE) { + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_192_192_RATE; + adlen -= SCHWAEMM_192_192_RATE; + } + if (adlen == SCHWAEMM_192_192_RATE) { + schwaemm_192_192_rho(s, 0x09); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_192_192_rho(s, 0x08); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_192_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_192_192_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_192_192_RATE); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + mlen -= SCHWAEMM_192_192_RATE; + } + if (mlen == SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x0B); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + memcpy(c, block, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_192_192_rho(s, 0x0A); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return 0; +} + +int schwaemm_192_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_192_192_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_192_192_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + clen -= SCHWAEMM_192_192_RATE; + } + if (clen == SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x0B); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_192_192_rho(s, 0x0A); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RATE 16 + +/** + * \brief Pointer to the left of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RIGHT(s) \ + (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_128_128_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + if ((domain) != 0) \ + s[7] ^= DOMAIN(domain); \ + s[0] = s[2] ^ s[4]; \ + s[1] = s[3] ^ s[5]; \ + s[2] ^= t0 ^ s[6]; \ + s[3] ^= t1 ^ s[7]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_128_128_authenticate + (uint32_t s[SPARKLE_256_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_128_128_RATE) { + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + ad += SCHWAEMM_128_128_RATE; + adlen -= SCHWAEMM_128_128_RATE; + } + if (adlen == SCHWAEMM_128_128_RATE) { + schwaemm_128_128_rho(s, 0x05); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_128_128_rho(s, 0x04); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_256(s, 10); +} + +int schwaemm_128_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_256_STATE_SIZE]; + uint8_t block[SCHWAEMM_128_128_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_128_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); + memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); + sparkle_256(s, 10); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_128_128_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + memcpy(c, block, SCHWAEMM_128_128_RATE); + c += SCHWAEMM_128_128_RATE; + m += SCHWAEMM_128_128_RATE; + mlen -= SCHWAEMM_128_128_RATE; + } + if (mlen == SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + memcpy(c, block, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_128_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_256(s, 10); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return 0; +} + +int schwaemm_128_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_256_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_128_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_128_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); + memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); + sparkle_256(s, 10); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_128_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_128_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + c += SCHWAEMM_128_128_RATE; + m += SCHWAEMM_128_128_RATE; + clen -= SCHWAEMM_128_128_RATE; + } + if (clen == SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_128_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_256(s, 10); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RIGHT(s) \ + (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_256_256_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + uint32_t t3 = s[3]; \ + if ((domain) != 0) \ + s[15] ^= DOMAIN(domain); \ + s[0] = s[4] ^ s[8]; \ + s[1] = s[5] ^ s[9]; \ + s[2] = s[6] ^ s[10]; \ + s[3] = s[7] ^ s[11]; \ + s[4] ^= t0 ^ s[12]; \ + s[5] ^= t1 ^ s[13]; \ + s[6] ^= t2 ^ s[14]; \ + s[7] ^= t3 ^ s[15]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_256_256_authenticate + (uint32_t s[SPARKLE_512_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_256_RATE) { + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + ad += SCHWAEMM_256_256_RATE; + adlen -= SCHWAEMM_256_256_RATE; + } + if (adlen == SCHWAEMM_256_256_RATE) { + schwaemm_256_256_rho(s, 0x11); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_256_256_rho(s, 0x10); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); +} + +int schwaemm_256_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_256_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + memcpy(c, block, SCHWAEMM_256_256_RATE); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + mlen -= SCHWAEMM_256_256_RATE; + } + if (mlen == SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x13); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + memcpy(c, block, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_256_256_rho(s, 0x12); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_512(s, 12); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return 0; +} + +int schwaemm_256_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_256_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_256_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + clen -= SCHWAEMM_256_256_RATE; + } + if (clen == SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x13); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_256_256_rho(s, 0x12); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Esch256. + */ +#define ESCH_256_RATE 16 + +/** + * \brief Perform the M3 step for Esch256 to mix the input with the state. + * + * \param s SPARKLE-384 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_256_m3(s, block, domain) \ + do { \ + uint32_t tx = (block)[0] ^ (block)[2]; \ + uint32_t ty = (block)[1] ^ (block)[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= (block)[0] ^ ty; \ + s[1] ^= (block)[1] ^ tx; \ + s[2] ^= (block)[2] ^ ty; \ + s[3] ^= (block)[3] ^ tx; \ + if ((domain) != 0) \ + s[5] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + } while (0) + +/** @cond esch_256 */ + +/** + * \brief Word-based state for the Esch256 incremental hash mode. + */ +typedef union +{ + struct { + uint32_t state[SPARKLE_384_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_256_hash_state_wt; + +/** @endcond */ + +int esch_256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x00); + sparkle_384(s, 7); + in += ESCH_256_RATE; + inlen -= ESCH_256_RATE; + } + if (inlen == ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(s, block, 0x01); + } + sparkle_384(s, 11); + memcpy(out, s, ESCH_256_RATE); + sparkle_384(s, 7); + memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE); + return 0; +} + +void esch_256_hash_init(esch_256_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_256_hash_state_t)); +} + +void esch_256_hash_update + (esch_256_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, st->s.block, 0x00); + sparkle_384(st->s.state, 7); + st->s.count = 0; + } + temp = ESCH_256_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_256_hash_finalize + (esch_256_hash_state_t *state, unsigned char *out) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + + /* Pad and process the last block */ + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(st->s.state, st->s.block, 0x01); + } + sparkle_384(st->s.state, 11); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_256_RATE); + sparkle_384(st->s.state, 7); + memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE); +} + +/** + * \brief Rate at which bytes are processed by Esch384. + */ +#define ESCH_384_RATE 16 + +/** + * \brief Perform the M4 step for Esch384 to mix the input with the state. + * + * \param s SPARKLE-512 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_384_m4(s, block, domain) \ + do { \ + uint32_t tx = block[0] ^ block[2]; \ + uint32_t ty = block[1] ^ block[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= block[0] ^ ty; \ + s[1] ^= block[1] ^ tx; \ + s[2] ^= block[2] ^ ty; \ + s[3] ^= block[3] ^ tx; \ + if ((domain) != 0) \ + s[7] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + s[6] ^= ty; \ + s[7] ^= tx; \ + } while (0) + +/** @cond esch_384 */ + +/** + * \brief Word-based state for the Esch384 incremental hash mode. + */ +typedef union +{ + struct { + uint32_t state[SPARKLE_512_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_384_hash_state_wt; + +/** @endcond */ + +int esch_384_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x00); + sparkle_512(s, 8); + in += ESCH_384_RATE; + inlen -= ESCH_384_RATE; + } + if (inlen == ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(s, block, 0x01); + } + sparkle_512(s, 12); + memcpy(out, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE); + return 0; +} + +void esch_384_hash_init(esch_384_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_384_hash_state_t)); +} + +void esch_384_hash_update + (esch_384_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x00); + sparkle_512(st->s.state, 8); + st->s.count = 0; + } + temp = ESCH_384_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_384_hash_finalize + (esch_384_hash_state_t *state, unsigned char *out) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + + /* Pad and process the last block */ + if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(st->s.state, st->s.block, 0x01); + } + sparkle_512(st->s.state, 12); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE); +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.h new file mode 100644 index 0000000..dd0999e --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.h @@ -0,0 +1,515 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPARKLE_H +#define LWCRYPTO_SPARKLE_H + +#include "aead-common.h" + +/** + * \file sparkle.h + * \brief Encryption and hash algorithms based on the SPARKLE permutation. + * + * SPARKLE is a family of encryption and hash algorithms that are based + * around the SPARKLE permutation. There are three versions of the + * permutation with 256-bit, 384-bit, and 512-bit state sizes. + * The algorithms in the family are: + * + * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag. + * This is the primary encryption algorithm in the family. + * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag. + * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag. + * \li Esch256 hash algorithm with a 256-bit digest output. This is the + * primary hash algorithm in the family. + * \li Esch384 hash algorithm with a 384-bit digest output. + * + * References: https://www.cryptolux.org/index.php/Sparkle + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_NONCE_SIZE 32 + +/** + * \brief Size of the key for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_TAG_SIZE 24 + +/** + * \brief Size of the nonce for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_NONCE_SIZE 24 + +/** + * \brief Size of the key for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_NONCE_SIZE 32 + +/** + * \brief Size of the hash output for Esch256. + */ +#define ESCH_256_HASH_SIZE 32 + +/** + * \brief Size of the hash output for Esch384. + */ +#define ESCH_384_HASH_SIZE 48 + +/** + * \brief Meta-information block for the Schwaemm256-128 cipher. + */ +extern aead_cipher_t const schwaemm_256_128_cipher; + +/** + * \brief Meta-information block for the Schwaemm192-192 cipher. + */ +extern aead_cipher_t const schwaemm_192_192_cipher; + +/** + * \brief Meta-information block for the Schwaemm128-128 cipher. + */ +extern aead_cipher_t const schwaemm_128_128_cipher; + +/** + * \brief Meta-information block for the Schwaemm256-256 cipher. + */ +extern aead_cipher_t const schwaemm_256_256_cipher; + +/** + * \brief Meta-information block for the Esch256 hash algorithm. + */ +extern aead_hash_algorithm_t const esch_256_hash_algorithm; + +/** + * \brief Meta-information block for the Esch384 hash algorithm. + */ +extern aead_hash_algorithm_t const esch_384_hash_algorithm; + +/** + * \brief State information for the Esch256 incremental hash mode. + */ +typedef union +{ + struct { + unsigned char state[48]; /**< Current hash state */ + unsigned char block[16]; /**< Partial input data block */ + unsigned char count; /**< Number of bytes in the current block */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} esch_256_hash_state_t; + +/** + * \brief State information for the Esch384 incremental hash mode. + */ +typedef union +{ + struct { + unsigned char state[64]; /**< Current hash state */ + unsigned char block[16]; /**< Partial input data block */ + unsigned char count; /**< Number of bytes in the current block */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} esch_384_hash_state_t; + +/** + * \brief Encrypts and authenticates a packet with Schwaemm256-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 32 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_256_128_aead_decrypt() + */ +int schwaemm_256_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm256-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 32 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_256_128_aead_encrypt() + */ +int schwaemm_256_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm192-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 24 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 24 bytes in length. + * \param k Points to the 24 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_192_192_aead_decrypt() + */ +int schwaemm_192_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm192-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 24 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 24 bytes in length. + * \param k Points to the 24 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_192_192_aead_encrypt() + */ +int schwaemm_192_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm128-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_128_128_aead_decrypt() + */ +int schwaemm_128_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm128-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_128_128_aead_encrypt() + */ +int schwaemm_128_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm256-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_256_256_aead_decrypt() + */ +int schwaemm_256_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm256-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_256_256_aead_encrypt() + */ +int schwaemm_256_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with Esch256 to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ESCH_256_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int esch_256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an Esch256 hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash() + */ +void esch_256_hash_init(esch_256_hash_state_t *state); + +/** + * \brief Updates an Esch256 state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa esch_256_hash_init(), esch_256_hash_finalize() + */ +void esch_256_hash_update + (esch_256_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an Esch256 hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa esch_256_hash_init(), esch_256_hash_update() + */ +void esch_256_hash_finalize + (esch_256_hash_state_t *state, unsigned char *out); + +/** + * \brief Hashes a block of input data with Esch384 to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ESCH_384_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int esch_384_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an Esch384 hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash() + */ +void esch_384_hash_init(esch_384_hash_state_t *state); + +/** + * \brief Updates an Esch384 state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa esch_384_hash_init(), esch_384_hash_finalize() + */ +void esch_384_hash_update + (esch_384_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an Esch384 hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 48-byte hash value. + * + * \sa esch_384_hash_init(), esch_384_hash_update() + */ +void esch_384_hash_finalize + (esch_384_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/api.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/api.h new file mode 100644 index 0000000..420cea6 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 32 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/encrypt.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/encrypt.c new file mode 100644 index 0000000..6063cb6 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "sparkle.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return schwaemm_256_128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return schwaemm_256_128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.c new file mode 100644 index 0000000..822af50 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.c @@ -0,0 +1,366 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-sparkle.h" + +/* The 8 basic round constants from the specification */ +#define RC_0 0xB7E15162 +#define RC_1 0xBF715880 +#define RC_2 0x38B4DA56 +#define RC_3 0x324E7738 +#define RC_4 0xBB1185EB +#define RC_5 0x4F7C7B57 +#define RC_6 0xCFBFA1C8 +#define RC_7 0xC2B3293D + +/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */ +static uint32_t const sparkle_rc[12] = { + RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7, + RC_0, RC_1, RC_2, RC_3 +}; + +/** + * \brief Alzette block cipher that implements the ARXbox layer of the + * SPARKLE permutation. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + * \param k 32-bit round key. + */ +#define alzette(x, y, k) \ + do { \ + (x) += leftRotate1((y)); \ + (y) ^= leftRotate8((x)); \ + (x) ^= (k); \ + (x) += leftRotate15((y)); \ + (y) ^= leftRotate15((x)); \ + (x) ^= (k); \ + (x) += (y); \ + (y) ^= leftRotate1((x)); \ + (x) ^= (k); \ + (x) += leftRotate8((y)); \ + (y) ^= leftRotate16((x)); \ + (x) ^= (k); \ + } while (0) + +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3; + uint32_t y0, y1, y2, y3; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-256 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + + /* Linear layer */ + tx = x0 ^ x1; + ty = y0 ^ y1; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x3 ^ x1 ^ ty; + x3 = x1; + y0 = y3 ^ y1 ^ tx; + y3 = y1; + x1 = x2 ^ tw ^ ty; + x2 = tw; + y1 = y2 ^ tz ^ tx; + y2 = tz; + } + + /* Write the local variables back to the SPARKLE-256 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); +#endif +} + +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5; + uint32_t y0, y1, y2, y3, y4, y5; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-384 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2; + ty = y0 ^ y1 ^ y2; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x4 ^ x1 ^ ty; + x4 = x1; + y0 = y4 ^ y1 ^ tx; + y4 = y1; + x1 = x5 ^ x2 ^ ty; + x5 = x2; + y1 = y5 ^ y2 ^ tx; + y5 = y2; + x2 = x3 ^ tw ^ ty; + x3 = tw; + y2 = y3 ^ tz ^ tx; + y3 = tz; + } + + /* Write the local variables back to the SPARKLE-384 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); +#endif +} + +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t y0, y1, y2, y3, y4, y5, y6, y7; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-512 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; + x6 = s[12]; + y6 = s[13]; + x7 = s[14]; + y7 = s[15]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); + x6 = le_load_word32((const uint8_t *)&(s[12])); + y6 = le_load_word32((const uint8_t *)&(s[13])); + x7 = le_load_word32((const uint8_t *)&(s[14])); + y7 = le_load_word32((const uint8_t *)&(s[15])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + alzette(x6, y6, RC_6); + alzette(x7, y7, RC_7); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2 ^ x3; + ty = y0 ^ y1 ^ y2 ^ y3; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x5 ^ x1 ^ ty; + x5 = x1; + y0 = y5 ^ y1 ^ tx; + y5 = y1; + x1 = x6 ^ x2 ^ ty; + x6 = x2; + y1 = y6 ^ y2 ^ tx; + y6 = y2; + x2 = x7 ^ x3 ^ ty; + x7 = x3; + y2 = y7 ^ y3 ^ tx; + y7 = y3; + x3 = x4 ^ tw ^ ty; + x4 = tw; + y3 = y4 ^ tz ^ tx; + y4 = tz; + } + + /* Write the local variables back to the SPARKLE-512 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; + s[12] = x6; + s[13] = y6; + s[14] = x7; + s[15] = y7; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); + le_store_word32((uint8_t *)&(s[12]), x6); + le_store_word32((uint8_t *)&(s[13]), y6); + le_store_word32((uint8_t *)&(s[14]), x7); + le_store_word32((uint8_t *)&(s[15]), y7); +#endif +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.h new file mode 100644 index 0000000..fbdabc1 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.h @@ -0,0 +1,82 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPARKLE_H +#define LW_INTERNAL_SPARKLE_H + +#include "internal-util.h" + +/** + * \file internal-sparkle.h + * \brief Internal implementation of the SPARKLE permutation. + * + * References: https://www.cryptolux.org/index.php/Sparkle + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for SPARKLE-256. + */ +#define SPARKLE_256_STATE_SIZE 8 + +/** + * \brief Size of the state for SPARKLE-384. + */ +#define SPARKLE_384_STATE_SIZE 12 + +/** + * \brief Size of the state for SPARKLE-512. + */ +#define SPARKLE_512_STATE_SIZE 16 + +/** + * \brief Performs the SPARKLE-256 permutation. + * + * \param s The words of the SPARKLE-256 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 10. + */ +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps); + +/** + * \brief Performs the SPARKLE-384 permutation. + * + * \param s The words of the SPARKLE-384 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 11. + */ +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps); + +/** + * \brief Performs the SPARKLE-512 permutation. + * + * \param s The words of the SPARKLE-512 state in little-endian byte order. + * \param steps The number of steps to perform, 8 or 12. + */ +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.c new file mode 100644 index 0000000..b357de6 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.c @@ -0,0 +1,1123 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "sparkle.h" +#include "internal-sparkle.h" +#include + +aead_cipher_t const schwaemm_256_128_cipher = { + "Schwaemm256-128", + SCHWAEMM_256_128_KEY_SIZE, + SCHWAEMM_256_128_NONCE_SIZE, + SCHWAEMM_256_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_128_aead_encrypt, + schwaemm_256_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_192_192_cipher = { + "Schwaemm192-192", + SCHWAEMM_192_192_KEY_SIZE, + SCHWAEMM_192_192_NONCE_SIZE, + SCHWAEMM_192_192_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_192_192_aead_encrypt, + schwaemm_192_192_aead_decrypt +}; + +aead_cipher_t const schwaemm_128_128_cipher = { + "Schwaemm128-128", + SCHWAEMM_128_128_KEY_SIZE, + SCHWAEMM_128_128_NONCE_SIZE, + SCHWAEMM_128_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_128_128_aead_encrypt, + schwaemm_128_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_256_256_cipher = { + "Schwaemm256-256", + SCHWAEMM_256_256_KEY_SIZE, + SCHWAEMM_256_256_NONCE_SIZE, + SCHWAEMM_256_256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_256_aead_encrypt, + schwaemm_256_256_aead_decrypt +}; + +aead_hash_algorithm_t const esch_256_hash_algorithm = { + "Esch256", + sizeof(esch_256_hash_state_t), + ESCH_256_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_256_hash, + (aead_hash_init_t)esch_256_hash_init, + (aead_hash_update_t)esch_256_hash_update, + (aead_hash_finalize_t)esch_256_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const esch_384_hash_algorithm = { + "Esch384", + sizeof(esch_384_hash_state_t), + ESCH_384_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_384_hash, + (aead_hash_init_t)esch_384_hash_init, + (aead_hash_update_t)esch_384_hash_update, + (aead_hash_finalize_t)esch_384_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \def DOMAIN(value) + * \brief Build a domain separation value as a 32-bit word. + * + * \param value The base value. + * \return The domain separation value as a 32-bit word. + */ +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define DOMAIN(value) (((uint32_t)(value)) << 24) +#else +#define DOMAIN(value) (value) +#endif + +/** + * \brief Rate at which bytes are processed by Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RIGHT(s) \ + (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_256_128_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + uint32_t t3 = s[3]; \ + if ((domain) != 0) \ + s[11] ^= DOMAIN(domain); \ + s[0] = s[4] ^ s[8]; \ + s[1] = s[5] ^ s[9]; \ + s[2] = s[6] ^ s[10]; \ + s[3] = s[7] ^ s[11]; \ + s[4] ^= t0 ^ s[8]; \ + s[5] ^= t1 ^ s[9]; \ + s[6] ^= t2 ^ s[10]; \ + s[7] ^= t3 ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_256_128_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_128_RATE) { + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_256_128_RATE; + adlen -= SCHWAEMM_256_128_RATE; + } + if (adlen == SCHWAEMM_256_128_RATE) { + schwaemm_256_128_rho(s, 0x05); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_256_128_rho(s, 0x04); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_256_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_128_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_256_128_RATE); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + mlen -= SCHWAEMM_256_128_RATE; + } + if (mlen == SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + memcpy(c, block, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_256_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return 0; +} + +int schwaemm_256_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + clen -= SCHWAEMM_256_128_RATE; + } + if (clen == SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_256_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RATE 24 + +/** + * \brief Pointer to the left of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RIGHT(s) \ + (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_192_192_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + if ((domain) != 0) \ + s[11] ^= DOMAIN(domain); \ + s[0] = s[3] ^ s[6]; \ + s[1] = s[4] ^ s[7]; \ + s[2] = s[5] ^ s[8]; \ + s[3] ^= t0 ^ s[9]; \ + s[4] ^= t1 ^ s[10]; \ + s[5] ^= t2 ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_192_192_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_192_192_RATE) { + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_192_192_RATE; + adlen -= SCHWAEMM_192_192_RATE; + } + if (adlen == SCHWAEMM_192_192_RATE) { + schwaemm_192_192_rho(s, 0x09); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_192_192_rho(s, 0x08); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_192_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_192_192_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_192_192_RATE); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + mlen -= SCHWAEMM_192_192_RATE; + } + if (mlen == SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x0B); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + memcpy(c, block, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_192_192_rho(s, 0x0A); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return 0; +} + +int schwaemm_192_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_192_192_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_192_192_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + clen -= SCHWAEMM_192_192_RATE; + } + if (clen == SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x0B); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_192_192_rho(s, 0x0A); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RATE 16 + +/** + * \brief Pointer to the left of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RIGHT(s) \ + (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_128_128_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + if ((domain) != 0) \ + s[7] ^= DOMAIN(domain); \ + s[0] = s[2] ^ s[4]; \ + s[1] = s[3] ^ s[5]; \ + s[2] ^= t0 ^ s[6]; \ + s[3] ^= t1 ^ s[7]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_128_128_authenticate + (uint32_t s[SPARKLE_256_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_128_128_RATE) { + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + ad += SCHWAEMM_128_128_RATE; + adlen -= SCHWAEMM_128_128_RATE; + } + if (adlen == SCHWAEMM_128_128_RATE) { + schwaemm_128_128_rho(s, 0x05); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_128_128_rho(s, 0x04); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_256(s, 10); +} + +int schwaemm_128_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_256_STATE_SIZE]; + uint8_t block[SCHWAEMM_128_128_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_128_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); + memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); + sparkle_256(s, 10); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_128_128_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + memcpy(c, block, SCHWAEMM_128_128_RATE); + c += SCHWAEMM_128_128_RATE; + m += SCHWAEMM_128_128_RATE; + mlen -= SCHWAEMM_128_128_RATE; + } + if (mlen == SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + memcpy(c, block, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_128_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_256(s, 10); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return 0; +} + +int schwaemm_128_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_256_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_128_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_128_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); + memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); + sparkle_256(s, 10); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_128_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_128_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + c += SCHWAEMM_128_128_RATE; + m += SCHWAEMM_128_128_RATE; + clen -= SCHWAEMM_128_128_RATE; + } + if (clen == SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_128_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_256(s, 10); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RIGHT(s) \ + (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_256_256_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + uint32_t t3 = s[3]; \ + if ((domain) != 0) \ + s[15] ^= DOMAIN(domain); \ + s[0] = s[4] ^ s[8]; \ + s[1] = s[5] ^ s[9]; \ + s[2] = s[6] ^ s[10]; \ + s[3] = s[7] ^ s[11]; \ + s[4] ^= t0 ^ s[12]; \ + s[5] ^= t1 ^ s[13]; \ + s[6] ^= t2 ^ s[14]; \ + s[7] ^= t3 ^ s[15]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_256_256_authenticate + (uint32_t s[SPARKLE_512_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_256_RATE) { + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + ad += SCHWAEMM_256_256_RATE; + adlen -= SCHWAEMM_256_256_RATE; + } + if (adlen == SCHWAEMM_256_256_RATE) { + schwaemm_256_256_rho(s, 0x11); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_256_256_rho(s, 0x10); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); +} + +int schwaemm_256_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_256_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + memcpy(c, block, SCHWAEMM_256_256_RATE); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + mlen -= SCHWAEMM_256_256_RATE; + } + if (mlen == SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x13); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + memcpy(c, block, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_256_256_rho(s, 0x12); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_512(s, 12); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return 0; +} + +int schwaemm_256_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_256_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_256_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + clen -= SCHWAEMM_256_256_RATE; + } + if (clen == SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x13); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_256_256_rho(s, 0x12); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Esch256. + */ +#define ESCH_256_RATE 16 + +/** + * \brief Perform the M3 step for Esch256 to mix the input with the state. + * + * \param s SPARKLE-384 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_256_m3(s, block, domain) \ + do { \ + uint32_t tx = (block)[0] ^ (block)[2]; \ + uint32_t ty = (block)[1] ^ (block)[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= (block)[0] ^ ty; \ + s[1] ^= (block)[1] ^ tx; \ + s[2] ^= (block)[2] ^ ty; \ + s[3] ^= (block)[3] ^ tx; \ + if ((domain) != 0) \ + s[5] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + } while (0) + +/** @cond esch_256 */ + +/** + * \brief Word-based state for the Esch256 incremental hash mode. + */ +typedef union +{ + struct { + uint32_t state[SPARKLE_384_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_256_hash_state_wt; + +/** @endcond */ + +int esch_256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x00); + sparkle_384(s, 7); + in += ESCH_256_RATE; + inlen -= ESCH_256_RATE; + } + if (inlen == ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(s, block, 0x01); + } + sparkle_384(s, 11); + memcpy(out, s, ESCH_256_RATE); + sparkle_384(s, 7); + memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE); + return 0; +} + +void esch_256_hash_init(esch_256_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_256_hash_state_t)); +} + +void esch_256_hash_update + (esch_256_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, st->s.block, 0x00); + sparkle_384(st->s.state, 7); + st->s.count = 0; + } + temp = ESCH_256_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_256_hash_finalize + (esch_256_hash_state_t *state, unsigned char *out) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + + /* Pad and process the last block */ + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(st->s.state, st->s.block, 0x01); + } + sparkle_384(st->s.state, 11); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_256_RATE); + sparkle_384(st->s.state, 7); + memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE); +} + +/** + * \brief Rate at which bytes are processed by Esch384. + */ +#define ESCH_384_RATE 16 + +/** + * \brief Perform the M4 step for Esch384 to mix the input with the state. + * + * \param s SPARKLE-512 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_384_m4(s, block, domain) \ + do { \ + uint32_t tx = block[0] ^ block[2]; \ + uint32_t ty = block[1] ^ block[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= block[0] ^ ty; \ + s[1] ^= block[1] ^ tx; \ + s[2] ^= block[2] ^ ty; \ + s[3] ^= block[3] ^ tx; \ + if ((domain) != 0) \ + s[7] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + s[6] ^= ty; \ + s[7] ^= tx; \ + } while (0) + +/** @cond esch_384 */ + +/** + * \brief Word-based state for the Esch384 incremental hash mode. + */ +typedef union +{ + struct { + uint32_t state[SPARKLE_512_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_384_hash_state_wt; + +/** @endcond */ + +int esch_384_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x00); + sparkle_512(s, 8); + in += ESCH_384_RATE; + inlen -= ESCH_384_RATE; + } + if (inlen == ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(s, block, 0x01); + } + sparkle_512(s, 12); + memcpy(out, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE); + return 0; +} + +void esch_384_hash_init(esch_384_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_384_hash_state_t)); +} + +void esch_384_hash_update + (esch_384_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x00); + sparkle_512(st->s.state, 8); + st->s.count = 0; + } + temp = ESCH_384_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_384_hash_finalize + (esch_384_hash_state_t *state, unsigned char *out) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + + /* Pad and process the last block */ + if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(st->s.state, st->s.block, 0x01); + } + sparkle_512(st->s.state, 12); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE); +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.h new file mode 100644 index 0000000..dd0999e --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.h @@ -0,0 +1,515 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPARKLE_H +#define LWCRYPTO_SPARKLE_H + +#include "aead-common.h" + +/** + * \file sparkle.h + * \brief Encryption and hash algorithms based on the SPARKLE permutation. + * + * SPARKLE is a family of encryption and hash algorithms that are based + * around the SPARKLE permutation. There are three versions of the + * permutation with 256-bit, 384-bit, and 512-bit state sizes. + * The algorithms in the family are: + * + * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag. + * This is the primary encryption algorithm in the family. + * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag. + * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag. + * \li Esch256 hash algorithm with a 256-bit digest output. This is the + * primary hash algorithm in the family. + * \li Esch384 hash algorithm with a 384-bit digest output. + * + * References: https://www.cryptolux.org/index.php/Sparkle + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_NONCE_SIZE 32 + +/** + * \brief Size of the key for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_TAG_SIZE 24 + +/** + * \brief Size of the nonce for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_NONCE_SIZE 24 + +/** + * \brief Size of the key for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_NONCE_SIZE 32 + +/** + * \brief Size of the hash output for Esch256. + */ +#define ESCH_256_HASH_SIZE 32 + +/** + * \brief Size of the hash output for Esch384. + */ +#define ESCH_384_HASH_SIZE 48 + +/** + * \brief Meta-information block for the Schwaemm256-128 cipher. + */ +extern aead_cipher_t const schwaemm_256_128_cipher; + +/** + * \brief Meta-information block for the Schwaemm192-192 cipher. + */ +extern aead_cipher_t const schwaemm_192_192_cipher; + +/** + * \brief Meta-information block for the Schwaemm128-128 cipher. + */ +extern aead_cipher_t const schwaemm_128_128_cipher; + +/** + * \brief Meta-information block for the Schwaemm256-256 cipher. + */ +extern aead_cipher_t const schwaemm_256_256_cipher; + +/** + * \brief Meta-information block for the Esch256 hash algorithm. + */ +extern aead_hash_algorithm_t const esch_256_hash_algorithm; + +/** + * \brief Meta-information block for the Esch384 hash algorithm. + */ +extern aead_hash_algorithm_t const esch_384_hash_algorithm; + +/** + * \brief State information for the Esch256 incremental hash mode. + */ +typedef union +{ + struct { + unsigned char state[48]; /**< Current hash state */ + unsigned char block[16]; /**< Partial input data block */ + unsigned char count; /**< Number of bytes in the current block */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} esch_256_hash_state_t; + +/** + * \brief State information for the Esch384 incremental hash mode. + */ +typedef union +{ + struct { + unsigned char state[64]; /**< Current hash state */ + unsigned char block[16]; /**< Partial input data block */ + unsigned char count; /**< Number of bytes in the current block */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} esch_384_hash_state_t; + +/** + * \brief Encrypts and authenticates a packet with Schwaemm256-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 32 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_256_128_aead_decrypt() + */ +int schwaemm_256_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm256-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 32 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_256_128_aead_encrypt() + */ +int schwaemm_256_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm192-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 24 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 24 bytes in length. + * \param k Points to the 24 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_192_192_aead_decrypt() + */ +int schwaemm_192_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm192-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 24 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 24 bytes in length. + * \param k Points to the 24 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_192_192_aead_encrypt() + */ +int schwaemm_192_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm128-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_128_128_aead_decrypt() + */ +int schwaemm_128_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm128-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_128_128_aead_encrypt() + */ +int schwaemm_128_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm256-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_256_256_aead_decrypt() + */ +int schwaemm_256_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm256-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_256_256_aead_encrypt() + */ +int schwaemm_256_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with Esch256 to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ESCH_256_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int esch_256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an Esch256 hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash() + */ +void esch_256_hash_init(esch_256_hash_state_t *state); + +/** + * \brief Updates an Esch256 state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa esch_256_hash_init(), esch_256_hash_finalize() + */ +void esch_256_hash_update + (esch_256_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an Esch256 hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa esch_256_hash_init(), esch_256_hash_update() + */ +void esch_256_hash_finalize + (esch_256_hash_state_t *state, unsigned char *out); + +/** + * \brief Hashes a block of input data with Esch384 to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ESCH_384_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int esch_384_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an Esch384 hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash() + */ +void esch_384_hash_init(esch_384_hash_state_t *state); + +/** + * \brief Updates an Esch384 state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa esch_384_hash_init(), esch_384_hash_finalize() + */ +void esch_384_hash_update + (esch_384_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an Esch384 hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 48-byte hash value. + * + * \sa esch_384_hash_init(), esch_384_hash_update() + */ +void esch_384_hash_finalize + (esch_384_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/api.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/api.h new file mode 100644 index 0000000..c11fc10 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 32 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 32 +#define CRYPTO_ABYTES 32 +#define CRYPTO_NOOVERLAP 1 diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/encrypt.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/encrypt.c new file mode 100644 index 0000000..c5f15f6 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "sparkle.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return schwaemm_256_256_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return schwaemm_256_256_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.c new file mode 100644 index 0000000..822af50 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.c @@ -0,0 +1,366 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-sparkle.h" + +/* The 8 basic round constants from the specification */ +#define RC_0 0xB7E15162 +#define RC_1 0xBF715880 +#define RC_2 0x38B4DA56 +#define RC_3 0x324E7738 +#define RC_4 0xBB1185EB +#define RC_5 0x4F7C7B57 +#define RC_6 0xCFBFA1C8 +#define RC_7 0xC2B3293D + +/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */ +static uint32_t const sparkle_rc[12] = { + RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7, + RC_0, RC_1, RC_2, RC_3 +}; + +/** + * \brief Alzette block cipher that implements the ARXbox layer of the + * SPARKLE permutation. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + * \param k 32-bit round key. + */ +#define alzette(x, y, k) \ + do { \ + (x) += leftRotate1((y)); \ + (y) ^= leftRotate8((x)); \ + (x) ^= (k); \ + (x) += leftRotate15((y)); \ + (y) ^= leftRotate15((x)); \ + (x) ^= (k); \ + (x) += (y); \ + (y) ^= leftRotate1((x)); \ + (x) ^= (k); \ + (x) += leftRotate8((y)); \ + (y) ^= leftRotate16((x)); \ + (x) ^= (k); \ + } while (0) + +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3; + uint32_t y0, y1, y2, y3; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-256 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + + /* Linear layer */ + tx = x0 ^ x1; + ty = y0 ^ y1; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x3 ^ x1 ^ ty; + x3 = x1; + y0 = y3 ^ y1 ^ tx; + y3 = y1; + x1 = x2 ^ tw ^ ty; + x2 = tw; + y1 = y2 ^ tz ^ tx; + y2 = tz; + } + + /* Write the local variables back to the SPARKLE-256 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); +#endif +} + +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5; + uint32_t y0, y1, y2, y3, y4, y5; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-384 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2; + ty = y0 ^ y1 ^ y2; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x4 ^ x1 ^ ty; + x4 = x1; + y0 = y4 ^ y1 ^ tx; + y4 = y1; + x1 = x5 ^ x2 ^ ty; + x5 = x2; + y1 = y5 ^ y2 ^ tx; + y5 = y2; + x2 = x3 ^ tw ^ ty; + x3 = tw; + y2 = y3 ^ tz ^ tx; + y3 = tz; + } + + /* Write the local variables back to the SPARKLE-384 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); +#endif +} + +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t y0, y1, y2, y3, y4, y5, y6, y7; + uint32_t tx, ty, tz, tw; + unsigned step; + + /* Load the SPARKLE-512 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; + x6 = s[12]; + y6 = s[13]; + x7 = s[14]; + y7 = s[15]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); + x6 = le_load_word32((const uint8_t *)&(s[12])); + y6 = le_load_word32((const uint8_t *)&(s[13])); + x7 = le_load_word32((const uint8_t *)&(s[14])); + y7 = le_load_word32((const uint8_t *)&(s[15])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + alzette(x6, y6, RC_6); + alzette(x7, y7, RC_7); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2 ^ x3; + ty = y0 ^ y1 ^ y2 ^ y3; + tw = x0; + tz = y0; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + x0 = x5 ^ x1 ^ ty; + x5 = x1; + y0 = y5 ^ y1 ^ tx; + y5 = y1; + x1 = x6 ^ x2 ^ ty; + x6 = x2; + y1 = y6 ^ y2 ^ tx; + y6 = y2; + x2 = x7 ^ x3 ^ ty; + x7 = x3; + y2 = y7 ^ y3 ^ tx; + y7 = y3; + x3 = x4 ^ tw ^ ty; + x4 = tw; + y3 = y4 ^ tz ^ tx; + y4 = tz; + } + + /* Write the local variables back to the SPARKLE-512 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; + s[12] = x6; + s[13] = y6; + s[14] = x7; + s[15] = y7; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); + le_store_word32((uint8_t *)&(s[12]), x6); + le_store_word32((uint8_t *)&(s[13]), y6); + le_store_word32((uint8_t *)&(s[14]), x7); + le_store_word32((uint8_t *)&(s[15]), y7); +#endif +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.h new file mode 100644 index 0000000..fbdabc1 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.h @@ -0,0 +1,82 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPARKLE_H +#define LW_INTERNAL_SPARKLE_H + +#include "internal-util.h" + +/** + * \file internal-sparkle.h + * \brief Internal implementation of the SPARKLE permutation. + * + * References: https://www.cryptolux.org/index.php/Sparkle + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for SPARKLE-256. + */ +#define SPARKLE_256_STATE_SIZE 8 + +/** + * \brief Size of the state for SPARKLE-384. + */ +#define SPARKLE_384_STATE_SIZE 12 + +/** + * \brief Size of the state for SPARKLE-512. + */ +#define SPARKLE_512_STATE_SIZE 16 + +/** + * \brief Performs the SPARKLE-256 permutation. + * + * \param s The words of the SPARKLE-256 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 10. + */ +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps); + +/** + * \brief Performs the SPARKLE-384 permutation. + * + * \param s The words of the SPARKLE-384 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 11. + */ +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps); + +/** + * \brief Performs the SPARKLE-512 permutation. + * + * \param s The words of the SPARKLE-512 state in little-endian byte order. + * \param steps The number of steps to perform, 8 or 12. + */ +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.c new file mode 100644 index 0000000..b357de6 --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.c @@ -0,0 +1,1123 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "sparkle.h" +#include "internal-sparkle.h" +#include + +aead_cipher_t const schwaemm_256_128_cipher = { + "Schwaemm256-128", + SCHWAEMM_256_128_KEY_SIZE, + SCHWAEMM_256_128_NONCE_SIZE, + SCHWAEMM_256_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_128_aead_encrypt, + schwaemm_256_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_192_192_cipher = { + "Schwaemm192-192", + SCHWAEMM_192_192_KEY_SIZE, + SCHWAEMM_192_192_NONCE_SIZE, + SCHWAEMM_192_192_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_192_192_aead_encrypt, + schwaemm_192_192_aead_decrypt +}; + +aead_cipher_t const schwaemm_128_128_cipher = { + "Schwaemm128-128", + SCHWAEMM_128_128_KEY_SIZE, + SCHWAEMM_128_128_NONCE_SIZE, + SCHWAEMM_128_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_128_128_aead_encrypt, + schwaemm_128_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_256_256_cipher = { + "Schwaemm256-256", + SCHWAEMM_256_256_KEY_SIZE, + SCHWAEMM_256_256_NONCE_SIZE, + SCHWAEMM_256_256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_256_aead_encrypt, + schwaemm_256_256_aead_decrypt +}; + +aead_hash_algorithm_t const esch_256_hash_algorithm = { + "Esch256", + sizeof(esch_256_hash_state_t), + ESCH_256_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_256_hash, + (aead_hash_init_t)esch_256_hash_init, + (aead_hash_update_t)esch_256_hash_update, + (aead_hash_finalize_t)esch_256_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const esch_384_hash_algorithm = { + "Esch384", + sizeof(esch_384_hash_state_t), + ESCH_384_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_384_hash, + (aead_hash_init_t)esch_384_hash_init, + (aead_hash_update_t)esch_384_hash_update, + (aead_hash_finalize_t)esch_384_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \def DOMAIN(value) + * \brief Build a domain separation value as a 32-bit word. + * + * \param value The base value. + * \return The domain separation value as a 32-bit word. + */ +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define DOMAIN(value) (((uint32_t)(value)) << 24) +#else +#define DOMAIN(value) (value) +#endif + +/** + * \brief Rate at which bytes are processed by Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RIGHT(s) \ + (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_256_128_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + uint32_t t3 = s[3]; \ + if ((domain) != 0) \ + s[11] ^= DOMAIN(domain); \ + s[0] = s[4] ^ s[8]; \ + s[1] = s[5] ^ s[9]; \ + s[2] = s[6] ^ s[10]; \ + s[3] = s[7] ^ s[11]; \ + s[4] ^= t0 ^ s[8]; \ + s[5] ^= t1 ^ s[9]; \ + s[6] ^= t2 ^ s[10]; \ + s[7] ^= t3 ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_256_128_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_128_RATE) { + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_256_128_RATE; + adlen -= SCHWAEMM_256_128_RATE; + } + if (adlen == SCHWAEMM_256_128_RATE) { + schwaemm_256_128_rho(s, 0x05); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_256_128_rho(s, 0x04); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_256_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_128_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_256_128_RATE); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + mlen -= SCHWAEMM_256_128_RATE; + } + if (mlen == SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + memcpy(c, block, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_256_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return 0; +} + +int schwaemm_256_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + clen -= SCHWAEMM_256_128_RATE; + } + if (clen == SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_256_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RATE 24 + +/** + * \brief Pointer to the left of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RIGHT(s) \ + (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_192_192_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + if ((domain) != 0) \ + s[11] ^= DOMAIN(domain); \ + s[0] = s[3] ^ s[6]; \ + s[1] = s[4] ^ s[7]; \ + s[2] = s[5] ^ s[8]; \ + s[3] ^= t0 ^ s[9]; \ + s[4] ^= t1 ^ s[10]; \ + s[5] ^= t2 ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_192_192_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_192_192_RATE) { + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_192_192_RATE; + adlen -= SCHWAEMM_192_192_RATE; + } + if (adlen == SCHWAEMM_192_192_RATE) { + schwaemm_192_192_rho(s, 0x09); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_192_192_rho(s, 0x08); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_192_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_192_192_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_192_192_RATE); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + mlen -= SCHWAEMM_192_192_RATE; + } + if (mlen == SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x0B); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + memcpy(c, block, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_192_192_rho(s, 0x0A); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return 0; +} + +int schwaemm_192_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_192_192_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_192_192_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + clen -= SCHWAEMM_192_192_RATE; + } + if (clen == SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s, 0x0B); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_192_192_rho(s, 0x0A); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RATE 16 + +/** + * \brief Pointer to the left of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RIGHT(s) \ + (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_128_128_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + if ((domain) != 0) \ + s[7] ^= DOMAIN(domain); \ + s[0] = s[2] ^ s[4]; \ + s[1] = s[3] ^ s[5]; \ + s[2] ^= t0 ^ s[6]; \ + s[3] ^= t1 ^ s[7]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_128_128_authenticate + (uint32_t s[SPARKLE_256_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_128_128_RATE) { + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + ad += SCHWAEMM_128_128_RATE; + adlen -= SCHWAEMM_128_128_RATE; + } + if (adlen == SCHWAEMM_128_128_RATE) { + schwaemm_128_128_rho(s, 0x05); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_128_128_rho(s, 0x04); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_256(s, 10); +} + +int schwaemm_128_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_256_STATE_SIZE]; + uint8_t block[SCHWAEMM_128_128_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_128_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); + memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); + sparkle_256(s, 10); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_128_128_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + memcpy(c, block, SCHWAEMM_128_128_RATE); + c += SCHWAEMM_128_128_RATE; + m += SCHWAEMM_128_128_RATE; + mlen -= SCHWAEMM_128_128_RATE; + } + if (mlen == SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + memcpy(c, block, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_128_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_256(s, 10); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return 0; +} + +int schwaemm_128_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_256_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_128_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_128_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); + memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); + sparkle_256(s, 10); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_128_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_128_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + c += SCHWAEMM_128_128_RATE; + m += SCHWAEMM_128_128_RATE; + clen -= SCHWAEMM_128_128_RATE; + } + if (clen == SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s, 0x07); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_128_128_rho(s, 0x06); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_256(s, 10); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RIGHT(s) \ + (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + * \param domain Domain separator for this phase. + */ +#define schwaemm_256_256_rho(s, domain) \ + do { \ + uint32_t t0 = s[0]; \ + uint32_t t1 = s[1]; \ + uint32_t t2 = s[2]; \ + uint32_t t3 = s[3]; \ + if ((domain) != 0) \ + s[15] ^= DOMAIN(domain); \ + s[0] = s[4] ^ s[8]; \ + s[1] = s[5] ^ s[9]; \ + s[2] = s[6] ^ s[10]; \ + s[3] = s[7] ^ s[11]; \ + s[4] ^= t0 ^ s[12]; \ + s[5] ^= t1 ^ s[13]; \ + s[6] ^= t2 ^ s[14]; \ + s[7] ^= t3 ^ s[15]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. + */ +static void schwaemm_256_256_authenticate + (uint32_t s[SPARKLE_512_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_256_RATE) { + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + ad += SCHWAEMM_256_256_RATE; + adlen -= SCHWAEMM_256_256_RATE; + } + if (adlen == SCHWAEMM_256_256_RATE) { + schwaemm_256_256_rho(s, 0x11); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)adlen; + schwaemm_256_256_rho(s, 0x10); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); +} + +int schwaemm_256_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_256_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + memcpy(c, block, SCHWAEMM_256_256_RATE); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + mlen -= SCHWAEMM_256_256_RATE; + } + if (mlen == SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x13); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + memcpy(c, block, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + schwaemm_256_256_rho(s, 0x12); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_512(s, 12); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return 0; +} + +int schwaemm_256_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_256_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_256_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x00); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + clen -= SCHWAEMM_256_256_RATE; + } + if (clen == SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s, 0x13); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + schwaemm_256_256_rho(s, 0x12); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Esch256. + */ +#define ESCH_256_RATE 16 + +/** + * \brief Perform the M3 step for Esch256 to mix the input with the state. + * + * \param s SPARKLE-384 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_256_m3(s, block, domain) \ + do { \ + uint32_t tx = (block)[0] ^ (block)[2]; \ + uint32_t ty = (block)[1] ^ (block)[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= (block)[0] ^ ty; \ + s[1] ^= (block)[1] ^ tx; \ + s[2] ^= (block)[2] ^ ty; \ + s[3] ^= (block)[3] ^ tx; \ + if ((domain) != 0) \ + s[5] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + } while (0) + +/** @cond esch_256 */ + +/** + * \brief Word-based state for the Esch256 incremental hash mode. + */ +typedef union +{ + struct { + uint32_t state[SPARKLE_384_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_256_hash_state_wt; + +/** @endcond */ + +int esch_256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x00); + sparkle_384(s, 7); + in += ESCH_256_RATE; + inlen -= ESCH_256_RATE; + } + if (inlen == ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(s, block, 0x01); + } + sparkle_384(s, 11); + memcpy(out, s, ESCH_256_RATE); + sparkle_384(s, 7); + memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE); + return 0; +} + +void esch_256_hash_init(esch_256_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_256_hash_state_t)); +} + +void esch_256_hash_update + (esch_256_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, st->s.block, 0x00); + sparkle_384(st->s.state, 7); + st->s.count = 0; + } + temp = ESCH_256_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_256_hash_finalize + (esch_256_hash_state_t *state, unsigned char *out) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + + /* Pad and process the last block */ + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(st->s.state, st->s.block, 0x01); + } + sparkle_384(st->s.state, 11); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_256_RATE); + sparkle_384(st->s.state, 7); + memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE); +} + +/** + * \brief Rate at which bytes are processed by Esch384. + */ +#define ESCH_384_RATE 16 + +/** + * \brief Perform the M4 step for Esch384 to mix the input with the state. + * + * \param s SPARKLE-512 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_384_m4(s, block, domain) \ + do { \ + uint32_t tx = block[0] ^ block[2]; \ + uint32_t ty = block[1] ^ block[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= block[0] ^ ty; \ + s[1] ^= block[1] ^ tx; \ + s[2] ^= block[2] ^ ty; \ + s[3] ^= block[3] ^ tx; \ + if ((domain) != 0) \ + s[7] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + s[6] ^= ty; \ + s[7] ^= tx; \ + } while (0) + +/** @cond esch_384 */ + +/** + * \brief Word-based state for the Esch384 incremental hash mode. + */ +typedef union +{ + struct { + uint32_t state[SPARKLE_512_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_384_hash_state_wt; + +/** @endcond */ + +int esch_384_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x00); + sparkle_512(s, 8); + in += ESCH_384_RATE; + inlen -= ESCH_384_RATE; + } + if (inlen == ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(s, block, 0x01); + } + sparkle_512(s, 12); + memcpy(out, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE); + return 0; +} + +void esch_384_hash_init(esch_384_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_384_hash_state_t)); +} + +void esch_384_hash_update + (esch_384_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x00); + sparkle_512(st->s.state, 8); + st->s.count = 0; + } + temp = ESCH_384_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_384_hash_finalize + (esch_384_hash_state_t *state, unsigned char *out) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + + /* Pad and process the last block */ + if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(st->s.state, st->s.block, 0x01); + } + sparkle_512(st->s.state, 12); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE); +} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.h new file mode 100644 index 0000000..dd0999e --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.h @@ -0,0 +1,515 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPARKLE_H +#define LWCRYPTO_SPARKLE_H + +#include "aead-common.h" + +/** + * \file sparkle.h + * \brief Encryption and hash algorithms based on the SPARKLE permutation. + * + * SPARKLE is a family of encryption and hash algorithms that are based + * around the SPARKLE permutation. There are three versions of the + * permutation with 256-bit, 384-bit, and 512-bit state sizes. + * The algorithms in the family are: + * + * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag. + * This is the primary encryption algorithm in the family. + * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag. + * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag. + * \li Esch256 hash algorithm with a 256-bit digest output. This is the + * primary hash algorithm in the family. + * \li Esch384 hash algorithm with a 384-bit digest output. + * + * References: https://www.cryptolux.org/index.php/Sparkle + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_NONCE_SIZE 32 + +/** + * \brief Size of the key for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_TAG_SIZE 24 + +/** + * \brief Size of the nonce for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_NONCE_SIZE 24 + +/** + * \brief Size of the key for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_TAG_SIZE 32 + +/** + * \brief Size of the nonce for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_NONCE_SIZE 32 + +/** + * \brief Size of the hash output for Esch256. + */ +#define ESCH_256_HASH_SIZE 32 + +/** + * \brief Size of the hash output for Esch384. + */ +#define ESCH_384_HASH_SIZE 48 + +/** + * \brief Meta-information block for the Schwaemm256-128 cipher. + */ +extern aead_cipher_t const schwaemm_256_128_cipher; + +/** + * \brief Meta-information block for the Schwaemm192-192 cipher. + */ +extern aead_cipher_t const schwaemm_192_192_cipher; + +/** + * \brief Meta-information block for the Schwaemm128-128 cipher. + */ +extern aead_cipher_t const schwaemm_128_128_cipher; + +/** + * \brief Meta-information block for the Schwaemm256-256 cipher. + */ +extern aead_cipher_t const schwaemm_256_256_cipher; + +/** + * \brief Meta-information block for the Esch256 hash algorithm. + */ +extern aead_hash_algorithm_t const esch_256_hash_algorithm; + +/** + * \brief Meta-information block for the Esch384 hash algorithm. + */ +extern aead_hash_algorithm_t const esch_384_hash_algorithm; + +/** + * \brief State information for the Esch256 incremental hash mode. + */ +typedef union +{ + struct { + unsigned char state[48]; /**< Current hash state */ + unsigned char block[16]; /**< Partial input data block */ + unsigned char count; /**< Number of bytes in the current block */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} esch_256_hash_state_t; + +/** + * \brief State information for the Esch384 incremental hash mode. + */ +typedef union +{ + struct { + unsigned char state[64]; /**< Current hash state */ + unsigned char block[16]; /**< Partial input data block */ + unsigned char count; /**< Number of bytes in the current block */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} esch_384_hash_state_t; + +/** + * \brief Encrypts and authenticates a packet with Schwaemm256-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 32 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_256_128_aead_decrypt() + */ +int schwaemm_256_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm256-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 32 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_256_128_aead_encrypt() + */ +int schwaemm_256_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm192-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 24 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 24 bytes in length. + * \param k Points to the 24 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_192_192_aead_decrypt() + */ +int schwaemm_192_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm192-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 24 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 24 bytes in length. + * \param k Points to the 24 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_192_192_aead_encrypt() + */ +int schwaemm_192_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm128-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_128_128_aead_decrypt() + */ +int schwaemm_128_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm128-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_128_128_aead_encrypt() + */ +int schwaemm_128_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Schwaemm256-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa schwaemm_256_256_aead_decrypt() + */ +int schwaemm_256_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Schwaemm256-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa schwaemm_256_256_aead_encrypt() + */ +int schwaemm_256_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with Esch256 to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ESCH_256_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int esch_256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an Esch256 hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash() + */ +void esch_256_hash_init(esch_256_hash_state_t *state); + +/** + * \brief Updates an Esch256 state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa esch_256_hash_init(), esch_256_hash_finalize() + */ +void esch_256_hash_update + (esch_256_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an Esch256 hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa esch_256_hash_init(), esch_256_hash_update() + */ +void esch_256_hash_finalize + (esch_256_hash_state_t *state, unsigned char *out); + +/** + * \brief Hashes a block of input data with Esch384 to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ESCH_384_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int esch_384_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for an Esch384 hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash() + */ +void esch_384_hash_init(esch_384_hash_state_t *state); + +/** + * \brief Updates an Esch384 state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa esch_384_hash_init(), esch_384_hash_finalize() + */ +void esch_384_hash_update + (esch_384_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from an Esch384 hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 48-byte hash value. + * + * \sa esch_384_hash_init(), esch_384_hash_update() + */ +void esch_384_hash_finalize + (esch_384_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.c b/spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.h b/spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/api.h b/spix/Implementations/crypto_aead/spix128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/encrypt.c b/spix/Implementations/crypto_aead/spix128v1/rhys/encrypt.c new file mode 100644 index 0000000..facb770 --- /dev/null +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "spix.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return spix_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return spix_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.c b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.c new file mode 100644 index 0000000..69b4519 --- /dev/null +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.c @@ -0,0 +1,408 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-sliscp-light.h" + +/** + * \brief Performs one round of the Simeck-64 block cipher. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + */ +#define simeck64_round(x, y) \ + do { \ + (y) ^= (leftRotate5((x)) & (x)) ^ leftRotate1((x)) ^ \ + 0xFFFFFFFEU ^ (_rc & 1); \ + _rc >>= 1; \ + } while (0) + +/** + * \brief Encrypts a 64-bit block with the 8 round version of Simeck-64. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + * \param rc Round constants for the 8 rounds, 1 bit per round. + * + * It is assumed that the two halves have already been converted from + * big-endian to host byte order before calling this function. The output + * halves will also be in host byte order. + */ +#define simeck64_box(x, y, rc) \ + do { \ + unsigned char _rc = (rc); \ + simeck64_round(x, y); /* Round 1 */ \ + simeck64_round(y, x); /* Round 2 */ \ + simeck64_round(x, y); /* Round 3 */ \ + simeck64_round(y, x); /* Round 4 */ \ + simeck64_round(x, y); /* Round 5 */ \ + simeck64_round(y, x); /* Round 6 */ \ + simeck64_round(x, y); /* Round 7 */ \ + simeck64_round(y, x); /* Round 8 */ \ + } while (0) + +/* Helper macros for 48-bit left rotations */ +#define leftRotate5_48(x) (((x) << 5) | ((x) >> 19)) +#define leftRotate1_48(x) (((x) << 1) | ((x) >> 23)) + +/** + * \brief Performs one round of the Simeck-48 block cipher. + * + * \param x Left half of the 48-bit block. + * \param y Right half of the 48-bit block. + */ +#define simeck48_round(x, y) \ + do { \ + (y) ^= (leftRotate5_48((x)) & (x)) ^ leftRotate1_48((x)) ^ \ + 0x00FFFFFEU ^ (_rc & 1); \ + (y) &= 0x00FFFFFFU; \ + _rc >>= 1; \ + } while (0) + +/** + * \brief Encrypts a 48-bit block with the 6 round version of Simeck-48. + * + * \param x Left half of the 48-bit block. + * \param y Right half of the 48-bit block. + * \param rc Round constants for the 8 rounds, 1 bit per round. + * + * It is assumed that the two halves have already been converted from + * big-endian to host byte order before calling this function. The output + * halves will also be in host byte order. + */ +#define simeck48_box(x, y, rc) \ + do { \ + unsigned char _rc = (rc); \ + simeck48_round(x, y); /* Round 1 */ \ + simeck48_round(y, x); /* Round 2 */ \ + simeck48_round(x, y); /* Round 3 */ \ + simeck48_round(y, x); /* Round 4 */ \ + simeck48_round(x, y); /* Round 5 */ \ + simeck48_round(y, x); /* Round 6 */ \ + } while (0) + +/* Interleaved rc0, rc1, sc0, and sc1 values for each round */ +static unsigned char const sliscp_light256_RC[18 * 4] = { + 0x0f, 0x47, 0x08, 0x64, 0x04, 0xb2, 0x86, 0x6b, + 0x43, 0xb5, 0xe2, 0x6f, 0xf1, 0x37, 0x89, 0x2c, + 0x44, 0x96, 0xe6, 0xdd, 0x73, 0xee, 0xca, 0x99, + 0xe5, 0x4c, 0x17, 0xea, 0x0b, 0xf5, 0x8e, 0x0f, + 0x47, 0x07, 0x64, 0x04, 0xb2, 0x82, 0x6b, 0x43, + 0xb5, 0xa1, 0x6f, 0xf1, 0x37, 0x78, 0x2c, 0x44, + 0x96, 0xa2, 0xdd, 0x73, 0xee, 0xb9, 0x99, 0xe5, + 0x4c, 0xf2, 0xea, 0x0b, 0xf5, 0x85, 0x0f, 0x47, + 0x07, 0x23, 0x04, 0xb2, 0x82, 0xd9, 0x43, 0xb5 +}; + +void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds) +{ + const unsigned char *rc = sliscp_light256_RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 4); + x2 = be_load_word32(block + 8); + x3 = be_load_word32(block + 24); /* Assumes the block is pre-swapped */ + x4 = be_load_word32(block + 16); + x5 = be_load_word32(block + 20); + x6 = be_load_word32(block + 12); + x7 = be_load_word32(block + 28); + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds, rc += 4) { + /* Apply Simeck-64 to two of the 64-bit sub-blocks */ + simeck64_box(x2, x3, rc[0]); + simeck64_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0xFFFFFFFFU; + x1 ^= 0xFFFFFF00U ^ rc[2]; + x4 ^= 0xFFFFFFFFU; + x5 ^= 0xFFFFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 4, x1); + be_store_word32(block + 8, x2); + be_store_word32(block + 24, x3); /* Assumes the block is pre-swapped */ + be_store_word32(block + 16, x4); + be_store_word32(block + 20, x5); + be_store_word32(block + 12, x6); + be_store_word32(block + 28, x7); +} + +void sliscp_light256_swap_spix(unsigned char block[32]) +{ + uint32_t t1, t2; + t1 = le_load_word32(block + 12); + t2 = le_load_word32(block + 24); + le_store_word32(block + 24, t1); + le_store_word32(block + 12, t2); +} + +void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds) +{ + const unsigned char *rc = sliscp_light256_RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 4); + x2 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ + x3 = be_load_word32(block + 20); + x4 = be_load_word32(block + 8); + x5 = be_load_word32(block + 12); + x6 = be_load_word32(block + 24); + x7 = be_load_word32(block + 28); + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds, rc += 4) { + /* Apply Simeck-64 to two of the 64-bit sub-blocks */ + simeck64_box(x2, x3, rc[0]); + simeck64_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0xFFFFFFFFU; + x1 ^= 0xFFFFFF00U ^ rc[2]; + x4 ^= 0xFFFFFFFFU; + x5 ^= 0xFFFFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 4, x1); + be_store_word32(block + 16, x2); /* Assumes the block is pre-swapped */ + be_store_word32(block + 20, x3); + be_store_word32(block + 8, x4); + be_store_word32(block + 12, x5); + be_store_word32(block + 24, x6); + be_store_word32(block + 28, x7); +} + +void sliscp_light256_swap_spoc(unsigned char block[32]) +{ + uint64_t t1, t2; + t1 = le_load_word64(block + 8); + t2 = le_load_word64(block + 16); + le_store_word64(block + 16, t1); + le_store_word64(block + 8, t2); +} + +/* Load a big-endian 24-bit word from a byte buffer */ +#define be_load_word24(ptr) \ + ((((uint32_t)((ptr)[0])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[2]))) + +/* Store a big-endian 24-bit word into a byte buffer */ +#define be_store_word24(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 16); \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)_x; \ + } while (0) + +void sliscp_light192_permute(unsigned char block[24]) +{ + /* Interleaved rc0, rc1, sc0, and sc1 values for each round */ + static unsigned char const RC[18 * 4] = { + 0x07, 0x27, 0x08, 0x29, 0x04, 0x34, 0x0c, 0x1d, + 0x06, 0x2e, 0x0a, 0x33, 0x25, 0x19, 0x2f, 0x2a, + 0x17, 0x35, 0x38, 0x1f, 0x1c, 0x0f, 0x24, 0x10, + 0x12, 0x08, 0x36, 0x18, 0x3b, 0x0c, 0x0d, 0x14, + 0x26, 0x0a, 0x2b, 0x1e, 0x15, 0x2f, 0x3e, 0x31, + 0x3f, 0x38, 0x01, 0x09, 0x20, 0x24, 0x21, 0x2d, + 0x30, 0x36, 0x11, 0x1b, 0x28, 0x0d, 0x39, 0x16, + 0x3c, 0x2b, 0x05, 0x3d, 0x22, 0x3e, 0x27, 0x03, + 0x13, 0x01, 0x34, 0x02, 0x1a, 0x21, 0x2e, 0x23 + }; + const unsigned char *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + unsigned round; + + /* Load the block into local state variables. Each 24-bit block is + * placed into a separate 32-bit word which improves efficiency below */ + x0 = be_load_word24(block); + x1 = be_load_word24(block + 3); + x2 = be_load_word24(block + 6); + x3 = be_load_word24(block + 9); + x4 = be_load_word24(block + 12); + x5 = be_load_word24(block + 15); + x6 = be_load_word24(block + 18); + x7 = be_load_word24(block + 21); + + /* Perform all permutation rounds */ + for (round = 0; round < 18; ++round, rc += 4) { + /* Apply Simeck-48 to two of the 48-bit sub-blocks */ + simeck48_box(x2, x3, rc[0]); + simeck48_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0x00FFFFFFU; + x1 ^= 0x00FFFF00U ^ rc[2]; + x4 ^= 0x00FFFFFFU; + x5 ^= 0x00FFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word24(block, x0); + be_store_word24(block + 3, x1); + be_store_word24(block + 6, x2); + be_store_word24(block + 9, x3); + be_store_word24(block + 12, x4); + be_store_word24(block + 15, x5); + be_store_word24(block + 18, x6); + be_store_word24(block + 21, x7); +} + +void sliscp_light320_permute(unsigned char block[40]) +{ + /* Interleaved rc0, rc1, rc2, sc0, sc1, and sc2 values for each round */ + static unsigned char const RC[16 * 6] = { + 0x07, 0x53, 0x43, 0x50, 0x28, 0x14, 0x0a, 0x5d, + 0xe4, 0x5c, 0xae, 0x57, 0x9b, 0x49, 0x5e, 0x91, + 0x48, 0x24, 0xe0, 0x7f, 0xcc, 0x8d, 0xc6, 0x63, + 0xd1, 0xbe, 0x32, 0x53, 0xa9, 0x54, 0x1a, 0x1d, + 0x4e, 0x60, 0x30, 0x18, 0x22, 0x28, 0x75, 0x68, + 0x34, 0x9a, 0xf7, 0x6c, 0x25, 0xe1, 0x70, 0x38, + 0x62, 0x82, 0xfd, 0xf6, 0x7b, 0xbd, 0x96, 0x47, + 0xf9, 0x9d, 0xce, 0x67, 0x71, 0x6b, 0x76, 0x40, + 0x20, 0x10, 0xaa, 0x88, 0xa0, 0x4f, 0x27, 0x13, + 0x2b, 0xdc, 0xb0, 0xbe, 0x5f, 0x2f, 0xe9, 0x8b, + 0x09, 0x5b, 0xad, 0xd6, 0xcf, 0x59, 0x1e, 0xe9, + 0x74, 0xba, 0xb7, 0xc6, 0xad, 0x7f, 0x3f, 0x1f + }; + const unsigned char *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9; + uint32_t t0, t1; + unsigned round; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ + x2 = be_load_word32(block + 8); + x3 = be_load_word32(block + 12); + x4 = be_load_word32(block + 4); + x5 = be_load_word32(block + 20); + x6 = be_load_word32(block + 24); + x7 = be_load_word32(block + 28); + x8 = be_load_word32(block + 32); + x9 = be_load_word32(block + 36); + + /* Perform all permutation rounds */ + for (round = 0; round < 16; ++round, rc += 6) { + /* Apply Simeck-64 to three of the 64-bit sub-blocks */ + simeck64_box(x0, x1, rc[0]); + simeck64_box(x4, x5, rc[1]); + simeck64_box(x8, x9, rc[2]); + x6 ^= x8; + x7 ^= x9; + x2 ^= x4; + x3 ^= x5; + x8 ^= x0; + x9 ^= x1; + + /* Add step constants */ + x2 ^= 0xFFFFFFFFU; + x3 ^= 0xFFFFFF00U ^ rc[3]; + x6 ^= 0xFFFFFFFFU; + x7 ^= 0xFFFFFF00U ^ rc[4]; + x8 ^= 0xFFFFFFFFU; + x9 ^= 0xFFFFFF00U ^ rc[5]; + + /* Rotate the sub-blocks */ + t0 = x8; + t1 = x9; + x8 = x2; + x9 = x3; + x2 = x4; + x3 = x5; + x4 = x0; + x5 = x1; + x0 = x6; + x1 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 16, x1); /* Assumes the block is pre-swapped */ + be_store_word32(block + 8, x2); + be_store_word32(block + 12, x3); + be_store_word32(block + 4, x4); + be_store_word32(block + 20, x5); + be_store_word32(block + 24, x6); + be_store_word32(block + 28, x7); + be_store_word32(block + 32, x8); + be_store_word32(block + 36, x9); +} + +void sliscp_light320_swap(unsigned char block[40]) +{ + uint32_t t1, t2; + t1 = le_load_word32(block + 4); + t2 = le_load_word32(block + 16); + le_store_word32(block + 16, t1); + le_store_word32(block + 4, t2); +} diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.h b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.h new file mode 100644 index 0000000..fa6b9ba --- /dev/null +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.h @@ -0,0 +1,169 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SLISCP_LIGHT_H +#define LW_INTERNAL_SLISCP_LIGHT_H + +/** + * \file internal-sliscp-light.h + * \brief sLiSCP-light permutation + * + * There are three variants of sLiSCP-light in use in the NIST submissions: + * + * \li sLiSCP-light-256 with a 256-bit block size, used in SPIX and SpoC. + * \li sLiSCP-light-192 with a 192-bit block size, used in SpoC. + * \li sLiSCP-light-320 with a 320-bit block size, used in ACE. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/ace, + * https://uwaterloo.ca/communications-security-lab/lwc/spix, + * https://uwaterloo.ca/communications-security-lab/lwc/spoc + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for sLiSCP-light-256. + */ +#define SLISCP_LIGHT256_STATE_SIZE 32 + +/** + * \brief Size of the state for sLiSCP-light-192. + */ +#define SLISCP_LIGHT192_STATE_SIZE 24 + +/** + * \brief Size of the state for sLiSCP-light-320. + */ +#define SLISCP_LIGHT320_STATE_SIZE 40 + +/** + * \brief Performs the sLiSCP-light permutation on a 256-bit block. + * + * \param block Points to the block to be permuted. + * \param rounds Number of rounds to be performed, usually 9 or 18. + * + * The bytes of the block are assumed to be rearranged to match the + * requirements of the SPIX cipher. SPIX places the rate bytes at + * positions 8, 9, 10, 11, 24, 25, 26, and 27. + * + * This function assumes that bytes 24-27 have been pre-swapped with + * bytes 12-15 so that the rate portion of the state is contiguous. + * + * The sliscp_light256_swap_spix() function can be used to switch + * between the canonical order and the pre-swapped order. + * + * \sa sliscp_light256_swap_spix() + */ +void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SPIX. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light256_permute_spix() + */ +void sliscp_light256_swap_spix(unsigned char block[32]); + +/** + * \brief Performs the sLiSCP-light permutation on a 256-bit block. + * + * \param block Points to the block to be permuted. + * \param rounds Number of rounds to be performed, usually 9 or 18. + * + * The bytes of the block are assumed to be rearranged to match the + * requirements of the SpoC-128 cipher. SpoC-128 interleaves the + * rate bytes and the mask bytes. This version assumes that the + * rate and mask are in contiguous bytes of the state. + * + * SpoC-128 absorbs bytes using the mask bytes of the state at offsets + * 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, and 31. + * It squeezes bytes using the rate bytes of the state at offsets + * 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, and 23. + * + * This function assumes that bytes 8-15 have been pre-swapped with 16-23 + * so that the rate and mask portions of the state are contiguous. + * + * The sliscp_light256_swap_spoc() function can be used to switch + * between the canonical order and the pre-swapped order. + * + * \sa sliscp_light256_swap_spoc() + */ +void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light256_permute_spoc() + */ +void sliscp_light256_swap_spoc(unsigned char block[32]); + +/** + * \brief Performs the sLiSCP-light permutation on a 192-bit block. + * + * \param block Points to the block to be permuted. + */ +void sliscp_light192_permute(unsigned char block[24]); + +/** + * \brief Performs the sLiSCP-light permutation on a 320-bit block. + * + * \param block Points to the block to be permuted. + * + * The ACE specification refers to this permutation as "ACE" but that + * can be confused with the name of the AEAD mode so we call this + * permutation "sLiSCP-light-320" instead. + * + * ACE absorbs and squeezes data at the rate bytes 0, 1, 2, 3, 16, 17, 18, 19. + * Efficiency can suffer because of the discontinuity in rate byte positions. + * + * To counteract this, we assume that the input to the permutation has been + * pre-swapped: bytes 4, 5, 6, 7 are swapped with bytes 16, 17, 18, 19 so + * that the rate is contiguous at the start of the state. + * + * The sliscp_light320_swap() function can be used to switch between the + * canonical order and the pre-swapped order. + * + * \sa sliscp_light320_swap() + */ +void sliscp_light320_permute(unsigned char block[40]); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 320-bit block. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light320_permute() + */ +void sliscp_light320_swap(unsigned char block[40]); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-util.h b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/spix.c b/spix/Implementations/crypto_aead/spix128v1/rhys/spix.c new file mode 100644 index 0000000..7fc8f6a --- /dev/null +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/spix.c @@ -0,0 +1,211 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "spix.h" +#include "internal-sliscp-light.h" +#include "internal-util.h" +#include + +/** + * \brief Size of the state for the internal sLiSCP-light permutation. + */ +#define SPIX_STATE_SIZE SLISCP_LIGHT256_STATE_SIZE + +/** + * \brief Rate for absorbing data into the sLiSCP-light state and for + * squeezing data out again. + */ +#define SPIX_RATE 8 + +aead_cipher_t const spix_cipher = { + "SPIX", + SPIX_KEY_SIZE, + SPIX_NONCE_SIZE, + SPIX_TAG_SIZE, + AEAD_FLAG_NONE, + spix_aead_encrypt, + spix_aead_decrypt +}; + +/* Indices of where a rate byte is located in the state. We don't + * need this array any more because sliscp_light256_permute_spix() + * operates on byte-swapped states where the rate bytes are contiguous + * in the bytes 8 to 15 */ +/* +static unsigned char const spix_rate_posn[8] = { + 8, 9, 10, 11, 24, 25, 26, 27 +}; +*/ + +/** + * \brief Initializes the SPIX state. + * + * \param state sLiSCP-light-256 permutation state. + * \param k Points to the 128-bit key. + * \param npub Points to the 128-bit nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void spix_init + (unsigned char state[SPIX_STATE_SIZE], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state by interleaving the key and nonce */ + memcpy(state, npub, 8); + memcpy(state + 8, k, 8); + memcpy(state + 16, npub + 8, 8); + memcpy(state + 24, k + 8, 8); + sliscp_light256_swap_spix(state); + + /* Run the permutation to scramble the initial state */ + sliscp_light256_permute_spix(state, 18); + + /* Absorb the key in two further permutation operations */ + lw_xor_block(state + 8, k, 8); + sliscp_light256_permute_spix(state, 18); + lw_xor_block(state + 8, k + 8, 8); + sliscp_light256_permute_spix(state, 18); + + /* Absorb the associated data into the state */ + if (adlen != 0) { + while (adlen >= SPIX_RATE) { + lw_xor_block(state + 8, ad, SPIX_RATE); + state[SPIX_STATE_SIZE - 1] ^= 0x01; /* domain separation */ + sliscp_light256_permute_spix(state, 9); + ad += SPIX_RATE; + adlen -= SPIX_RATE; + } + temp = (unsigned)adlen; + lw_xor_block(state + 8, ad, temp); + state[temp + 8] ^= 0x80; /* padding */ + state[SPIX_STATE_SIZE - 1] ^= 0x01; /* domain separation */ + sliscp_light256_permute_spix(state, 9); + } +} + +/** + * \brief Finalizes the SPIX encryption or decryption operation. + * + * \param state sLiSCP-light-256 permutation state. + * \param k Points to the 128-bit key. + * \param tag Points to the 16 byte buffer to receive the computed tag. + */ +static void spix_finalize + (unsigned char state[SPIX_STATE_SIZE], const unsigned char *k, + unsigned char *tag) +{ + /* Absorb the key into the state again */ + lw_xor_block(state + 8, k, 8); + sliscp_light256_permute_spix(state, 18); + lw_xor_block(state + 8, k + 8, 8); + sliscp_light256_permute_spix(state, 18); + + /* Copy out the authentication tag */ + sliscp_light256_swap_spix(state); + memcpy(tag, state + 8, 8); + memcpy(tag + 8, state + 24, 8); +} + +int spix_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPIX_STATE_SIZE]; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPIX_TAG_SIZE; + + /* Initialize the SPIX state and absorb the associated data */ + spix_init(state, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen >= SPIX_RATE) { + lw_xor_block_2_dest(c, state + 8, m, SPIX_RATE); + state[SPIX_STATE_SIZE - 1] ^= 0x02; /* domain separation */ + sliscp_light256_permute_spix(state, 9); + c += SPIX_RATE; + m += SPIX_RATE; + mlen -= SPIX_RATE; + } + temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state + 8, m, temp); + state[temp + 8] ^= 0x80; /* padding */ + state[SPIX_STATE_SIZE - 1] ^= 0x02; /* domain separation */ + sliscp_light256_permute_spix(state, 9); + c += mlen; + + /* Generate the authentication tag */ + spix_finalize(state, k, c); + return 0; +} + +int spix_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPIX_STATE_SIZE]; + unsigned char *mtemp = m; + unsigned temp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPIX_TAG_SIZE) + return -1; + *mlen = clen - SPIX_TAG_SIZE; + + /* Initialize the SPIX state and absorb the associated data */ + spix_init(state, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPIX_TAG_SIZE; + while (clen >= SPIX_RATE) { + lw_xor_block_swap(m, state + 8, c, SPIX_RATE); + state[SPIX_STATE_SIZE - 1] ^= 0x02; /* domain separation */ + sliscp_light256_permute_spix(state, 9); + c += SPIX_RATE; + m += SPIX_RATE; + clen -= SPIX_RATE; + } + temp = (unsigned)clen; + lw_xor_block_swap(m, state + 8, c, temp); + state[temp + 8] ^= 0x80; /* padding */ + state[SPIX_STATE_SIZE - 1] ^= 0x02; /* domain separation */ + sliscp_light256_permute_spix(state, 9); + c += clen; + + /* Finalize the SPIX state and compare against the authentication tag */ + spix_finalize(state, k, state); + return aead_check_tag(mtemp, *mlen, state, c, SPIX_TAG_SIZE); +} diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/spix.h b/spix/Implementations/crypto_aead/spix128v1/rhys/spix.h new file mode 100644 index 0000000..844c514 --- /dev/null +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/spix.h @@ -0,0 +1,126 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPIX_H +#define LWCRYPTO_SPIX_H + +#include "aead-common.h" + +/** + * \file spix.h + * \brief SPIX authenticated encryption algorithm. + * + * SPIX is an authenticated encryption algorithm with a 128-bit key, + * a 128-bit nonce, and a 128-bit tag. It uses the MonkeyDuplex + * construction on top of the 256-bit sLiSCP-light permutation. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/spix + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for SPIX. + */ +#define SPIX_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SPIX. + */ +#define SPIX_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SPIX. + */ +#define SPIX_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the SPIX cipher. + */ +extern aead_cipher_t const spix_cipher; + +/** + * \brief Encrypts and authenticates a packet with SPIX. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spix_aead_decrypt() + */ +int spix_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SPIX. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spix_aead_encrypt() + */ +int spix_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/api.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/encrypt.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/encrypt.c new file mode 100644 index 0000000..6856b6f --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "spoc.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return spoc_128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return spoc_128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.c new file mode 100644 index 0000000..69b4519 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.c @@ -0,0 +1,408 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-sliscp-light.h" + +/** + * \brief Performs one round of the Simeck-64 block cipher. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + */ +#define simeck64_round(x, y) \ + do { \ + (y) ^= (leftRotate5((x)) & (x)) ^ leftRotate1((x)) ^ \ + 0xFFFFFFFEU ^ (_rc & 1); \ + _rc >>= 1; \ + } while (0) + +/** + * \brief Encrypts a 64-bit block with the 8 round version of Simeck-64. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + * \param rc Round constants for the 8 rounds, 1 bit per round. + * + * It is assumed that the two halves have already been converted from + * big-endian to host byte order before calling this function. The output + * halves will also be in host byte order. + */ +#define simeck64_box(x, y, rc) \ + do { \ + unsigned char _rc = (rc); \ + simeck64_round(x, y); /* Round 1 */ \ + simeck64_round(y, x); /* Round 2 */ \ + simeck64_round(x, y); /* Round 3 */ \ + simeck64_round(y, x); /* Round 4 */ \ + simeck64_round(x, y); /* Round 5 */ \ + simeck64_round(y, x); /* Round 6 */ \ + simeck64_round(x, y); /* Round 7 */ \ + simeck64_round(y, x); /* Round 8 */ \ + } while (0) + +/* Helper macros for 48-bit left rotations */ +#define leftRotate5_48(x) (((x) << 5) | ((x) >> 19)) +#define leftRotate1_48(x) (((x) << 1) | ((x) >> 23)) + +/** + * \brief Performs one round of the Simeck-48 block cipher. + * + * \param x Left half of the 48-bit block. + * \param y Right half of the 48-bit block. + */ +#define simeck48_round(x, y) \ + do { \ + (y) ^= (leftRotate5_48((x)) & (x)) ^ leftRotate1_48((x)) ^ \ + 0x00FFFFFEU ^ (_rc & 1); \ + (y) &= 0x00FFFFFFU; \ + _rc >>= 1; \ + } while (0) + +/** + * \brief Encrypts a 48-bit block with the 6 round version of Simeck-48. + * + * \param x Left half of the 48-bit block. + * \param y Right half of the 48-bit block. + * \param rc Round constants for the 8 rounds, 1 bit per round. + * + * It is assumed that the two halves have already been converted from + * big-endian to host byte order before calling this function. The output + * halves will also be in host byte order. + */ +#define simeck48_box(x, y, rc) \ + do { \ + unsigned char _rc = (rc); \ + simeck48_round(x, y); /* Round 1 */ \ + simeck48_round(y, x); /* Round 2 */ \ + simeck48_round(x, y); /* Round 3 */ \ + simeck48_round(y, x); /* Round 4 */ \ + simeck48_round(x, y); /* Round 5 */ \ + simeck48_round(y, x); /* Round 6 */ \ + } while (0) + +/* Interleaved rc0, rc1, sc0, and sc1 values for each round */ +static unsigned char const sliscp_light256_RC[18 * 4] = { + 0x0f, 0x47, 0x08, 0x64, 0x04, 0xb2, 0x86, 0x6b, + 0x43, 0xb5, 0xe2, 0x6f, 0xf1, 0x37, 0x89, 0x2c, + 0x44, 0x96, 0xe6, 0xdd, 0x73, 0xee, 0xca, 0x99, + 0xe5, 0x4c, 0x17, 0xea, 0x0b, 0xf5, 0x8e, 0x0f, + 0x47, 0x07, 0x64, 0x04, 0xb2, 0x82, 0x6b, 0x43, + 0xb5, 0xa1, 0x6f, 0xf1, 0x37, 0x78, 0x2c, 0x44, + 0x96, 0xa2, 0xdd, 0x73, 0xee, 0xb9, 0x99, 0xe5, + 0x4c, 0xf2, 0xea, 0x0b, 0xf5, 0x85, 0x0f, 0x47, + 0x07, 0x23, 0x04, 0xb2, 0x82, 0xd9, 0x43, 0xb5 +}; + +void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds) +{ + const unsigned char *rc = sliscp_light256_RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 4); + x2 = be_load_word32(block + 8); + x3 = be_load_word32(block + 24); /* Assumes the block is pre-swapped */ + x4 = be_load_word32(block + 16); + x5 = be_load_word32(block + 20); + x6 = be_load_word32(block + 12); + x7 = be_load_word32(block + 28); + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds, rc += 4) { + /* Apply Simeck-64 to two of the 64-bit sub-blocks */ + simeck64_box(x2, x3, rc[0]); + simeck64_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0xFFFFFFFFU; + x1 ^= 0xFFFFFF00U ^ rc[2]; + x4 ^= 0xFFFFFFFFU; + x5 ^= 0xFFFFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 4, x1); + be_store_word32(block + 8, x2); + be_store_word32(block + 24, x3); /* Assumes the block is pre-swapped */ + be_store_word32(block + 16, x4); + be_store_word32(block + 20, x5); + be_store_word32(block + 12, x6); + be_store_word32(block + 28, x7); +} + +void sliscp_light256_swap_spix(unsigned char block[32]) +{ + uint32_t t1, t2; + t1 = le_load_word32(block + 12); + t2 = le_load_word32(block + 24); + le_store_word32(block + 24, t1); + le_store_word32(block + 12, t2); +} + +void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds) +{ + const unsigned char *rc = sliscp_light256_RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 4); + x2 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ + x3 = be_load_word32(block + 20); + x4 = be_load_word32(block + 8); + x5 = be_load_word32(block + 12); + x6 = be_load_word32(block + 24); + x7 = be_load_word32(block + 28); + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds, rc += 4) { + /* Apply Simeck-64 to two of the 64-bit sub-blocks */ + simeck64_box(x2, x3, rc[0]); + simeck64_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0xFFFFFFFFU; + x1 ^= 0xFFFFFF00U ^ rc[2]; + x4 ^= 0xFFFFFFFFU; + x5 ^= 0xFFFFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 4, x1); + be_store_word32(block + 16, x2); /* Assumes the block is pre-swapped */ + be_store_word32(block + 20, x3); + be_store_word32(block + 8, x4); + be_store_word32(block + 12, x5); + be_store_word32(block + 24, x6); + be_store_word32(block + 28, x7); +} + +void sliscp_light256_swap_spoc(unsigned char block[32]) +{ + uint64_t t1, t2; + t1 = le_load_word64(block + 8); + t2 = le_load_word64(block + 16); + le_store_word64(block + 16, t1); + le_store_word64(block + 8, t2); +} + +/* Load a big-endian 24-bit word from a byte buffer */ +#define be_load_word24(ptr) \ + ((((uint32_t)((ptr)[0])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[2]))) + +/* Store a big-endian 24-bit word into a byte buffer */ +#define be_store_word24(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 16); \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)_x; \ + } while (0) + +void sliscp_light192_permute(unsigned char block[24]) +{ + /* Interleaved rc0, rc1, sc0, and sc1 values for each round */ + static unsigned char const RC[18 * 4] = { + 0x07, 0x27, 0x08, 0x29, 0x04, 0x34, 0x0c, 0x1d, + 0x06, 0x2e, 0x0a, 0x33, 0x25, 0x19, 0x2f, 0x2a, + 0x17, 0x35, 0x38, 0x1f, 0x1c, 0x0f, 0x24, 0x10, + 0x12, 0x08, 0x36, 0x18, 0x3b, 0x0c, 0x0d, 0x14, + 0x26, 0x0a, 0x2b, 0x1e, 0x15, 0x2f, 0x3e, 0x31, + 0x3f, 0x38, 0x01, 0x09, 0x20, 0x24, 0x21, 0x2d, + 0x30, 0x36, 0x11, 0x1b, 0x28, 0x0d, 0x39, 0x16, + 0x3c, 0x2b, 0x05, 0x3d, 0x22, 0x3e, 0x27, 0x03, + 0x13, 0x01, 0x34, 0x02, 0x1a, 0x21, 0x2e, 0x23 + }; + const unsigned char *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + unsigned round; + + /* Load the block into local state variables. Each 24-bit block is + * placed into a separate 32-bit word which improves efficiency below */ + x0 = be_load_word24(block); + x1 = be_load_word24(block + 3); + x2 = be_load_word24(block + 6); + x3 = be_load_word24(block + 9); + x4 = be_load_word24(block + 12); + x5 = be_load_word24(block + 15); + x6 = be_load_word24(block + 18); + x7 = be_load_word24(block + 21); + + /* Perform all permutation rounds */ + for (round = 0; round < 18; ++round, rc += 4) { + /* Apply Simeck-48 to two of the 48-bit sub-blocks */ + simeck48_box(x2, x3, rc[0]); + simeck48_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0x00FFFFFFU; + x1 ^= 0x00FFFF00U ^ rc[2]; + x4 ^= 0x00FFFFFFU; + x5 ^= 0x00FFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word24(block, x0); + be_store_word24(block + 3, x1); + be_store_word24(block + 6, x2); + be_store_word24(block + 9, x3); + be_store_word24(block + 12, x4); + be_store_word24(block + 15, x5); + be_store_word24(block + 18, x6); + be_store_word24(block + 21, x7); +} + +void sliscp_light320_permute(unsigned char block[40]) +{ + /* Interleaved rc0, rc1, rc2, sc0, sc1, and sc2 values for each round */ + static unsigned char const RC[16 * 6] = { + 0x07, 0x53, 0x43, 0x50, 0x28, 0x14, 0x0a, 0x5d, + 0xe4, 0x5c, 0xae, 0x57, 0x9b, 0x49, 0x5e, 0x91, + 0x48, 0x24, 0xe0, 0x7f, 0xcc, 0x8d, 0xc6, 0x63, + 0xd1, 0xbe, 0x32, 0x53, 0xa9, 0x54, 0x1a, 0x1d, + 0x4e, 0x60, 0x30, 0x18, 0x22, 0x28, 0x75, 0x68, + 0x34, 0x9a, 0xf7, 0x6c, 0x25, 0xe1, 0x70, 0x38, + 0x62, 0x82, 0xfd, 0xf6, 0x7b, 0xbd, 0x96, 0x47, + 0xf9, 0x9d, 0xce, 0x67, 0x71, 0x6b, 0x76, 0x40, + 0x20, 0x10, 0xaa, 0x88, 0xa0, 0x4f, 0x27, 0x13, + 0x2b, 0xdc, 0xb0, 0xbe, 0x5f, 0x2f, 0xe9, 0x8b, + 0x09, 0x5b, 0xad, 0xd6, 0xcf, 0x59, 0x1e, 0xe9, + 0x74, 0xba, 0xb7, 0xc6, 0xad, 0x7f, 0x3f, 0x1f + }; + const unsigned char *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9; + uint32_t t0, t1; + unsigned round; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ + x2 = be_load_word32(block + 8); + x3 = be_load_word32(block + 12); + x4 = be_load_word32(block + 4); + x5 = be_load_word32(block + 20); + x6 = be_load_word32(block + 24); + x7 = be_load_word32(block + 28); + x8 = be_load_word32(block + 32); + x9 = be_load_word32(block + 36); + + /* Perform all permutation rounds */ + for (round = 0; round < 16; ++round, rc += 6) { + /* Apply Simeck-64 to three of the 64-bit sub-blocks */ + simeck64_box(x0, x1, rc[0]); + simeck64_box(x4, x5, rc[1]); + simeck64_box(x8, x9, rc[2]); + x6 ^= x8; + x7 ^= x9; + x2 ^= x4; + x3 ^= x5; + x8 ^= x0; + x9 ^= x1; + + /* Add step constants */ + x2 ^= 0xFFFFFFFFU; + x3 ^= 0xFFFFFF00U ^ rc[3]; + x6 ^= 0xFFFFFFFFU; + x7 ^= 0xFFFFFF00U ^ rc[4]; + x8 ^= 0xFFFFFFFFU; + x9 ^= 0xFFFFFF00U ^ rc[5]; + + /* Rotate the sub-blocks */ + t0 = x8; + t1 = x9; + x8 = x2; + x9 = x3; + x2 = x4; + x3 = x5; + x4 = x0; + x5 = x1; + x0 = x6; + x1 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 16, x1); /* Assumes the block is pre-swapped */ + be_store_word32(block + 8, x2); + be_store_word32(block + 12, x3); + be_store_word32(block + 4, x4); + be_store_word32(block + 20, x5); + be_store_word32(block + 24, x6); + be_store_word32(block + 28, x7); + be_store_word32(block + 32, x8); + be_store_word32(block + 36, x9); +} + +void sliscp_light320_swap(unsigned char block[40]) +{ + uint32_t t1, t2; + t1 = le_load_word32(block + 4); + t2 = le_load_word32(block + 16); + le_store_word32(block + 16, t1); + le_store_word32(block + 4, t2); +} diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.h new file mode 100644 index 0000000..fa6b9ba --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.h @@ -0,0 +1,169 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SLISCP_LIGHT_H +#define LW_INTERNAL_SLISCP_LIGHT_H + +/** + * \file internal-sliscp-light.h + * \brief sLiSCP-light permutation + * + * There are three variants of sLiSCP-light in use in the NIST submissions: + * + * \li sLiSCP-light-256 with a 256-bit block size, used in SPIX and SpoC. + * \li sLiSCP-light-192 with a 192-bit block size, used in SpoC. + * \li sLiSCP-light-320 with a 320-bit block size, used in ACE. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/ace, + * https://uwaterloo.ca/communications-security-lab/lwc/spix, + * https://uwaterloo.ca/communications-security-lab/lwc/spoc + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for sLiSCP-light-256. + */ +#define SLISCP_LIGHT256_STATE_SIZE 32 + +/** + * \brief Size of the state for sLiSCP-light-192. + */ +#define SLISCP_LIGHT192_STATE_SIZE 24 + +/** + * \brief Size of the state for sLiSCP-light-320. + */ +#define SLISCP_LIGHT320_STATE_SIZE 40 + +/** + * \brief Performs the sLiSCP-light permutation on a 256-bit block. + * + * \param block Points to the block to be permuted. + * \param rounds Number of rounds to be performed, usually 9 or 18. + * + * The bytes of the block are assumed to be rearranged to match the + * requirements of the SPIX cipher. SPIX places the rate bytes at + * positions 8, 9, 10, 11, 24, 25, 26, and 27. + * + * This function assumes that bytes 24-27 have been pre-swapped with + * bytes 12-15 so that the rate portion of the state is contiguous. + * + * The sliscp_light256_swap_spix() function can be used to switch + * between the canonical order and the pre-swapped order. + * + * \sa sliscp_light256_swap_spix() + */ +void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SPIX. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light256_permute_spix() + */ +void sliscp_light256_swap_spix(unsigned char block[32]); + +/** + * \brief Performs the sLiSCP-light permutation on a 256-bit block. + * + * \param block Points to the block to be permuted. + * \param rounds Number of rounds to be performed, usually 9 or 18. + * + * The bytes of the block are assumed to be rearranged to match the + * requirements of the SpoC-128 cipher. SpoC-128 interleaves the + * rate bytes and the mask bytes. This version assumes that the + * rate and mask are in contiguous bytes of the state. + * + * SpoC-128 absorbs bytes using the mask bytes of the state at offsets + * 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, and 31. + * It squeezes bytes using the rate bytes of the state at offsets + * 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, and 23. + * + * This function assumes that bytes 8-15 have been pre-swapped with 16-23 + * so that the rate and mask portions of the state are contiguous. + * + * The sliscp_light256_swap_spoc() function can be used to switch + * between the canonical order and the pre-swapped order. + * + * \sa sliscp_light256_swap_spoc() + */ +void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light256_permute_spoc() + */ +void sliscp_light256_swap_spoc(unsigned char block[32]); + +/** + * \brief Performs the sLiSCP-light permutation on a 192-bit block. + * + * \param block Points to the block to be permuted. + */ +void sliscp_light192_permute(unsigned char block[24]); + +/** + * \brief Performs the sLiSCP-light permutation on a 320-bit block. + * + * \param block Points to the block to be permuted. + * + * The ACE specification refers to this permutation as "ACE" but that + * can be confused with the name of the AEAD mode so we call this + * permutation "sLiSCP-light-320" instead. + * + * ACE absorbs and squeezes data at the rate bytes 0, 1, 2, 3, 16, 17, 18, 19. + * Efficiency can suffer because of the discontinuity in rate byte positions. + * + * To counteract this, we assume that the input to the permutation has been + * pre-swapped: bytes 4, 5, 6, 7 are swapped with bytes 16, 17, 18, 19 so + * that the rate is contiguous at the start of the state. + * + * The sliscp_light320_swap() function can be used to switch between the + * canonical order and the pre-swapped order. + * + * \sa sliscp_light320_swap() + */ +void sliscp_light320_permute(unsigned char block[40]); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 320-bit block. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light320_permute() + */ +void sliscp_light320_swap(unsigned char block[40]); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-util.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.c new file mode 100644 index 0000000..1af7d59 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.c @@ -0,0 +1,406 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "spoc.h" +#include "internal-sliscp-light.h" +#include "internal-util.h" +#include + +/** + * \brief Size of the state for the internal sLiSCP-light-256 permutation. + */ +#define SPOC_128_STATE_SIZE SLISCP_LIGHT256_STATE_SIZE + +/** + * \brief Rate for absorbing data into the sLiSCP-light-256 state and for + * squeezing data out again. + */ +#define SPOC_128_RATE 16 + +/** + * \brief Size of the state for the internal sLiSCP-light-192 permutation. + */ +#define SPOC_64_STATE_SIZE SLISCP_LIGHT192_STATE_SIZE + +/** + * \brief Rate for absorbing data into the sLiSCP-light-192 state and for + * squeezing data out again. + */ +#define SPOC_64_RATE 8 + +aead_cipher_t const spoc_128_cipher = { + "SpoC-128", + SPOC_KEY_SIZE, + SPOC_NONCE_SIZE, + SPOC_128_TAG_SIZE, + AEAD_FLAG_NONE, + spoc_128_aead_encrypt, + spoc_128_aead_decrypt +}; + +aead_cipher_t const spoc_64_cipher = { + "SpoC-64", + SPOC_KEY_SIZE, + SPOC_NONCE_SIZE, + SPOC_64_TAG_SIZE, + AEAD_FLAG_NONE, + spoc_64_aead_encrypt, + spoc_64_aead_decrypt +}; + +/* Indices of where a rate byte is located to help with padding */ +/* +static unsigned char const spoc_128_rate_posn[16] = { + 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, 23 +}; +static unsigned char const spoc_128_mask_posn[16] = { + 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, 31 +}; +*/ +static unsigned char const spoc_64_rate_posn[8] = { + 0, 1, 2, 3, 12, 13, 14, 15 +}; +static unsigned char const spoc_64_mask_posn[8] = { + 6, 7, 8, 9, 18, 19, 20, 21 +}; + +/** + * \brief Initializes the SpoC-128 state. + * + * \param state sLiSCP-light-256 permutation state. + * \param k Points to the 128-bit key. + * \param npub Points to the 128-bit nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void spoc_128_init + (unsigned char state[SPOC_128_STATE_SIZE], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state by combining the key and nonce */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Absorb the associated data into the state */ + if (adlen != 0) { + while (adlen >= SPOC_128_RATE) { + sliscp_light256_permute_spoc(state, 18); + lw_xor_block(state + 16, ad, SPOC_128_RATE); + state[0] ^= 0x20; /* domain separation */ + ad += SPOC_128_RATE; + adlen -= SPOC_128_RATE; + } + temp = (unsigned)adlen; + if (temp > 0) { + sliscp_light256_permute_spoc(state, 18); + lw_xor_block(state + 16, ad, temp); + state[temp + 16] ^= 0x80; /* padding */ + state[0] ^= 0x30; /* domain separation */ + } + } +} + +/** + * \brief Initializes the SpoC-64 state. + * + * \param state sLiSCP-light-192 permutation state. + * \param k Points to the 128-bit key. + * \param npub Points to the 128-bit nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void spoc_64_init + (unsigned char state[SPOC_64_STATE_SIZE], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state by interleaving the key and nonce */ + memcpy(state, npub, 4); + state[4] = k[6]; + state[5] = k[7]; + memcpy(state + 6, k, 6); + memcpy(state + 12, npub + 4, 4); + state[16] = k[14]; + state[17] = k[15]; + memcpy(state + 18, k + 8, 6); + sliscp_light192_permute(state); + lw_xor_block(state + 6, npub + 8, 4); + lw_xor_block(state + 18, npub + 12, 4); + + /* Absorb the associated data into the state */ + if (adlen != 0) { + while (adlen >= SPOC_64_RATE) { + sliscp_light192_permute(state); + lw_xor_block(state + 6, ad, 4); + lw_xor_block(state + 18, ad + 4, 4); + state[0] ^= 0x20; /* domain separation */ + ad += SPOC_64_RATE; + adlen -= SPOC_64_RATE; + } + temp = (unsigned)adlen; + if (temp > 0) { + sliscp_light192_permute(state); + state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */ + state[0] ^= 0x30; /* domain separation */ + while (temp > 0) { + --temp; + state[spoc_64_mask_posn[temp]] ^= ad[temp]; + } + } + } +} + +/** + * \brief Finalizes the SpoC-128 encryption or decryption operation. + * + * \param state sLiSCP-light-256 permutation state. + * \param tag Points to the 16 byte buffer to receive the computed tag. + */ +static void spoc_128_finalize + (unsigned char state[SPOC_128_STATE_SIZE], unsigned char *tag) +{ + /* Pad and permute the state one more time */ + state[0] ^= 0x80; + sliscp_light256_permute_spoc(state, 18); + + /* Copy out the authentication tag */ + memcpy(tag, state + 16, 16); +} + +/** + * \brief Finalizes the SpoC-64 encryption or decryption operation. + * + * \param state sLiSCP-light-192 permutation state. + * \param tag Points to the 16 byte buffer to receive the computed tag. + */ +static void spoc_64_finalize + (unsigned char state[SPOC_64_STATE_SIZE], unsigned char *tag) +{ + /* Pad and permute the state one more time */ + state[0] ^= 0x80; + sliscp_light192_permute(state); + + /* Copy out the authentication tag */ + memcpy(tag, state + 6, 4); + memcpy(tag + 4, state + 18, 4); +} + +int spoc_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPOC_128_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOC_128_TAG_SIZE; + + /* Initialize the SpoC-128 state and absorb the associated data */ + spoc_128_init(state, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen != 0) { + while (mlen >= SPOC_128_RATE) { + sliscp_light256_permute_spoc(state, 18); + lw_xor_block(state + 16, m, SPOC_128_RATE); + lw_xor_block_2_src(c, m, state, SPOC_128_RATE); + state[0] ^= 0x40; /* domain separation */ + c += SPOC_128_RATE; + m += SPOC_128_RATE; + mlen -= SPOC_128_RATE; + } + if (mlen != 0) { + unsigned temp = (unsigned)mlen; + sliscp_light256_permute_spoc(state, 18); + lw_xor_block(state + 16, m, temp); + lw_xor_block_2_src(c, m, state, temp); + state[temp + 16] ^= 0x80; /* padding */ + state[0] ^= 0x50; /* domain separation */ + c += mlen; + } + } + + /* Finalize and generate the authentication tag */ + spoc_128_finalize(state, c); + return 0; +} + +int spoc_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPOC_128_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOC_128_TAG_SIZE) + return -1; + *mlen = clen - SPOC_128_TAG_SIZE; + + /* Initialize the Spoc-128 state and absorb the associated data */ + spoc_128_init(state, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOC_128_TAG_SIZE; + if (clen != 0) { + while (clen >= SPOC_128_RATE) { + sliscp_light256_permute_spoc(state, 18); + lw_xor_block_2_src(m, c, state, SPOC_128_RATE); + lw_xor_block(state + 16, m, SPOC_128_RATE); + state[0] ^= 0x40; /* domain separation */ + c += SPOC_128_RATE; + m += SPOC_128_RATE; + clen -= SPOC_128_RATE; + } + if (clen != 0) { + unsigned temp = (unsigned)clen; + sliscp_light256_permute_spoc(state, 18); + lw_xor_block_2_src(m, c, state, temp); + lw_xor_block(state + 16, m, temp); + state[temp + 16] ^= 0x80; /* padding */ + state[0] ^= 0x50; /* domain separation */ + c += clen; + } + } + + /* Finalize and check the authentication tag */ + spoc_128_finalize(state, state); + return aead_check_tag(mtemp, *mlen, state, c, SPOC_128_TAG_SIZE); +} + +int spoc_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPOC_64_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOC_64_TAG_SIZE; + + /* Initialize the SpoC-64 state and absorb the associated data */ + spoc_64_init(state, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen != 0) { + while (mlen >= SPOC_64_RATE) { + sliscp_light192_permute(state); + lw_xor_block(state + 6, m, 4); + lw_xor_block(state + 18, m + 4, 4); + lw_xor_block_2_src(c, m, state, 4); + lw_xor_block_2_src(c + 4, m + 4, state + 12, 4); + state[0] ^= 0x40; /* domain separation */ + c += SPOC_64_RATE; + m += SPOC_64_RATE; + mlen -= SPOC_64_RATE; + } + if (mlen != 0) { + unsigned temp = (unsigned)mlen; + sliscp_light192_permute(state); + state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */ + while (temp > 0) { + --temp; + unsigned char mbyte = m[temp]; + state[spoc_64_mask_posn[temp]] ^= mbyte; + c[temp] = mbyte ^ state[spoc_64_rate_posn[temp]]; + } + state[0] ^= 0x50; /* domain separation */ + c += mlen; + } + } + + /* Finalize and generate the authentication tag */ + spoc_64_finalize(state, c); + return 0; +} + +int spoc_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPOC_64_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOC_64_TAG_SIZE) + return -1; + *mlen = clen - SPOC_64_TAG_SIZE; + + /* Initialize the Spoc-64 state and absorb the associated data */ + spoc_64_init(state, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOC_64_TAG_SIZE; + if (clen != 0) { + while (clen >= SPOC_64_RATE) { + sliscp_light192_permute(state); + lw_xor_block_2_src(m, c, state, 4); + lw_xor_block_2_src(m + 4, c + 4, state + 12, 4); + lw_xor_block(state + 6, m, 4); + lw_xor_block(state + 18, m + 4, 4); + state[0] ^= 0x40; /* domain separation */ + c += SPOC_64_RATE; + m += SPOC_64_RATE; + clen -= SPOC_64_RATE; + } + if (clen != 0) { + unsigned temp = (unsigned)clen; + sliscp_light192_permute(state); + state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */ + while (temp > 0) { + --temp; + unsigned char mbyte = c[temp] ^ state[spoc_64_rate_posn[temp]]; + state[spoc_64_mask_posn[temp]] ^= mbyte; + m[temp] = mbyte; + } + state[0] ^= 0x50; /* domain separation */ + c += clen; + } + } + + /* Finalize and check the authentication tag */ + spoc_64_finalize(state, state); + return aead_check_tag(mtemp, *mlen, state, c, SPOC_64_TAG_SIZE); +} diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.h new file mode 100644 index 0000000..712c2d0 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.h @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPOC_H +#define LWCRYPTO_SPOC_H + +#include "aead-common.h" + +/** + * \file spoc.h + * \brief SpoC authenticated encryption algorithm. + * + * SpoC is a family of authenticated encryption algorithms with two + * members, SpoC-128 and Spoc-64. The algorithms use a Beetle-like + * sponge construction built on top of the sLiSCP-light permutation. + * + * \li Spoc-128 has a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * It is built around the 256-bit version of the sLiSCP-light permutation. + * This is the primary member of the family. + * \li Spoc-64 has a 128-bit key, a 128-bit nonce, and a 64-bit tag. + * It is built around the 192-bit version of the sLiSCP-light permutation. + * + * Spoc-128 has good performance on small packets (16 bytes or less) + * on 32-bit embedded platforms. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/spoc + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SpoC variants. + */ +#define SPOC_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SpoC-128. + */ +#define SPOC_128_TAG_SIZE 16 + +/** + * \brief Size of the authentication tag for SpoC-64. + */ +#define SPOC_64_TAG_SIZE 8 + +/** + * \brief Size of the nonce for all SpoC variants. + */ +#define SPOC_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the SpoC-128 cipher. + */ +extern aead_cipher_t const spoc_128_cipher; + +/** + * \brief Meta-information block for the SpoC-64 cipher. + */ +extern aead_cipher_t const spoc_64_cipher; + +/** + * \brief Encrypts and authenticates a packet with SpoC-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spoc_128_aead_decrypt() + */ +int spoc_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SpoC-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spoc_128_aead_encrypt() + */ +int spoc_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SpoC-64. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spoc_64_aead_decrypt() + */ +int spoc_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SpoC-64. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spoc_64_aead_encrypt() + */ +int spoc_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/api.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/api.h new file mode 100644 index 0000000..4bf8f5c --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/encrypt.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/encrypt.c new file mode 100644 index 0000000..f8dd710 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "spoc.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return spoc_64_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return spoc_64_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.c new file mode 100644 index 0000000..69b4519 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.c @@ -0,0 +1,408 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-sliscp-light.h" + +/** + * \brief Performs one round of the Simeck-64 block cipher. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + */ +#define simeck64_round(x, y) \ + do { \ + (y) ^= (leftRotate5((x)) & (x)) ^ leftRotate1((x)) ^ \ + 0xFFFFFFFEU ^ (_rc & 1); \ + _rc >>= 1; \ + } while (0) + +/** + * \brief Encrypts a 64-bit block with the 8 round version of Simeck-64. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + * \param rc Round constants for the 8 rounds, 1 bit per round. + * + * It is assumed that the two halves have already been converted from + * big-endian to host byte order before calling this function. The output + * halves will also be in host byte order. + */ +#define simeck64_box(x, y, rc) \ + do { \ + unsigned char _rc = (rc); \ + simeck64_round(x, y); /* Round 1 */ \ + simeck64_round(y, x); /* Round 2 */ \ + simeck64_round(x, y); /* Round 3 */ \ + simeck64_round(y, x); /* Round 4 */ \ + simeck64_round(x, y); /* Round 5 */ \ + simeck64_round(y, x); /* Round 6 */ \ + simeck64_round(x, y); /* Round 7 */ \ + simeck64_round(y, x); /* Round 8 */ \ + } while (0) + +/* Helper macros for 48-bit left rotations */ +#define leftRotate5_48(x) (((x) << 5) | ((x) >> 19)) +#define leftRotate1_48(x) (((x) << 1) | ((x) >> 23)) + +/** + * \brief Performs one round of the Simeck-48 block cipher. + * + * \param x Left half of the 48-bit block. + * \param y Right half of the 48-bit block. + */ +#define simeck48_round(x, y) \ + do { \ + (y) ^= (leftRotate5_48((x)) & (x)) ^ leftRotate1_48((x)) ^ \ + 0x00FFFFFEU ^ (_rc & 1); \ + (y) &= 0x00FFFFFFU; \ + _rc >>= 1; \ + } while (0) + +/** + * \brief Encrypts a 48-bit block with the 6 round version of Simeck-48. + * + * \param x Left half of the 48-bit block. + * \param y Right half of the 48-bit block. + * \param rc Round constants for the 8 rounds, 1 bit per round. + * + * It is assumed that the two halves have already been converted from + * big-endian to host byte order before calling this function. The output + * halves will also be in host byte order. + */ +#define simeck48_box(x, y, rc) \ + do { \ + unsigned char _rc = (rc); \ + simeck48_round(x, y); /* Round 1 */ \ + simeck48_round(y, x); /* Round 2 */ \ + simeck48_round(x, y); /* Round 3 */ \ + simeck48_round(y, x); /* Round 4 */ \ + simeck48_round(x, y); /* Round 5 */ \ + simeck48_round(y, x); /* Round 6 */ \ + } while (0) + +/* Interleaved rc0, rc1, sc0, and sc1 values for each round */ +static unsigned char const sliscp_light256_RC[18 * 4] = { + 0x0f, 0x47, 0x08, 0x64, 0x04, 0xb2, 0x86, 0x6b, + 0x43, 0xb5, 0xe2, 0x6f, 0xf1, 0x37, 0x89, 0x2c, + 0x44, 0x96, 0xe6, 0xdd, 0x73, 0xee, 0xca, 0x99, + 0xe5, 0x4c, 0x17, 0xea, 0x0b, 0xf5, 0x8e, 0x0f, + 0x47, 0x07, 0x64, 0x04, 0xb2, 0x82, 0x6b, 0x43, + 0xb5, 0xa1, 0x6f, 0xf1, 0x37, 0x78, 0x2c, 0x44, + 0x96, 0xa2, 0xdd, 0x73, 0xee, 0xb9, 0x99, 0xe5, + 0x4c, 0xf2, 0xea, 0x0b, 0xf5, 0x85, 0x0f, 0x47, + 0x07, 0x23, 0x04, 0xb2, 0x82, 0xd9, 0x43, 0xb5 +}; + +void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds) +{ + const unsigned char *rc = sliscp_light256_RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 4); + x2 = be_load_word32(block + 8); + x3 = be_load_word32(block + 24); /* Assumes the block is pre-swapped */ + x4 = be_load_word32(block + 16); + x5 = be_load_word32(block + 20); + x6 = be_load_word32(block + 12); + x7 = be_load_word32(block + 28); + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds, rc += 4) { + /* Apply Simeck-64 to two of the 64-bit sub-blocks */ + simeck64_box(x2, x3, rc[0]); + simeck64_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0xFFFFFFFFU; + x1 ^= 0xFFFFFF00U ^ rc[2]; + x4 ^= 0xFFFFFFFFU; + x5 ^= 0xFFFFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 4, x1); + be_store_word32(block + 8, x2); + be_store_word32(block + 24, x3); /* Assumes the block is pre-swapped */ + be_store_word32(block + 16, x4); + be_store_word32(block + 20, x5); + be_store_word32(block + 12, x6); + be_store_word32(block + 28, x7); +} + +void sliscp_light256_swap_spix(unsigned char block[32]) +{ + uint32_t t1, t2; + t1 = le_load_word32(block + 12); + t2 = le_load_word32(block + 24); + le_store_word32(block + 24, t1); + le_store_word32(block + 12, t2); +} + +void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds) +{ + const unsigned char *rc = sliscp_light256_RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 4); + x2 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ + x3 = be_load_word32(block + 20); + x4 = be_load_word32(block + 8); + x5 = be_load_word32(block + 12); + x6 = be_load_word32(block + 24); + x7 = be_load_word32(block + 28); + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds, rc += 4) { + /* Apply Simeck-64 to two of the 64-bit sub-blocks */ + simeck64_box(x2, x3, rc[0]); + simeck64_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0xFFFFFFFFU; + x1 ^= 0xFFFFFF00U ^ rc[2]; + x4 ^= 0xFFFFFFFFU; + x5 ^= 0xFFFFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 4, x1); + be_store_word32(block + 16, x2); /* Assumes the block is pre-swapped */ + be_store_word32(block + 20, x3); + be_store_word32(block + 8, x4); + be_store_word32(block + 12, x5); + be_store_word32(block + 24, x6); + be_store_word32(block + 28, x7); +} + +void sliscp_light256_swap_spoc(unsigned char block[32]) +{ + uint64_t t1, t2; + t1 = le_load_word64(block + 8); + t2 = le_load_word64(block + 16); + le_store_word64(block + 16, t1); + le_store_word64(block + 8, t2); +} + +/* Load a big-endian 24-bit word from a byte buffer */ +#define be_load_word24(ptr) \ + ((((uint32_t)((ptr)[0])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[2]))) + +/* Store a big-endian 24-bit word into a byte buffer */ +#define be_store_word24(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 16); \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)_x; \ + } while (0) + +void sliscp_light192_permute(unsigned char block[24]) +{ + /* Interleaved rc0, rc1, sc0, and sc1 values for each round */ + static unsigned char const RC[18 * 4] = { + 0x07, 0x27, 0x08, 0x29, 0x04, 0x34, 0x0c, 0x1d, + 0x06, 0x2e, 0x0a, 0x33, 0x25, 0x19, 0x2f, 0x2a, + 0x17, 0x35, 0x38, 0x1f, 0x1c, 0x0f, 0x24, 0x10, + 0x12, 0x08, 0x36, 0x18, 0x3b, 0x0c, 0x0d, 0x14, + 0x26, 0x0a, 0x2b, 0x1e, 0x15, 0x2f, 0x3e, 0x31, + 0x3f, 0x38, 0x01, 0x09, 0x20, 0x24, 0x21, 0x2d, + 0x30, 0x36, 0x11, 0x1b, 0x28, 0x0d, 0x39, 0x16, + 0x3c, 0x2b, 0x05, 0x3d, 0x22, 0x3e, 0x27, 0x03, + 0x13, 0x01, 0x34, 0x02, 0x1a, 0x21, 0x2e, 0x23 + }; + const unsigned char *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t t0, t1; + unsigned round; + + /* Load the block into local state variables. Each 24-bit block is + * placed into a separate 32-bit word which improves efficiency below */ + x0 = be_load_word24(block); + x1 = be_load_word24(block + 3); + x2 = be_load_word24(block + 6); + x3 = be_load_word24(block + 9); + x4 = be_load_word24(block + 12); + x5 = be_load_word24(block + 15); + x6 = be_load_word24(block + 18); + x7 = be_load_word24(block + 21); + + /* Perform all permutation rounds */ + for (round = 0; round < 18; ++round, rc += 4) { + /* Apply Simeck-48 to two of the 48-bit sub-blocks */ + simeck48_box(x2, x3, rc[0]); + simeck48_box(x6, x7, rc[1]); + + /* Add step constants */ + x0 ^= 0x00FFFFFFU; + x1 ^= 0x00FFFF00U ^ rc[2]; + x4 ^= 0x00FFFFFFU; + x5 ^= 0x00FFFF00U ^ rc[3]; + + /* Mix the sub-blocks */ + t0 = x0 ^ x2; + t1 = x1 ^ x3; + x0 = x2; + x1 = x3; + x2 = x4 ^ x6; + x3 = x5 ^ x7; + x4 = x6; + x5 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word24(block, x0); + be_store_word24(block + 3, x1); + be_store_word24(block + 6, x2); + be_store_word24(block + 9, x3); + be_store_word24(block + 12, x4); + be_store_word24(block + 15, x5); + be_store_word24(block + 18, x6); + be_store_word24(block + 21, x7); +} + +void sliscp_light320_permute(unsigned char block[40]) +{ + /* Interleaved rc0, rc1, rc2, sc0, sc1, and sc2 values for each round */ + static unsigned char const RC[16 * 6] = { + 0x07, 0x53, 0x43, 0x50, 0x28, 0x14, 0x0a, 0x5d, + 0xe4, 0x5c, 0xae, 0x57, 0x9b, 0x49, 0x5e, 0x91, + 0x48, 0x24, 0xe0, 0x7f, 0xcc, 0x8d, 0xc6, 0x63, + 0xd1, 0xbe, 0x32, 0x53, 0xa9, 0x54, 0x1a, 0x1d, + 0x4e, 0x60, 0x30, 0x18, 0x22, 0x28, 0x75, 0x68, + 0x34, 0x9a, 0xf7, 0x6c, 0x25, 0xe1, 0x70, 0x38, + 0x62, 0x82, 0xfd, 0xf6, 0x7b, 0xbd, 0x96, 0x47, + 0xf9, 0x9d, 0xce, 0x67, 0x71, 0x6b, 0x76, 0x40, + 0x20, 0x10, 0xaa, 0x88, 0xa0, 0x4f, 0x27, 0x13, + 0x2b, 0xdc, 0xb0, 0xbe, 0x5f, 0x2f, 0xe9, 0x8b, + 0x09, 0x5b, 0xad, 0xd6, 0xcf, 0x59, 0x1e, 0xe9, + 0x74, 0xba, 0xb7, 0xc6, 0xad, 0x7f, 0x3f, 0x1f + }; + const unsigned char *rc = RC; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9; + uint32_t t0, t1; + unsigned round; + + /* Load the block into local state variables */ + x0 = be_load_word32(block); + x1 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ + x2 = be_load_word32(block + 8); + x3 = be_load_word32(block + 12); + x4 = be_load_word32(block + 4); + x5 = be_load_word32(block + 20); + x6 = be_load_word32(block + 24); + x7 = be_load_word32(block + 28); + x8 = be_load_word32(block + 32); + x9 = be_load_word32(block + 36); + + /* Perform all permutation rounds */ + for (round = 0; round < 16; ++round, rc += 6) { + /* Apply Simeck-64 to three of the 64-bit sub-blocks */ + simeck64_box(x0, x1, rc[0]); + simeck64_box(x4, x5, rc[1]); + simeck64_box(x8, x9, rc[2]); + x6 ^= x8; + x7 ^= x9; + x2 ^= x4; + x3 ^= x5; + x8 ^= x0; + x9 ^= x1; + + /* Add step constants */ + x2 ^= 0xFFFFFFFFU; + x3 ^= 0xFFFFFF00U ^ rc[3]; + x6 ^= 0xFFFFFFFFU; + x7 ^= 0xFFFFFF00U ^ rc[4]; + x8 ^= 0xFFFFFFFFU; + x9 ^= 0xFFFFFF00U ^ rc[5]; + + /* Rotate the sub-blocks */ + t0 = x8; + t1 = x9; + x8 = x2; + x9 = x3; + x2 = x4; + x3 = x5; + x4 = x0; + x5 = x1; + x0 = x6; + x1 = x7; + x6 = t0; + x7 = t1; + } + + /* Store the state back into the block */ + be_store_word32(block, x0); + be_store_word32(block + 16, x1); /* Assumes the block is pre-swapped */ + be_store_word32(block + 8, x2); + be_store_word32(block + 12, x3); + be_store_word32(block + 4, x4); + be_store_word32(block + 20, x5); + be_store_word32(block + 24, x6); + be_store_word32(block + 28, x7); + be_store_word32(block + 32, x8); + be_store_word32(block + 36, x9); +} + +void sliscp_light320_swap(unsigned char block[40]) +{ + uint32_t t1, t2; + t1 = le_load_word32(block + 4); + t2 = le_load_word32(block + 16); + le_store_word32(block + 16, t1); + le_store_word32(block + 4, t2); +} diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.h new file mode 100644 index 0000000..fa6b9ba --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.h @@ -0,0 +1,169 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SLISCP_LIGHT_H +#define LW_INTERNAL_SLISCP_LIGHT_H + +/** + * \file internal-sliscp-light.h + * \brief sLiSCP-light permutation + * + * There are three variants of sLiSCP-light in use in the NIST submissions: + * + * \li sLiSCP-light-256 with a 256-bit block size, used in SPIX and SpoC. + * \li sLiSCP-light-192 with a 192-bit block size, used in SpoC. + * \li sLiSCP-light-320 with a 320-bit block size, used in ACE. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/ace, + * https://uwaterloo.ca/communications-security-lab/lwc/spix, + * https://uwaterloo.ca/communications-security-lab/lwc/spoc + */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the state for sLiSCP-light-256. + */ +#define SLISCP_LIGHT256_STATE_SIZE 32 + +/** + * \brief Size of the state for sLiSCP-light-192. + */ +#define SLISCP_LIGHT192_STATE_SIZE 24 + +/** + * \brief Size of the state for sLiSCP-light-320. + */ +#define SLISCP_LIGHT320_STATE_SIZE 40 + +/** + * \brief Performs the sLiSCP-light permutation on a 256-bit block. + * + * \param block Points to the block to be permuted. + * \param rounds Number of rounds to be performed, usually 9 or 18. + * + * The bytes of the block are assumed to be rearranged to match the + * requirements of the SPIX cipher. SPIX places the rate bytes at + * positions 8, 9, 10, 11, 24, 25, 26, and 27. + * + * This function assumes that bytes 24-27 have been pre-swapped with + * bytes 12-15 so that the rate portion of the state is contiguous. + * + * The sliscp_light256_swap_spix() function can be used to switch + * between the canonical order and the pre-swapped order. + * + * \sa sliscp_light256_swap_spix() + */ +void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SPIX. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light256_permute_spix() + */ +void sliscp_light256_swap_spix(unsigned char block[32]); + +/** + * \brief Performs the sLiSCP-light permutation on a 256-bit block. + * + * \param block Points to the block to be permuted. + * \param rounds Number of rounds to be performed, usually 9 or 18. + * + * The bytes of the block are assumed to be rearranged to match the + * requirements of the SpoC-128 cipher. SpoC-128 interleaves the + * rate bytes and the mask bytes. This version assumes that the + * rate and mask are in contiguous bytes of the state. + * + * SpoC-128 absorbs bytes using the mask bytes of the state at offsets + * 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, and 31. + * It squeezes bytes using the rate bytes of the state at offsets + * 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, and 23. + * + * This function assumes that bytes 8-15 have been pre-swapped with 16-23 + * so that the rate and mask portions of the state are contiguous. + * + * The sliscp_light256_swap_spoc() function can be used to switch + * between the canonical order and the pre-swapped order. + * + * \sa sliscp_light256_swap_spoc() + */ +void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light256_permute_spoc() + */ +void sliscp_light256_swap_spoc(unsigned char block[32]); + +/** + * \brief Performs the sLiSCP-light permutation on a 192-bit block. + * + * \param block Points to the block to be permuted. + */ +void sliscp_light192_permute(unsigned char block[24]); + +/** + * \brief Performs the sLiSCP-light permutation on a 320-bit block. + * + * \param block Points to the block to be permuted. + * + * The ACE specification refers to this permutation as "ACE" but that + * can be confused with the name of the AEAD mode so we call this + * permutation "sLiSCP-light-320" instead. + * + * ACE absorbs and squeezes data at the rate bytes 0, 1, 2, 3, 16, 17, 18, 19. + * Efficiency can suffer because of the discontinuity in rate byte positions. + * + * To counteract this, we assume that the input to the permutation has been + * pre-swapped: bytes 4, 5, 6, 7 are swapped with bytes 16, 17, 18, 19 so + * that the rate is contiguous at the start of the state. + * + * The sliscp_light320_swap() function can be used to switch between the + * canonical order and the pre-swapped order. + * + * \sa sliscp_light320_swap() + */ +void sliscp_light320_permute(unsigned char block[40]); + +/** + * \brief Swaps rate bytes in a sLiSCP-light 320-bit block. + * + * \param block Points to the block to be rate-swapped. + * + * \sa sliscp_light320_permute() + */ +void sliscp_light320_swap(unsigned char block[40]); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-util.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.c new file mode 100644 index 0000000..1af7d59 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.c @@ -0,0 +1,406 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "spoc.h" +#include "internal-sliscp-light.h" +#include "internal-util.h" +#include + +/** + * \brief Size of the state for the internal sLiSCP-light-256 permutation. + */ +#define SPOC_128_STATE_SIZE SLISCP_LIGHT256_STATE_SIZE + +/** + * \brief Rate for absorbing data into the sLiSCP-light-256 state and for + * squeezing data out again. + */ +#define SPOC_128_RATE 16 + +/** + * \brief Size of the state for the internal sLiSCP-light-192 permutation. + */ +#define SPOC_64_STATE_SIZE SLISCP_LIGHT192_STATE_SIZE + +/** + * \brief Rate for absorbing data into the sLiSCP-light-192 state and for + * squeezing data out again. + */ +#define SPOC_64_RATE 8 + +aead_cipher_t const spoc_128_cipher = { + "SpoC-128", + SPOC_KEY_SIZE, + SPOC_NONCE_SIZE, + SPOC_128_TAG_SIZE, + AEAD_FLAG_NONE, + spoc_128_aead_encrypt, + spoc_128_aead_decrypt +}; + +aead_cipher_t const spoc_64_cipher = { + "SpoC-64", + SPOC_KEY_SIZE, + SPOC_NONCE_SIZE, + SPOC_64_TAG_SIZE, + AEAD_FLAG_NONE, + spoc_64_aead_encrypt, + spoc_64_aead_decrypt +}; + +/* Indices of where a rate byte is located to help with padding */ +/* +static unsigned char const spoc_128_rate_posn[16] = { + 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, 23 +}; +static unsigned char const spoc_128_mask_posn[16] = { + 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, 31 +}; +*/ +static unsigned char const spoc_64_rate_posn[8] = { + 0, 1, 2, 3, 12, 13, 14, 15 +}; +static unsigned char const spoc_64_mask_posn[8] = { + 6, 7, 8, 9, 18, 19, 20, 21 +}; + +/** + * \brief Initializes the SpoC-128 state. + * + * \param state sLiSCP-light-256 permutation state. + * \param k Points to the 128-bit key. + * \param npub Points to the 128-bit nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void spoc_128_init + (unsigned char state[SPOC_128_STATE_SIZE], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state by combining the key and nonce */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Absorb the associated data into the state */ + if (adlen != 0) { + while (adlen >= SPOC_128_RATE) { + sliscp_light256_permute_spoc(state, 18); + lw_xor_block(state + 16, ad, SPOC_128_RATE); + state[0] ^= 0x20; /* domain separation */ + ad += SPOC_128_RATE; + adlen -= SPOC_128_RATE; + } + temp = (unsigned)adlen; + if (temp > 0) { + sliscp_light256_permute_spoc(state, 18); + lw_xor_block(state + 16, ad, temp); + state[temp + 16] ^= 0x80; /* padding */ + state[0] ^= 0x30; /* domain separation */ + } + } +} + +/** + * \brief Initializes the SpoC-64 state. + * + * \param state sLiSCP-light-192 permutation state. + * \param k Points to the 128-bit key. + * \param npub Points to the 128-bit nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void spoc_64_init + (unsigned char state[SPOC_64_STATE_SIZE], + const unsigned char *k, const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Initialize the state by interleaving the key and nonce */ + memcpy(state, npub, 4); + state[4] = k[6]; + state[5] = k[7]; + memcpy(state + 6, k, 6); + memcpy(state + 12, npub + 4, 4); + state[16] = k[14]; + state[17] = k[15]; + memcpy(state + 18, k + 8, 6); + sliscp_light192_permute(state); + lw_xor_block(state + 6, npub + 8, 4); + lw_xor_block(state + 18, npub + 12, 4); + + /* Absorb the associated data into the state */ + if (adlen != 0) { + while (adlen >= SPOC_64_RATE) { + sliscp_light192_permute(state); + lw_xor_block(state + 6, ad, 4); + lw_xor_block(state + 18, ad + 4, 4); + state[0] ^= 0x20; /* domain separation */ + ad += SPOC_64_RATE; + adlen -= SPOC_64_RATE; + } + temp = (unsigned)adlen; + if (temp > 0) { + sliscp_light192_permute(state); + state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */ + state[0] ^= 0x30; /* domain separation */ + while (temp > 0) { + --temp; + state[spoc_64_mask_posn[temp]] ^= ad[temp]; + } + } + } +} + +/** + * \brief Finalizes the SpoC-128 encryption or decryption operation. + * + * \param state sLiSCP-light-256 permutation state. + * \param tag Points to the 16 byte buffer to receive the computed tag. + */ +static void spoc_128_finalize + (unsigned char state[SPOC_128_STATE_SIZE], unsigned char *tag) +{ + /* Pad and permute the state one more time */ + state[0] ^= 0x80; + sliscp_light256_permute_spoc(state, 18); + + /* Copy out the authentication tag */ + memcpy(tag, state + 16, 16); +} + +/** + * \brief Finalizes the SpoC-64 encryption or decryption operation. + * + * \param state sLiSCP-light-192 permutation state. + * \param tag Points to the 16 byte buffer to receive the computed tag. + */ +static void spoc_64_finalize + (unsigned char state[SPOC_64_STATE_SIZE], unsigned char *tag) +{ + /* Pad and permute the state one more time */ + state[0] ^= 0x80; + sliscp_light192_permute(state); + + /* Copy out the authentication tag */ + memcpy(tag, state + 6, 4); + memcpy(tag + 4, state + 18, 4); +} + +int spoc_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPOC_128_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOC_128_TAG_SIZE; + + /* Initialize the SpoC-128 state and absorb the associated data */ + spoc_128_init(state, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen != 0) { + while (mlen >= SPOC_128_RATE) { + sliscp_light256_permute_spoc(state, 18); + lw_xor_block(state + 16, m, SPOC_128_RATE); + lw_xor_block_2_src(c, m, state, SPOC_128_RATE); + state[0] ^= 0x40; /* domain separation */ + c += SPOC_128_RATE; + m += SPOC_128_RATE; + mlen -= SPOC_128_RATE; + } + if (mlen != 0) { + unsigned temp = (unsigned)mlen; + sliscp_light256_permute_spoc(state, 18); + lw_xor_block(state + 16, m, temp); + lw_xor_block_2_src(c, m, state, temp); + state[temp + 16] ^= 0x80; /* padding */ + state[0] ^= 0x50; /* domain separation */ + c += mlen; + } + } + + /* Finalize and generate the authentication tag */ + spoc_128_finalize(state, c); + return 0; +} + +int spoc_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPOC_128_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOC_128_TAG_SIZE) + return -1; + *mlen = clen - SPOC_128_TAG_SIZE; + + /* Initialize the Spoc-128 state and absorb the associated data */ + spoc_128_init(state, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOC_128_TAG_SIZE; + if (clen != 0) { + while (clen >= SPOC_128_RATE) { + sliscp_light256_permute_spoc(state, 18); + lw_xor_block_2_src(m, c, state, SPOC_128_RATE); + lw_xor_block(state + 16, m, SPOC_128_RATE); + state[0] ^= 0x40; /* domain separation */ + c += SPOC_128_RATE; + m += SPOC_128_RATE; + clen -= SPOC_128_RATE; + } + if (clen != 0) { + unsigned temp = (unsigned)clen; + sliscp_light256_permute_spoc(state, 18); + lw_xor_block_2_src(m, c, state, temp); + lw_xor_block(state + 16, m, temp); + state[temp + 16] ^= 0x80; /* padding */ + state[0] ^= 0x50; /* domain separation */ + c += clen; + } + } + + /* Finalize and check the authentication tag */ + spoc_128_finalize(state, state); + return aead_check_tag(mtemp, *mlen, state, c, SPOC_128_TAG_SIZE); +} + +int spoc_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPOC_64_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOC_64_TAG_SIZE; + + /* Initialize the SpoC-64 state and absorb the associated data */ + spoc_64_init(state, k, npub, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen != 0) { + while (mlen >= SPOC_64_RATE) { + sliscp_light192_permute(state); + lw_xor_block(state + 6, m, 4); + lw_xor_block(state + 18, m + 4, 4); + lw_xor_block_2_src(c, m, state, 4); + lw_xor_block_2_src(c + 4, m + 4, state + 12, 4); + state[0] ^= 0x40; /* domain separation */ + c += SPOC_64_RATE; + m += SPOC_64_RATE; + mlen -= SPOC_64_RATE; + } + if (mlen != 0) { + unsigned temp = (unsigned)mlen; + sliscp_light192_permute(state); + state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */ + while (temp > 0) { + --temp; + unsigned char mbyte = m[temp]; + state[spoc_64_mask_posn[temp]] ^= mbyte; + c[temp] = mbyte ^ state[spoc_64_rate_posn[temp]]; + } + state[0] ^= 0x50; /* domain separation */ + c += mlen; + } + } + + /* Finalize and generate the authentication tag */ + spoc_64_finalize(state, c); + return 0; +} + +int spoc_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[SPOC_64_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOC_64_TAG_SIZE) + return -1; + *mlen = clen - SPOC_64_TAG_SIZE; + + /* Initialize the Spoc-64 state and absorb the associated data */ + spoc_64_init(state, k, npub, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOC_64_TAG_SIZE; + if (clen != 0) { + while (clen >= SPOC_64_RATE) { + sliscp_light192_permute(state); + lw_xor_block_2_src(m, c, state, 4); + lw_xor_block_2_src(m + 4, c + 4, state + 12, 4); + lw_xor_block(state + 6, m, 4); + lw_xor_block(state + 18, m + 4, 4); + state[0] ^= 0x40; /* domain separation */ + c += SPOC_64_RATE; + m += SPOC_64_RATE; + clen -= SPOC_64_RATE; + } + if (clen != 0) { + unsigned temp = (unsigned)clen; + sliscp_light192_permute(state); + state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */ + while (temp > 0) { + --temp; + unsigned char mbyte = c[temp] ^ state[spoc_64_rate_posn[temp]]; + state[spoc_64_mask_posn[temp]] ^= mbyte; + m[temp] = mbyte; + } + state[0] ^= 0x50; /* domain separation */ + c += clen; + } + } + + /* Finalize and check the authentication tag */ + spoc_64_finalize(state, state); + return aead_check_tag(mtemp, *mlen, state, c, SPOC_64_TAG_SIZE); +} diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.h new file mode 100644 index 0000000..712c2d0 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.h @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPOC_H +#define LWCRYPTO_SPOC_H + +#include "aead-common.h" + +/** + * \file spoc.h + * \brief SpoC authenticated encryption algorithm. + * + * SpoC is a family of authenticated encryption algorithms with two + * members, SpoC-128 and Spoc-64. The algorithms use a Beetle-like + * sponge construction built on top of the sLiSCP-light permutation. + * + * \li Spoc-128 has a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * It is built around the 256-bit version of the sLiSCP-light permutation. + * This is the primary member of the family. + * \li Spoc-64 has a 128-bit key, a 128-bit nonce, and a 64-bit tag. + * It is built around the 192-bit version of the sLiSCP-light permutation. + * + * Spoc-128 has good performance on small packets (16 bytes or less) + * on 32-bit embedded platforms. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/spoc + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SpoC variants. + */ +#define SPOC_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for SpoC-128. + */ +#define SPOC_128_TAG_SIZE 16 + +/** + * \brief Size of the authentication tag for SpoC-64. + */ +#define SPOC_64_TAG_SIZE 8 + +/** + * \brief Size of the nonce for all SpoC variants. + */ +#define SPOC_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the SpoC-128 cipher. + */ +extern aead_cipher_t const spoc_128_cipher; + +/** + * \brief Meta-information block for the SpoC-64 cipher. + */ +extern aead_cipher_t const spoc_64_cipher; + +/** + * \brief Encrypts and authenticates a packet with SpoC-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spoc_128_aead_decrypt() + */ +int spoc_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SpoC-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spoc_128_aead_encrypt() + */ +int spoc_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SpoC-64. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spoc_64_aead_decrypt() + */ +int spoc_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SpoC-64. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spoc_64_aead_encrypt() + */ +int spoc_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.c b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/api.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/api.h new file mode 100644 index 0000000..fb1dab8 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 32 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/encrypt.c b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/encrypt.c new file mode 100644 index 0000000..df13efc --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "spook.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return spook_128_384_mu_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return spook_128_384_mu_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.c b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.c new file mode 100644 index 0000000..0e19216 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.c @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-spook.h" + +/** + * \brief Number of steps in the Clyde-128 block cipher. + * + * This is also the number of steps in the Shadow-512 and Shadow-384 + * permutations. + */ +#define CLYDE128_STEPS 6 + +/** + * \brief Round constants for the steps of Clyde-128. + */ +static uint8_t const rc[CLYDE128_STEPS][8] = { + {1, 0, 0, 0, 0, 1, 0, 0}, + {0, 0, 1, 0, 0, 0, 0, 1}, + {1, 1, 0, 0, 0, 1, 1, 0}, + {0, 0, 1, 1, 1, 1, 0, 1}, + {1, 0, 1, 0, 0, 1, 0, 1}, + {1, 1, 1, 0, 0, 1, 1, 1} +}; + +void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const uint32_t input[CLYDE128_BLOCK_SIZE / 4]) +{ + uint32_t k0, k1, k2, k3; + uint32_t t0, t1, t2, t3; + uint32_t s0, s1, s2, s3; + uint32_t c, d; + int step; + + /* Unpack the key, tweak, and state */ + k0 = le_load_word32(key); + k1 = le_load_word32(key + 4); + k2 = le_load_word32(key + 8); + k3 = le_load_word32(key + 12); +#if defined(LW_UTIL_LITTLE_ENDIAN) + t0 = tweak[0]; + t1 = tweak[1]; + t2 = tweak[2]; + t3 = tweak[3]; + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; +#else + t0 = le_load_word32((const unsigned char *)&(tweak[0])); + t1 = le_load_word32((const unsigned char *)&(tweak[1])); + t2 = le_load_word32((const unsigned char *)&(tweak[2])); + t3 = le_load_word32((const unsigned char *)&(tweak[3])); + s0 = le_load_word32((const unsigned char *)&(input[0])); + s1 = le_load_word32((const unsigned char *)&(input[1])); + s2 = le_load_word32((const unsigned char *)&(input[2])); + s3 = le_load_word32((const unsigned char *)&(input[3])); +#endif + + /* Add the initial tweakey to the state */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Perform the two rounds of this step */ + #define clyde128_sbox(s0, s1, s2, s3) \ + do { \ + c = (s0 & s1) ^ s2; \ + d = (s3 & s0) ^ s1; \ + s2 = (c & d) ^ s3; \ + s3 = (c & s3) ^ s0; \ + s0 = d; \ + s1 = c; \ + } while (0) + #define clyde128_lbox(x, y) \ + do { \ + c = x ^ rightRotate12(x); \ + d = y ^ rightRotate12(y); \ + c ^= rightRotate3(c); \ + d ^= rightRotate3(d); \ + x = c ^ leftRotate15(x); \ + y = d ^ leftRotate15(y); \ + c = x ^ leftRotate1(x); \ + d = y ^ leftRotate1(y); \ + x ^= leftRotate6(d); \ + y ^= leftRotate7(c); \ + x ^= rightRotate15(c); \ + y ^= rightRotate15(d); \ + } while (0) + clyde128_sbox(s0, s1, s2, s3); + clyde128_lbox(s0, s1); + clyde128_lbox(s2, s3); + s0 ^= rc[step][0]; + s1 ^= rc[step][1]; + s2 ^= rc[step][2]; + s3 ^= rc[step][3]; + clyde128_sbox(s0, s1, s2, s3); + clyde128_lbox(s0, s1); + clyde128_lbox(s2, s3); + s0 ^= rc[step][4]; + s1 ^= rc[step][5]; + s2 ^= rc[step][6]; + s3 ^= rc[step][7]; + + /* Update the tweakey on the fly and add it to the state */ + c = t2 ^ t0; + d = t3 ^ t1; + t2 = t0; + t3 = t1; + t0 = c; + t1 = d; + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + } + + /* Pack the state into the output buffer */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +#else + le_store_word32((unsigned char *)&(output[0]), s0); + le_store_word32((unsigned char *)&(output[1]), s1); + le_store_word32((unsigned char *)&(output[2]), s2); + le_store_word32((unsigned char *)&(output[3]), s3); +#endif +} + +void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const unsigned char input[CLYDE128_BLOCK_SIZE]) +{ + uint32_t k0, k1, k2, k3; + uint32_t t0, t1, t2, t3; + uint32_t s0, s1, s2, s3; + uint32_t a, b, d; + int step; + + /* Unpack the key, tweak, and state */ + k0 = le_load_word32(key); + k1 = le_load_word32(key + 4); + k2 = le_load_word32(key + 8); + k3 = le_load_word32(key + 12); +#if defined(LW_UTIL_LITTLE_ENDIAN) + t0 = tweak[0]; + t1 = tweak[1]; + t2 = tweak[2]; + t3 = tweak[3]; +#else + t0 = le_load_word32((const unsigned char *)&(tweak[0])); + t1 = le_load_word32((const unsigned char *)&(tweak[1])); + t2 = le_load_word32((const unsigned char *)&(tweak[2])); + t3 = le_load_word32((const unsigned char *)&(tweak[3])); +#endif + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all rounds in pairs */ + for (step = CLYDE128_STEPS - 1; step >= 0; --step) { + /* Add the tweakey to the state and update the tweakey */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + a = t2 ^ t0; + b = t3 ^ t1; + t0 = t2; + t1 = t3; + t2 = a; + t3 = b; + + /* Perform the two rounds of this step */ + #define clyde128_inv_sbox(s0, s1, s2, s3) \ + do { \ + d = (s0 & s1) ^ s2; \ + a = (s1 & d) ^ s3; \ + b = (d & a) ^ s0; \ + s2 = (a & b) ^ s1; \ + s0 = a; \ + s1 = b; \ + s3 = d; \ + } while (0) + #define clyde128_inv_lbox(x, y) \ + do { \ + a = x ^ leftRotate7(x); \ + b = y ^ leftRotate7(y); \ + x ^= leftRotate1(a); \ + y ^= leftRotate1(b); \ + x ^= leftRotate12(a); \ + y ^= leftRotate12(b); \ + a = x ^ leftRotate1(x); \ + b = y ^ leftRotate1(y); \ + x ^= leftRotate6(b); \ + y ^= leftRotate7(a); \ + a ^= leftRotate15(x); \ + b ^= leftRotate15(y); \ + x = rightRotate16(a); \ + y = rightRotate16(b); \ + } while (0) + s0 ^= rc[step][4]; + s1 ^= rc[step][5]; + s2 ^= rc[step][6]; + s3 ^= rc[step][7]; + clyde128_inv_lbox(s0, s1); + clyde128_inv_lbox(s2, s3); + clyde128_inv_sbox(s0, s1, s2, s3); + s0 ^= rc[step][0]; + s1 ^= rc[step][1]; + s2 ^= rc[step][2]; + s3 ^= rc[step][3]; + clyde128_inv_lbox(s0, s1); + clyde128_inv_lbox(s2, s3); + clyde128_inv_sbox(s0, s1, s2, s3); + } + + /* Add the tweakey to the state one last time */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + + /* Pack the state into the output buffer */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +#else + le_store_word32((unsigned char *)&(output[0]), s0); + le_store_word32((unsigned char *)&(output[1]), s1); + le_store_word32((unsigned char *)&(output[2]), s2); + le_store_word32((unsigned char *)&(output[3]), s3); +#endif +} + +void shadow512(shadow512_state_t *state) +{ + uint32_t s00, s01, s02, s03; + uint32_t s10, s11, s12, s13; + uint32_t s20, s21, s22, s23; + uint32_t s30, s31, s32, s33; + uint32_t c, d, w, x, y, z; + int step; + + /* Unpack the state into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s00 = state->W[0]; + s01 = state->W[1]; + s02 = state->W[2]; + s03 = state->W[3]; + s10 = state->W[4]; + s11 = state->W[5]; + s12 = state->W[6]; + s13 = state->W[7]; + s20 = state->W[8]; + s21 = state->W[9]; + s22 = state->W[10]; + s23 = state->W[11]; + s30 = state->W[12]; + s31 = state->W[13]; + s32 = state->W[14]; + s33 = state->W[15]; +#else + s00 = le_load_word32(state->B); + s01 = le_load_word32(state->B + 4); + s02 = le_load_word32(state->B + 8); + s03 = le_load_word32(state->B + 12); + s10 = le_load_word32(state->B + 16); + s11 = le_load_word32(state->B + 20); + s12 = le_load_word32(state->B + 24); + s13 = le_load_word32(state->B + 28); + s20 = le_load_word32(state->B + 32); + s21 = le_load_word32(state->B + 36); + s22 = le_load_word32(state->B + 40); + s23 = le_load_word32(state->B + 44); + s30 = le_load_word32(state->B + 48); + s31 = le_load_word32(state->B + 52); + s32 = le_load_word32(state->B + 56); + s33 = le_load_word32(state->B + 60); +#endif + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Apply the S-box and L-box to bundle 0 */ + clyde128_sbox(s00, s01, s02, s03); + clyde128_lbox(s00, s01); + clyde128_lbox(s02, s03); + s00 ^= rc[step][0]; + s01 ^= rc[step][1]; + s02 ^= rc[step][2]; + s03 ^= rc[step][3]; + clyde128_sbox(s00, s01, s02, s03); + + /* Apply the S-box and L-box to bundle 1 */ + clyde128_sbox(s10, s11, s12, s13); + clyde128_lbox(s10, s11); + clyde128_lbox(s12, s13); + s10 ^= rc[step][0] << 1; + s11 ^= rc[step][1] << 1; + s12 ^= rc[step][2] << 1; + s13 ^= rc[step][3] << 1; + clyde128_sbox(s10, s11, s12, s13); + + /* Apply the S-box and L-box to bundle 2 */ + clyde128_sbox(s20, s21, s22, s23); + clyde128_lbox(s20, s21); + clyde128_lbox(s22, s23); + s20 ^= rc[step][0] << 2; + s21 ^= rc[step][1] << 2; + s22 ^= rc[step][2] << 2; + s23 ^= rc[step][3] << 2; + clyde128_sbox(s20, s21, s22, s23); + + /* Apply the S-box and L-box to bundle 3 */ + clyde128_sbox(s30, s31, s32, s33); + clyde128_lbox(s30, s31); + clyde128_lbox(s32, s33); + s30 ^= rc[step][0] << 3; + s31 ^= rc[step][1] << 3; + s32 ^= rc[step][2] << 3; + s33 ^= rc[step][3] << 3; + clyde128_sbox(s30, s31, s32, s33); + + /* Apply the diffusion layer to the rows of the state */ + #define shadow512_diffusion_layer(row) \ + do { \ + w = s0##row; \ + x = s1##row; \ + y = s2##row; \ + z = s3##row; \ + c = w ^ x; \ + d = y ^ z; \ + s0##row = x ^ d; \ + s1##row = w ^ d; \ + s2##row = c ^ z; \ + s3##row = c ^ y; \ + } while (0) + shadow512_diffusion_layer(0); + shadow512_diffusion_layer(1); + shadow512_diffusion_layer(2); + shadow512_diffusion_layer(3); + + /* Add round constants to all bundles again */ + s00 ^= rc[step][4]; + s01 ^= rc[step][5]; + s02 ^= rc[step][6]; + s03 ^= rc[step][7]; + s10 ^= rc[step][4] << 1; + s11 ^= rc[step][5] << 1; + s12 ^= rc[step][6] << 1; + s13 ^= rc[step][7] << 1; + s20 ^= rc[step][4] << 2; + s21 ^= rc[step][5] << 2; + s22 ^= rc[step][6] << 2; + s23 ^= rc[step][7] << 2; + s30 ^= rc[step][4] << 3; + s31 ^= rc[step][5] << 3; + s32 ^= rc[step][6] << 3; + s33 ^= rc[step][7] << 3; + } + + /* Pack the local variables back into the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = s00; + state->W[1] = s01; + state->W[2] = s02; + state->W[3] = s03; + state->W[4] = s10; + state->W[5] = s11; + state->W[6] = s12; + state->W[7] = s13; + state->W[8] = s20; + state->W[9] = s21; + state->W[10] = s22; + state->W[11] = s23; + state->W[12] = s30; + state->W[13] = s31; + state->W[14] = s32; + state->W[15] = s33; +#else + le_store_word32(state->B, s00); + le_store_word32(state->B + 4, s01); + le_store_word32(state->B + 8, s02); + le_store_word32(state->B + 12, s03); + le_store_word32(state->B + 16, s10); + le_store_word32(state->B + 20, s11); + le_store_word32(state->B + 24, s12); + le_store_word32(state->B + 28, s13); + le_store_word32(state->B + 32, s20); + le_store_word32(state->B + 36, s21); + le_store_word32(state->B + 40, s22); + le_store_word32(state->B + 44, s23); + le_store_word32(state->B + 48, s30); + le_store_word32(state->B + 52, s31); + le_store_word32(state->B + 56, s32); + le_store_word32(state->B + 60, s33); +#endif +} + +void shadow384(shadow384_state_t *state) +{ + uint32_t s00, s01, s02, s03; + uint32_t s10, s11, s12, s13; + uint32_t s20, s21, s22, s23; + uint32_t c, d, x, y, z; + int step; + + /* Unpack the state into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s00 = state->W[0]; + s01 = state->W[1]; + s02 = state->W[2]; + s03 = state->W[3]; + s10 = state->W[4]; + s11 = state->W[5]; + s12 = state->W[6]; + s13 = state->W[7]; + s20 = state->W[8]; + s21 = state->W[9]; + s22 = state->W[10]; + s23 = state->W[11]; +#else + s00 = le_load_word32(state->B); + s01 = le_load_word32(state->B + 4); + s02 = le_load_word32(state->B + 8); + s03 = le_load_word32(state->B + 12); + s10 = le_load_word32(state->B + 16); + s11 = le_load_word32(state->B + 20); + s12 = le_load_word32(state->B + 24); + s13 = le_load_word32(state->B + 28); + s20 = le_load_word32(state->B + 32); + s21 = le_load_word32(state->B + 36); + s22 = le_load_word32(state->B + 40); + s23 = le_load_word32(state->B + 44); +#endif + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Apply the S-box and L-box to bundle 0 */ + clyde128_sbox(s00, s01, s02, s03); + clyde128_lbox(s00, s01); + clyde128_lbox(s02, s03); + s00 ^= rc[step][0]; + s01 ^= rc[step][1]; + s02 ^= rc[step][2]; + s03 ^= rc[step][3]; + clyde128_sbox(s00, s01, s02, s03); + + /* Apply the S-box and L-box to bundle 1 */ + clyde128_sbox(s10, s11, s12, s13); + clyde128_lbox(s10, s11); + clyde128_lbox(s12, s13); + s10 ^= rc[step][0] << 1; + s11 ^= rc[step][1] << 1; + s12 ^= rc[step][2] << 1; + s13 ^= rc[step][3] << 1; + clyde128_sbox(s10, s11, s12, s13); + + /* Apply the S-box and L-box to bundle 2 */ + clyde128_sbox(s20, s21, s22, s23); + clyde128_lbox(s20, s21); + clyde128_lbox(s22, s23); + s20 ^= rc[step][0] << 2; + s21 ^= rc[step][1] << 2; + s22 ^= rc[step][2] << 2; + s23 ^= rc[step][3] << 2; + clyde128_sbox(s20, s21, s22, s23); + + /* Apply the diffusion layer to the rows of the state */ + #define shadow384_diffusion_layer(row) \ + do { \ + x = s0##row; \ + y = s1##row; \ + z = s2##row; \ + s0##row = x ^ y ^ z; \ + s1##row = x ^ z; \ + s2##row = x ^ y; \ + } while (0) + shadow384_diffusion_layer(0); + shadow384_diffusion_layer(1); + shadow384_diffusion_layer(2); + shadow384_diffusion_layer(3); + + /* Add round constants to all bundles again */ + s00 ^= rc[step][4]; + s01 ^= rc[step][5]; + s02 ^= rc[step][6]; + s03 ^= rc[step][7]; + s10 ^= rc[step][4] << 1; + s11 ^= rc[step][5] << 1; + s12 ^= rc[step][6] << 1; + s13 ^= rc[step][7] << 1; + s20 ^= rc[step][4] << 2; + s21 ^= rc[step][5] << 2; + s22 ^= rc[step][6] << 2; + s23 ^= rc[step][7] << 2; + } + + /* Pack the local variables back into the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = s00; + state->W[1] = s01; + state->W[2] = s02; + state->W[3] = s03; + state->W[4] = s10; + state->W[5] = s11; + state->W[6] = s12; + state->W[7] = s13; + state->W[8] = s20; + state->W[9] = s21; + state->W[10] = s22; + state->W[11] = s23; +#else + le_store_word32(state->B, s00); + le_store_word32(state->B + 4, s01); + le_store_word32(state->B + 8, s02); + le_store_word32(state->B + 12, s03); + le_store_word32(state->B + 16, s10); + le_store_word32(state->B + 20, s11); + le_store_word32(state->B + 24, s12); + le_store_word32(state->B + 28, s13); + le_store_word32(state->B + 32, s20); + le_store_word32(state->B + 36, s21); + le_store_word32(state->B + 40, s22); + le_store_word32(state->B + 44, s23); +#endif +} diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.h new file mode 100644 index 0000000..b08ce80 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-spook.h @@ -0,0 +1,146 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPOOK_H +#define LW_INTERNAL_SPOOK_H + +#include "internal-util.h" + +/** + * \file internal-spook.h + * \brief Internal implementation details of the Spook AEAD mode. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the block for the Clyde-128 block cipher. + */ +#define CLYDE128_BLOCK_SIZE 16 + +/** + * \brief Size of the key for the Clyde-128 block cipher. + */ +#define CLYDE128_KEY_SIZE 16 + +/** + * \brief Size of the tweak for the Clyde-128 block cipher. + */ +#define CLYDE128_TWEAK_SIZE 16 + +/** + * \brief Size of the state for Shadow-512. + */ +#define SHADOW512_STATE_SIZE 64 + +/** + * \brief Rate to absorb data into or squeeze data out of a Shadow-512 state. + */ +#define SHADOW512_RATE 32 + +/** + * \brief Size of the state for Shadow-384. + */ +#define SHADOW384_STATE_SIZE 48 + +/** + * \brief Rate to absorb data into or squeeze data out of a Shadow-384 state. + */ +#define SHADOW384_RATE 16 + +/** + * \brief Internal state of the Shadow-512 permutation. + */ +typedef union +{ + uint32_t W[SHADOW512_STATE_SIZE / 4]; /**< Words of the state */ + uint8_t B[SHADOW512_STATE_SIZE]; /**< Bytes of the state */ + +} shadow512_state_t; + +/** + * \brief Internal state of the Shadow-384 permutation. + */ +typedef union +{ + uint32_t W[SHADOW384_STATE_SIZE / 4]; /**< Words of the state */ + uint8_t B[SHADOW384_STATE_SIZE]; /**< Bytes of the state */ + +} shadow384_state_t; + +/** + * \brief Encrypts a block with the Clyde-128 block cipher. + * + * \param key Points to the key to encrypt with. + * \param tweak Points to the tweak to encrypt with. + * \param output Output buffer for the ciphertext. + * \param input Input buffer for the plaintext. + * + * \sa clyde128_decrypt() + */ +void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const uint32_t input[CLYDE128_BLOCK_SIZE / 4]); + +/** + * \brief Decrypts a block with the Clyde-128 block cipher. + * + * \param key Points to the key to decrypt with. + * \param tweak Points to the tweak to decrypt with. + * \param output Output buffer for the plaintext. + * \param input Input buffer for the ciphertext. + * + * \sa clyde128_encrypt() + */ +void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const unsigned char input[CLYDE128_BLOCK_SIZE]); + +/** + * \brief Performs the Shadow-512 permutation on a state. + * + * \param state The Shadow-512 state which will be in little-endian + * byte order on input and output. + * + * \sa shadow384() + */ +void shadow512(shadow512_state_t *state); + +/** + * \brief Performs the Shadow-384 permutation on a state. + * + * \param state The Shadow-384 state which will be in little-endian + * byte order on input and output. + * + * \sa shadow512() + */ +void shadow384(shadow384_state_t *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-util.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.c b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.c new file mode 100644 index 0000000..d075b33 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.c @@ -0,0 +1,552 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "spook.h" +#include "internal-spook.h" +#include "internal-util.h" +#include + +aead_cipher_t const spook_128_512_su_cipher = { + "Spook-128-512-su", + SPOOK_SU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_512_su_aead_encrypt, + spook_128_512_su_aead_decrypt +}; + +aead_cipher_t const spook_128_384_su_cipher = { + "Spook-128-384-su", + SPOOK_SU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_384_su_aead_encrypt, + spook_128_384_su_aead_decrypt +}; + +aead_cipher_t const spook_128_512_mu_cipher = { + "Spook-128-512-mu", + SPOOK_MU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_512_mu_aead_encrypt, + spook_128_512_mu_aead_decrypt +}; + +aead_cipher_t const spook_128_384_mu_cipher = { + "Spook-128-384-mu", + SPOOK_MU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_384_mu_aead_encrypt, + spook_128_384_mu_aead_decrypt +}; + +/** + * \brief Initializes the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param k Points to the key. + * \param klen Length of the key in bytes, either 16 or 32. + * \param npub Public nonce for the state. + */ +static void spook_128_512_init + (shadow512_state_t *state, + const unsigned char *k, unsigned klen, + const unsigned char *npub) +{ + memset(state->B, 0, SHADOW512_STATE_SIZE); + if (klen == SPOOK_MU_KEY_SIZE) { + /* The public tweak is 126 bits in size followed by a 1 bit */ + memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE); + state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F; + state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40; + } + memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE); + clyde128_encrypt(k, state->W, state->W + 12, state->W + 4); + shadow512(state); +} + +/** + * \brief Initializes the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param k Points to the key. + * \param klen Length of the key in bytes, either 16 or 32. + * \param npub Public nonce for the state. + */ +static void spook_128_384_init + (shadow384_state_t *state, + const unsigned char *k, unsigned klen, + const unsigned char *npub) +{ + memset(state->B, 0, SHADOW384_STATE_SIZE); + if (klen == SPOOK_MU_KEY_SIZE) { + /* The public tweak is 126 bits in size followed by a 1 bit */ + memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE); + state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F; + state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40; + } + memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE); + clyde128_encrypt(k, state->W, state->W + 8, state->W + 4); + shadow384(state); +} + +/** + * \brief Absorbs associated data into the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void spook_128_512_absorb + (shadow512_state_t *state, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= SHADOW512_RATE) { + lw_xor_block(state->B, ad, SHADOW512_RATE); + shadow512(state); + ad += SHADOW512_RATE; + adlen -= SHADOW512_RATE; + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Absorbs associated data into the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void spook_128_384_absorb + (shadow384_state_t *state, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= SHADOW384_RATE) { + lw_xor_block(state->B, ad, SHADOW384_RATE); + shadow384(state); + ad += SHADOW384_RATE; + adlen -= SHADOW384_RATE; + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +/** + * \brief Encrypts the plaintext with the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void spook_128_512_encrypt + (shadow512_state_t *state, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + state->B[SHADOW512_RATE] ^= 0x01; + while (mlen >= SHADOW512_RATE) { + lw_xor_block_2_dest(c, state->B, m, SHADOW512_RATE); + shadow512(state); + c += SHADOW512_RATE; + m += SHADOW512_RATE; + mlen -= SHADOW512_RATE; + } + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state->B, m, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Encrypts the plaintext with the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void spook_128_384_encrypt + (shadow384_state_t *state, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + state->B[SHADOW384_RATE] ^= 0x01; + while (mlen >= SHADOW384_RATE) { + lw_xor_block_2_dest(c, state->B, m, SHADOW384_RATE); + shadow384(state); + c += SHADOW384_RATE; + m += SHADOW384_RATE; + mlen -= SHADOW384_RATE; + } + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state->B, m, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +/** + * \brief Decrypts the ciphertext with the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param clen Number of bytes of ciphertext to be decrypted. + */ +static void spook_128_512_decrypt + (shadow512_state_t *state, unsigned char *m, + const unsigned char *c, unsigned long long clen) +{ + state->B[SHADOW512_RATE] ^= 0x01; + while (clen >= SHADOW512_RATE) { + lw_xor_block_swap(m, state->B, c, SHADOW512_RATE); + shadow512(state); + c += SHADOW512_RATE; + m += SHADOW512_RATE; + clen -= SHADOW512_RATE; + } + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block_swap(m, state->B, c, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Decrypts the ciphertext with the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param clen Number of bytes of ciphertext to be decrypted. + */ +static void spook_128_384_decrypt + (shadow384_state_t *state, unsigned char *m, + const unsigned char *c, unsigned long long clen) +{ + state->B[SHADOW384_RATE] ^= 0x01; + while (clen >= SHADOW384_RATE) { + lw_xor_block_swap(m, state->B, c, SHADOW384_RATE); + shadow384(state); + c += SHADOW384_RATE; + m += SHADOW384_RATE; + clen -= SHADOW384_RATE; + } + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block_swap(m, state->B, c, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +int spook_128_512_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_512_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_512_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_512_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_384_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_384_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_384_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_384_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_512_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_512_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_512_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_512_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_384_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_384_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_384_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_384_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.h new file mode 100644 index 0000000..68b6a25 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/spook.h @@ -0,0 +1,344 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPOOK_H +#define LWCRYPTO_SPOOK_H + +#include "aead-common.h" + +/** + * \file spook.h + * \brief Spook authenticated encryption algorithm. + * + * Spook is a family of authenticated encryption algorithms that are + * built around a tweakable block cipher and a permutation. If the + * tweakable block cipher is implemented as a masked block cipher, + * then Spook provides protection against power analysis side channels. + * + * There are four members in the Spook family: + * + * \li Spook-128-512-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * Internally the algorithm uses a 512-bit permutation. This is the primary + * member of the family. + * \li Spook-128-384-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * Internally the algorithm uses a 384-bit permutation. + * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit + * nonce, and a 128-bit tag. Internally the algorithm uses a 512-bit + * permutation. + * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit + * nonce, and a 128-bit tag. Internally the algorithm uses a 384-bit + * permutation. + * + * In this library, the "mu" (multi-user) variants combine the 128-bit key + * and the 128-bit public tweak into a single 256-bit key value. + * Applications can either view this as a cipher with a 256-bit key, + * or they can split the key value into secret and public halves. + * Even with the use of 256-bit keys, Spook only has 128-bit security. + * + * References: https://www.spook.dev/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for the single-user version of Spook. + */ +#define SPOOK_SU_KEY_SIZE 16 + +/** + * \brief Size of the key for the multi-user version of Spook. + */ +#define SPOOK_MU_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for all Spook family members. + */ +#define SPOOK_TAG_SIZE 16 + +/** + * \brief Size of the nonce for all Spook family members. + */ +#define SPOOK_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the Spook-128-512-su cipher. + */ +extern aead_cipher_t const spook_128_512_su_cipher; + +/** + * \brief Meta-information block for the Spook-128-384-su cipher. + */ +extern aead_cipher_t const spook_128_384_su_cipher; + +/** + * \brief Meta-information block for the Spook-128-512-mu cipher. + */ +extern aead_cipher_t const spook_128_512_mu_cipher; + +/** + * \brief Meta-information block for the Spook-128-384-mu cipher. + */ +extern aead_cipher_t const spook_128_384_mu_cipher; + +/** + * \brief Encrypts and authenticates a packet with Spook-128-512-su. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_512_su_aead_decrypt() + */ +int spook_128_512_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-512-su. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_512_su_aead_encrypt() + */ +int spook_128_512_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-384-su. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_384_su_aead_decrypt() + */ +int spook_128_384_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-384-su. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_384_su_aead_encrypt() + */ +int spook_128_384_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-512-mu. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_512_mu_aead_decrypt() + */ +int spook_128_512_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-512-mu. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_512_mu_aead_encrypt() + */ +int spook_128_512_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-384-mu. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_384_mu_aead_decrypt() + */ +int spook_128_384_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-384-mu. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_384_mu_aead_encrypt() + */ +int spook_128_384_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.c b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/api.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/api.h new file mode 100644 index 0000000..fb1dab8 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 32 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/encrypt.c b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/encrypt.c new file mode 100644 index 0000000..52c6ec8 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "spook.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return spook_128_512_mu_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return spook_128_512_mu_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.c b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.c new file mode 100644 index 0000000..0e19216 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.c @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-spook.h" + +/** + * \brief Number of steps in the Clyde-128 block cipher. + * + * This is also the number of steps in the Shadow-512 and Shadow-384 + * permutations. + */ +#define CLYDE128_STEPS 6 + +/** + * \brief Round constants for the steps of Clyde-128. + */ +static uint8_t const rc[CLYDE128_STEPS][8] = { + {1, 0, 0, 0, 0, 1, 0, 0}, + {0, 0, 1, 0, 0, 0, 0, 1}, + {1, 1, 0, 0, 0, 1, 1, 0}, + {0, 0, 1, 1, 1, 1, 0, 1}, + {1, 0, 1, 0, 0, 1, 0, 1}, + {1, 1, 1, 0, 0, 1, 1, 1} +}; + +void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const uint32_t input[CLYDE128_BLOCK_SIZE / 4]) +{ + uint32_t k0, k1, k2, k3; + uint32_t t0, t1, t2, t3; + uint32_t s0, s1, s2, s3; + uint32_t c, d; + int step; + + /* Unpack the key, tweak, and state */ + k0 = le_load_word32(key); + k1 = le_load_word32(key + 4); + k2 = le_load_word32(key + 8); + k3 = le_load_word32(key + 12); +#if defined(LW_UTIL_LITTLE_ENDIAN) + t0 = tweak[0]; + t1 = tweak[1]; + t2 = tweak[2]; + t3 = tweak[3]; + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; +#else + t0 = le_load_word32((const unsigned char *)&(tweak[0])); + t1 = le_load_word32((const unsigned char *)&(tweak[1])); + t2 = le_load_word32((const unsigned char *)&(tweak[2])); + t3 = le_load_word32((const unsigned char *)&(tweak[3])); + s0 = le_load_word32((const unsigned char *)&(input[0])); + s1 = le_load_word32((const unsigned char *)&(input[1])); + s2 = le_load_word32((const unsigned char *)&(input[2])); + s3 = le_load_word32((const unsigned char *)&(input[3])); +#endif + + /* Add the initial tweakey to the state */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Perform the two rounds of this step */ + #define clyde128_sbox(s0, s1, s2, s3) \ + do { \ + c = (s0 & s1) ^ s2; \ + d = (s3 & s0) ^ s1; \ + s2 = (c & d) ^ s3; \ + s3 = (c & s3) ^ s0; \ + s0 = d; \ + s1 = c; \ + } while (0) + #define clyde128_lbox(x, y) \ + do { \ + c = x ^ rightRotate12(x); \ + d = y ^ rightRotate12(y); \ + c ^= rightRotate3(c); \ + d ^= rightRotate3(d); \ + x = c ^ leftRotate15(x); \ + y = d ^ leftRotate15(y); \ + c = x ^ leftRotate1(x); \ + d = y ^ leftRotate1(y); \ + x ^= leftRotate6(d); \ + y ^= leftRotate7(c); \ + x ^= rightRotate15(c); \ + y ^= rightRotate15(d); \ + } while (0) + clyde128_sbox(s0, s1, s2, s3); + clyde128_lbox(s0, s1); + clyde128_lbox(s2, s3); + s0 ^= rc[step][0]; + s1 ^= rc[step][1]; + s2 ^= rc[step][2]; + s3 ^= rc[step][3]; + clyde128_sbox(s0, s1, s2, s3); + clyde128_lbox(s0, s1); + clyde128_lbox(s2, s3); + s0 ^= rc[step][4]; + s1 ^= rc[step][5]; + s2 ^= rc[step][6]; + s3 ^= rc[step][7]; + + /* Update the tweakey on the fly and add it to the state */ + c = t2 ^ t0; + d = t3 ^ t1; + t2 = t0; + t3 = t1; + t0 = c; + t1 = d; + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + } + + /* Pack the state into the output buffer */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +#else + le_store_word32((unsigned char *)&(output[0]), s0); + le_store_word32((unsigned char *)&(output[1]), s1); + le_store_word32((unsigned char *)&(output[2]), s2); + le_store_word32((unsigned char *)&(output[3]), s3); +#endif +} + +void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const unsigned char input[CLYDE128_BLOCK_SIZE]) +{ + uint32_t k0, k1, k2, k3; + uint32_t t0, t1, t2, t3; + uint32_t s0, s1, s2, s3; + uint32_t a, b, d; + int step; + + /* Unpack the key, tweak, and state */ + k0 = le_load_word32(key); + k1 = le_load_word32(key + 4); + k2 = le_load_word32(key + 8); + k3 = le_load_word32(key + 12); +#if defined(LW_UTIL_LITTLE_ENDIAN) + t0 = tweak[0]; + t1 = tweak[1]; + t2 = tweak[2]; + t3 = tweak[3]; +#else + t0 = le_load_word32((const unsigned char *)&(tweak[0])); + t1 = le_load_word32((const unsigned char *)&(tweak[1])); + t2 = le_load_word32((const unsigned char *)&(tweak[2])); + t3 = le_load_word32((const unsigned char *)&(tweak[3])); +#endif + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all rounds in pairs */ + for (step = CLYDE128_STEPS - 1; step >= 0; --step) { + /* Add the tweakey to the state and update the tweakey */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + a = t2 ^ t0; + b = t3 ^ t1; + t0 = t2; + t1 = t3; + t2 = a; + t3 = b; + + /* Perform the two rounds of this step */ + #define clyde128_inv_sbox(s0, s1, s2, s3) \ + do { \ + d = (s0 & s1) ^ s2; \ + a = (s1 & d) ^ s3; \ + b = (d & a) ^ s0; \ + s2 = (a & b) ^ s1; \ + s0 = a; \ + s1 = b; \ + s3 = d; \ + } while (0) + #define clyde128_inv_lbox(x, y) \ + do { \ + a = x ^ leftRotate7(x); \ + b = y ^ leftRotate7(y); \ + x ^= leftRotate1(a); \ + y ^= leftRotate1(b); \ + x ^= leftRotate12(a); \ + y ^= leftRotate12(b); \ + a = x ^ leftRotate1(x); \ + b = y ^ leftRotate1(y); \ + x ^= leftRotate6(b); \ + y ^= leftRotate7(a); \ + a ^= leftRotate15(x); \ + b ^= leftRotate15(y); \ + x = rightRotate16(a); \ + y = rightRotate16(b); \ + } while (0) + s0 ^= rc[step][4]; + s1 ^= rc[step][5]; + s2 ^= rc[step][6]; + s3 ^= rc[step][7]; + clyde128_inv_lbox(s0, s1); + clyde128_inv_lbox(s2, s3); + clyde128_inv_sbox(s0, s1, s2, s3); + s0 ^= rc[step][0]; + s1 ^= rc[step][1]; + s2 ^= rc[step][2]; + s3 ^= rc[step][3]; + clyde128_inv_lbox(s0, s1); + clyde128_inv_lbox(s2, s3); + clyde128_inv_sbox(s0, s1, s2, s3); + } + + /* Add the tweakey to the state one last time */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + + /* Pack the state into the output buffer */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +#else + le_store_word32((unsigned char *)&(output[0]), s0); + le_store_word32((unsigned char *)&(output[1]), s1); + le_store_word32((unsigned char *)&(output[2]), s2); + le_store_word32((unsigned char *)&(output[3]), s3); +#endif +} + +void shadow512(shadow512_state_t *state) +{ + uint32_t s00, s01, s02, s03; + uint32_t s10, s11, s12, s13; + uint32_t s20, s21, s22, s23; + uint32_t s30, s31, s32, s33; + uint32_t c, d, w, x, y, z; + int step; + + /* Unpack the state into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s00 = state->W[0]; + s01 = state->W[1]; + s02 = state->W[2]; + s03 = state->W[3]; + s10 = state->W[4]; + s11 = state->W[5]; + s12 = state->W[6]; + s13 = state->W[7]; + s20 = state->W[8]; + s21 = state->W[9]; + s22 = state->W[10]; + s23 = state->W[11]; + s30 = state->W[12]; + s31 = state->W[13]; + s32 = state->W[14]; + s33 = state->W[15]; +#else + s00 = le_load_word32(state->B); + s01 = le_load_word32(state->B + 4); + s02 = le_load_word32(state->B + 8); + s03 = le_load_word32(state->B + 12); + s10 = le_load_word32(state->B + 16); + s11 = le_load_word32(state->B + 20); + s12 = le_load_word32(state->B + 24); + s13 = le_load_word32(state->B + 28); + s20 = le_load_word32(state->B + 32); + s21 = le_load_word32(state->B + 36); + s22 = le_load_word32(state->B + 40); + s23 = le_load_word32(state->B + 44); + s30 = le_load_word32(state->B + 48); + s31 = le_load_word32(state->B + 52); + s32 = le_load_word32(state->B + 56); + s33 = le_load_word32(state->B + 60); +#endif + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Apply the S-box and L-box to bundle 0 */ + clyde128_sbox(s00, s01, s02, s03); + clyde128_lbox(s00, s01); + clyde128_lbox(s02, s03); + s00 ^= rc[step][0]; + s01 ^= rc[step][1]; + s02 ^= rc[step][2]; + s03 ^= rc[step][3]; + clyde128_sbox(s00, s01, s02, s03); + + /* Apply the S-box and L-box to bundle 1 */ + clyde128_sbox(s10, s11, s12, s13); + clyde128_lbox(s10, s11); + clyde128_lbox(s12, s13); + s10 ^= rc[step][0] << 1; + s11 ^= rc[step][1] << 1; + s12 ^= rc[step][2] << 1; + s13 ^= rc[step][3] << 1; + clyde128_sbox(s10, s11, s12, s13); + + /* Apply the S-box and L-box to bundle 2 */ + clyde128_sbox(s20, s21, s22, s23); + clyde128_lbox(s20, s21); + clyde128_lbox(s22, s23); + s20 ^= rc[step][0] << 2; + s21 ^= rc[step][1] << 2; + s22 ^= rc[step][2] << 2; + s23 ^= rc[step][3] << 2; + clyde128_sbox(s20, s21, s22, s23); + + /* Apply the S-box and L-box to bundle 3 */ + clyde128_sbox(s30, s31, s32, s33); + clyde128_lbox(s30, s31); + clyde128_lbox(s32, s33); + s30 ^= rc[step][0] << 3; + s31 ^= rc[step][1] << 3; + s32 ^= rc[step][2] << 3; + s33 ^= rc[step][3] << 3; + clyde128_sbox(s30, s31, s32, s33); + + /* Apply the diffusion layer to the rows of the state */ + #define shadow512_diffusion_layer(row) \ + do { \ + w = s0##row; \ + x = s1##row; \ + y = s2##row; \ + z = s3##row; \ + c = w ^ x; \ + d = y ^ z; \ + s0##row = x ^ d; \ + s1##row = w ^ d; \ + s2##row = c ^ z; \ + s3##row = c ^ y; \ + } while (0) + shadow512_diffusion_layer(0); + shadow512_diffusion_layer(1); + shadow512_diffusion_layer(2); + shadow512_diffusion_layer(3); + + /* Add round constants to all bundles again */ + s00 ^= rc[step][4]; + s01 ^= rc[step][5]; + s02 ^= rc[step][6]; + s03 ^= rc[step][7]; + s10 ^= rc[step][4] << 1; + s11 ^= rc[step][5] << 1; + s12 ^= rc[step][6] << 1; + s13 ^= rc[step][7] << 1; + s20 ^= rc[step][4] << 2; + s21 ^= rc[step][5] << 2; + s22 ^= rc[step][6] << 2; + s23 ^= rc[step][7] << 2; + s30 ^= rc[step][4] << 3; + s31 ^= rc[step][5] << 3; + s32 ^= rc[step][6] << 3; + s33 ^= rc[step][7] << 3; + } + + /* Pack the local variables back into the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = s00; + state->W[1] = s01; + state->W[2] = s02; + state->W[3] = s03; + state->W[4] = s10; + state->W[5] = s11; + state->W[6] = s12; + state->W[7] = s13; + state->W[8] = s20; + state->W[9] = s21; + state->W[10] = s22; + state->W[11] = s23; + state->W[12] = s30; + state->W[13] = s31; + state->W[14] = s32; + state->W[15] = s33; +#else + le_store_word32(state->B, s00); + le_store_word32(state->B + 4, s01); + le_store_word32(state->B + 8, s02); + le_store_word32(state->B + 12, s03); + le_store_word32(state->B + 16, s10); + le_store_word32(state->B + 20, s11); + le_store_word32(state->B + 24, s12); + le_store_word32(state->B + 28, s13); + le_store_word32(state->B + 32, s20); + le_store_word32(state->B + 36, s21); + le_store_word32(state->B + 40, s22); + le_store_word32(state->B + 44, s23); + le_store_word32(state->B + 48, s30); + le_store_word32(state->B + 52, s31); + le_store_word32(state->B + 56, s32); + le_store_word32(state->B + 60, s33); +#endif +} + +void shadow384(shadow384_state_t *state) +{ + uint32_t s00, s01, s02, s03; + uint32_t s10, s11, s12, s13; + uint32_t s20, s21, s22, s23; + uint32_t c, d, x, y, z; + int step; + + /* Unpack the state into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s00 = state->W[0]; + s01 = state->W[1]; + s02 = state->W[2]; + s03 = state->W[3]; + s10 = state->W[4]; + s11 = state->W[5]; + s12 = state->W[6]; + s13 = state->W[7]; + s20 = state->W[8]; + s21 = state->W[9]; + s22 = state->W[10]; + s23 = state->W[11]; +#else + s00 = le_load_word32(state->B); + s01 = le_load_word32(state->B + 4); + s02 = le_load_word32(state->B + 8); + s03 = le_load_word32(state->B + 12); + s10 = le_load_word32(state->B + 16); + s11 = le_load_word32(state->B + 20); + s12 = le_load_word32(state->B + 24); + s13 = le_load_word32(state->B + 28); + s20 = le_load_word32(state->B + 32); + s21 = le_load_word32(state->B + 36); + s22 = le_load_word32(state->B + 40); + s23 = le_load_word32(state->B + 44); +#endif + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Apply the S-box and L-box to bundle 0 */ + clyde128_sbox(s00, s01, s02, s03); + clyde128_lbox(s00, s01); + clyde128_lbox(s02, s03); + s00 ^= rc[step][0]; + s01 ^= rc[step][1]; + s02 ^= rc[step][2]; + s03 ^= rc[step][3]; + clyde128_sbox(s00, s01, s02, s03); + + /* Apply the S-box and L-box to bundle 1 */ + clyde128_sbox(s10, s11, s12, s13); + clyde128_lbox(s10, s11); + clyde128_lbox(s12, s13); + s10 ^= rc[step][0] << 1; + s11 ^= rc[step][1] << 1; + s12 ^= rc[step][2] << 1; + s13 ^= rc[step][3] << 1; + clyde128_sbox(s10, s11, s12, s13); + + /* Apply the S-box and L-box to bundle 2 */ + clyde128_sbox(s20, s21, s22, s23); + clyde128_lbox(s20, s21); + clyde128_lbox(s22, s23); + s20 ^= rc[step][0] << 2; + s21 ^= rc[step][1] << 2; + s22 ^= rc[step][2] << 2; + s23 ^= rc[step][3] << 2; + clyde128_sbox(s20, s21, s22, s23); + + /* Apply the diffusion layer to the rows of the state */ + #define shadow384_diffusion_layer(row) \ + do { \ + x = s0##row; \ + y = s1##row; \ + z = s2##row; \ + s0##row = x ^ y ^ z; \ + s1##row = x ^ z; \ + s2##row = x ^ y; \ + } while (0) + shadow384_diffusion_layer(0); + shadow384_diffusion_layer(1); + shadow384_diffusion_layer(2); + shadow384_diffusion_layer(3); + + /* Add round constants to all bundles again */ + s00 ^= rc[step][4]; + s01 ^= rc[step][5]; + s02 ^= rc[step][6]; + s03 ^= rc[step][7]; + s10 ^= rc[step][4] << 1; + s11 ^= rc[step][5] << 1; + s12 ^= rc[step][6] << 1; + s13 ^= rc[step][7] << 1; + s20 ^= rc[step][4] << 2; + s21 ^= rc[step][5] << 2; + s22 ^= rc[step][6] << 2; + s23 ^= rc[step][7] << 2; + } + + /* Pack the local variables back into the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = s00; + state->W[1] = s01; + state->W[2] = s02; + state->W[3] = s03; + state->W[4] = s10; + state->W[5] = s11; + state->W[6] = s12; + state->W[7] = s13; + state->W[8] = s20; + state->W[9] = s21; + state->W[10] = s22; + state->W[11] = s23; +#else + le_store_word32(state->B, s00); + le_store_word32(state->B + 4, s01); + le_store_word32(state->B + 8, s02); + le_store_word32(state->B + 12, s03); + le_store_word32(state->B + 16, s10); + le_store_word32(state->B + 20, s11); + le_store_word32(state->B + 24, s12); + le_store_word32(state->B + 28, s13); + le_store_word32(state->B + 32, s20); + le_store_word32(state->B + 36, s21); + le_store_word32(state->B + 40, s22); + le_store_word32(state->B + 44, s23); +#endif +} diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.h new file mode 100644 index 0000000..b08ce80 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-spook.h @@ -0,0 +1,146 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPOOK_H +#define LW_INTERNAL_SPOOK_H + +#include "internal-util.h" + +/** + * \file internal-spook.h + * \brief Internal implementation details of the Spook AEAD mode. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the block for the Clyde-128 block cipher. + */ +#define CLYDE128_BLOCK_SIZE 16 + +/** + * \brief Size of the key for the Clyde-128 block cipher. + */ +#define CLYDE128_KEY_SIZE 16 + +/** + * \brief Size of the tweak for the Clyde-128 block cipher. + */ +#define CLYDE128_TWEAK_SIZE 16 + +/** + * \brief Size of the state for Shadow-512. + */ +#define SHADOW512_STATE_SIZE 64 + +/** + * \brief Rate to absorb data into or squeeze data out of a Shadow-512 state. + */ +#define SHADOW512_RATE 32 + +/** + * \brief Size of the state for Shadow-384. + */ +#define SHADOW384_STATE_SIZE 48 + +/** + * \brief Rate to absorb data into or squeeze data out of a Shadow-384 state. + */ +#define SHADOW384_RATE 16 + +/** + * \brief Internal state of the Shadow-512 permutation. + */ +typedef union +{ + uint32_t W[SHADOW512_STATE_SIZE / 4]; /**< Words of the state */ + uint8_t B[SHADOW512_STATE_SIZE]; /**< Bytes of the state */ + +} shadow512_state_t; + +/** + * \brief Internal state of the Shadow-384 permutation. + */ +typedef union +{ + uint32_t W[SHADOW384_STATE_SIZE / 4]; /**< Words of the state */ + uint8_t B[SHADOW384_STATE_SIZE]; /**< Bytes of the state */ + +} shadow384_state_t; + +/** + * \brief Encrypts a block with the Clyde-128 block cipher. + * + * \param key Points to the key to encrypt with. + * \param tweak Points to the tweak to encrypt with. + * \param output Output buffer for the ciphertext. + * \param input Input buffer for the plaintext. + * + * \sa clyde128_decrypt() + */ +void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const uint32_t input[CLYDE128_BLOCK_SIZE / 4]); + +/** + * \brief Decrypts a block with the Clyde-128 block cipher. + * + * \param key Points to the key to decrypt with. + * \param tweak Points to the tweak to decrypt with. + * \param output Output buffer for the plaintext. + * \param input Input buffer for the ciphertext. + * + * \sa clyde128_encrypt() + */ +void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const unsigned char input[CLYDE128_BLOCK_SIZE]); + +/** + * \brief Performs the Shadow-512 permutation on a state. + * + * \param state The Shadow-512 state which will be in little-endian + * byte order on input and output. + * + * \sa shadow384() + */ +void shadow512(shadow512_state_t *state); + +/** + * \brief Performs the Shadow-384 permutation on a state. + * + * \param state The Shadow-384 state which will be in little-endian + * byte order on input and output. + * + * \sa shadow512() + */ +void shadow384(shadow384_state_t *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-util.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.c b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.c new file mode 100644 index 0000000..d075b33 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.c @@ -0,0 +1,552 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "spook.h" +#include "internal-spook.h" +#include "internal-util.h" +#include + +aead_cipher_t const spook_128_512_su_cipher = { + "Spook-128-512-su", + SPOOK_SU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_512_su_aead_encrypt, + spook_128_512_su_aead_decrypt +}; + +aead_cipher_t const spook_128_384_su_cipher = { + "Spook-128-384-su", + SPOOK_SU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_384_su_aead_encrypt, + spook_128_384_su_aead_decrypt +}; + +aead_cipher_t const spook_128_512_mu_cipher = { + "Spook-128-512-mu", + SPOOK_MU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_512_mu_aead_encrypt, + spook_128_512_mu_aead_decrypt +}; + +aead_cipher_t const spook_128_384_mu_cipher = { + "Spook-128-384-mu", + SPOOK_MU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_384_mu_aead_encrypt, + spook_128_384_mu_aead_decrypt +}; + +/** + * \brief Initializes the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param k Points to the key. + * \param klen Length of the key in bytes, either 16 or 32. + * \param npub Public nonce for the state. + */ +static void spook_128_512_init + (shadow512_state_t *state, + const unsigned char *k, unsigned klen, + const unsigned char *npub) +{ + memset(state->B, 0, SHADOW512_STATE_SIZE); + if (klen == SPOOK_MU_KEY_SIZE) { + /* The public tweak is 126 bits in size followed by a 1 bit */ + memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE); + state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F; + state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40; + } + memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE); + clyde128_encrypt(k, state->W, state->W + 12, state->W + 4); + shadow512(state); +} + +/** + * \brief Initializes the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param k Points to the key. + * \param klen Length of the key in bytes, either 16 or 32. + * \param npub Public nonce for the state. + */ +static void spook_128_384_init + (shadow384_state_t *state, + const unsigned char *k, unsigned klen, + const unsigned char *npub) +{ + memset(state->B, 0, SHADOW384_STATE_SIZE); + if (klen == SPOOK_MU_KEY_SIZE) { + /* The public tweak is 126 bits in size followed by a 1 bit */ + memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE); + state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F; + state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40; + } + memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE); + clyde128_encrypt(k, state->W, state->W + 8, state->W + 4); + shadow384(state); +} + +/** + * \brief Absorbs associated data into the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void spook_128_512_absorb + (shadow512_state_t *state, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= SHADOW512_RATE) { + lw_xor_block(state->B, ad, SHADOW512_RATE); + shadow512(state); + ad += SHADOW512_RATE; + adlen -= SHADOW512_RATE; + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Absorbs associated data into the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void spook_128_384_absorb + (shadow384_state_t *state, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= SHADOW384_RATE) { + lw_xor_block(state->B, ad, SHADOW384_RATE); + shadow384(state); + ad += SHADOW384_RATE; + adlen -= SHADOW384_RATE; + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +/** + * \brief Encrypts the plaintext with the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void spook_128_512_encrypt + (shadow512_state_t *state, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + state->B[SHADOW512_RATE] ^= 0x01; + while (mlen >= SHADOW512_RATE) { + lw_xor_block_2_dest(c, state->B, m, SHADOW512_RATE); + shadow512(state); + c += SHADOW512_RATE; + m += SHADOW512_RATE; + mlen -= SHADOW512_RATE; + } + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state->B, m, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Encrypts the plaintext with the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void spook_128_384_encrypt + (shadow384_state_t *state, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + state->B[SHADOW384_RATE] ^= 0x01; + while (mlen >= SHADOW384_RATE) { + lw_xor_block_2_dest(c, state->B, m, SHADOW384_RATE); + shadow384(state); + c += SHADOW384_RATE; + m += SHADOW384_RATE; + mlen -= SHADOW384_RATE; + } + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state->B, m, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +/** + * \brief Decrypts the ciphertext with the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param clen Number of bytes of ciphertext to be decrypted. + */ +static void spook_128_512_decrypt + (shadow512_state_t *state, unsigned char *m, + const unsigned char *c, unsigned long long clen) +{ + state->B[SHADOW512_RATE] ^= 0x01; + while (clen >= SHADOW512_RATE) { + lw_xor_block_swap(m, state->B, c, SHADOW512_RATE); + shadow512(state); + c += SHADOW512_RATE; + m += SHADOW512_RATE; + clen -= SHADOW512_RATE; + } + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block_swap(m, state->B, c, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Decrypts the ciphertext with the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param clen Number of bytes of ciphertext to be decrypted. + */ +static void spook_128_384_decrypt + (shadow384_state_t *state, unsigned char *m, + const unsigned char *c, unsigned long long clen) +{ + state->B[SHADOW384_RATE] ^= 0x01; + while (clen >= SHADOW384_RATE) { + lw_xor_block_swap(m, state->B, c, SHADOW384_RATE); + shadow384(state); + c += SHADOW384_RATE; + m += SHADOW384_RATE; + clen -= SHADOW384_RATE; + } + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block_swap(m, state->B, c, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +int spook_128_512_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_512_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_512_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_512_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_384_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_384_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_384_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_384_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_512_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_512_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_512_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_512_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_384_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_384_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_384_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_384_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.h new file mode 100644 index 0000000..68b6a25 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/spook.h @@ -0,0 +1,344 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPOOK_H +#define LWCRYPTO_SPOOK_H + +#include "aead-common.h" + +/** + * \file spook.h + * \brief Spook authenticated encryption algorithm. + * + * Spook is a family of authenticated encryption algorithms that are + * built around a tweakable block cipher and a permutation. If the + * tweakable block cipher is implemented as a masked block cipher, + * then Spook provides protection against power analysis side channels. + * + * There are four members in the Spook family: + * + * \li Spook-128-512-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * Internally the algorithm uses a 512-bit permutation. This is the primary + * member of the family. + * \li Spook-128-384-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * Internally the algorithm uses a 384-bit permutation. + * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit + * nonce, and a 128-bit tag. Internally the algorithm uses a 512-bit + * permutation. + * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit + * nonce, and a 128-bit tag. Internally the algorithm uses a 384-bit + * permutation. + * + * In this library, the "mu" (multi-user) variants combine the 128-bit key + * and the 128-bit public tweak into a single 256-bit key value. + * Applications can either view this as a cipher with a 256-bit key, + * or they can split the key value into secret and public halves. + * Even with the use of 256-bit keys, Spook only has 128-bit security. + * + * References: https://www.spook.dev/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for the single-user version of Spook. + */ +#define SPOOK_SU_KEY_SIZE 16 + +/** + * \brief Size of the key for the multi-user version of Spook. + */ +#define SPOOK_MU_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for all Spook family members. + */ +#define SPOOK_TAG_SIZE 16 + +/** + * \brief Size of the nonce for all Spook family members. + */ +#define SPOOK_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the Spook-128-512-su cipher. + */ +extern aead_cipher_t const spook_128_512_su_cipher; + +/** + * \brief Meta-information block for the Spook-128-384-su cipher. + */ +extern aead_cipher_t const spook_128_384_su_cipher; + +/** + * \brief Meta-information block for the Spook-128-512-mu cipher. + */ +extern aead_cipher_t const spook_128_512_mu_cipher; + +/** + * \brief Meta-information block for the Spook-128-384-mu cipher. + */ +extern aead_cipher_t const spook_128_384_mu_cipher; + +/** + * \brief Encrypts and authenticates a packet with Spook-128-512-su. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_512_su_aead_decrypt() + */ +int spook_128_512_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-512-su. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_512_su_aead_encrypt() + */ +int spook_128_512_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-384-su. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_384_su_aead_decrypt() + */ +int spook_128_384_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-384-su. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_384_su_aead_encrypt() + */ +int spook_128_384_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-512-mu. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_512_mu_aead_decrypt() + */ +int spook_128_512_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-512-mu. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_512_mu_aead_encrypt() + */ +int spook_128_512_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-384-mu. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_384_mu_aead_decrypt() + */ +int spook_128_384_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-384-mu. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_384_mu_aead_encrypt() + */ +int spook_128_384_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.c b/spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/api.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/encrypt.c b/spook/Implementations/crypto_aead/spook128su384v1/rhys/encrypt.c new file mode 100644 index 0000000..e61a44a --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "spook.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return spook_128_384_su_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return spook_128_384_su_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.c b/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.c new file mode 100644 index 0000000..0e19216 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.c @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-spook.h" + +/** + * \brief Number of steps in the Clyde-128 block cipher. + * + * This is also the number of steps in the Shadow-512 and Shadow-384 + * permutations. + */ +#define CLYDE128_STEPS 6 + +/** + * \brief Round constants for the steps of Clyde-128. + */ +static uint8_t const rc[CLYDE128_STEPS][8] = { + {1, 0, 0, 0, 0, 1, 0, 0}, + {0, 0, 1, 0, 0, 0, 0, 1}, + {1, 1, 0, 0, 0, 1, 1, 0}, + {0, 0, 1, 1, 1, 1, 0, 1}, + {1, 0, 1, 0, 0, 1, 0, 1}, + {1, 1, 1, 0, 0, 1, 1, 1} +}; + +void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const uint32_t input[CLYDE128_BLOCK_SIZE / 4]) +{ + uint32_t k0, k1, k2, k3; + uint32_t t0, t1, t2, t3; + uint32_t s0, s1, s2, s3; + uint32_t c, d; + int step; + + /* Unpack the key, tweak, and state */ + k0 = le_load_word32(key); + k1 = le_load_word32(key + 4); + k2 = le_load_word32(key + 8); + k3 = le_load_word32(key + 12); +#if defined(LW_UTIL_LITTLE_ENDIAN) + t0 = tweak[0]; + t1 = tweak[1]; + t2 = tweak[2]; + t3 = tweak[3]; + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; +#else + t0 = le_load_word32((const unsigned char *)&(tweak[0])); + t1 = le_load_word32((const unsigned char *)&(tweak[1])); + t2 = le_load_word32((const unsigned char *)&(tweak[2])); + t3 = le_load_word32((const unsigned char *)&(tweak[3])); + s0 = le_load_word32((const unsigned char *)&(input[0])); + s1 = le_load_word32((const unsigned char *)&(input[1])); + s2 = le_load_word32((const unsigned char *)&(input[2])); + s3 = le_load_word32((const unsigned char *)&(input[3])); +#endif + + /* Add the initial tweakey to the state */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Perform the two rounds of this step */ + #define clyde128_sbox(s0, s1, s2, s3) \ + do { \ + c = (s0 & s1) ^ s2; \ + d = (s3 & s0) ^ s1; \ + s2 = (c & d) ^ s3; \ + s3 = (c & s3) ^ s0; \ + s0 = d; \ + s1 = c; \ + } while (0) + #define clyde128_lbox(x, y) \ + do { \ + c = x ^ rightRotate12(x); \ + d = y ^ rightRotate12(y); \ + c ^= rightRotate3(c); \ + d ^= rightRotate3(d); \ + x = c ^ leftRotate15(x); \ + y = d ^ leftRotate15(y); \ + c = x ^ leftRotate1(x); \ + d = y ^ leftRotate1(y); \ + x ^= leftRotate6(d); \ + y ^= leftRotate7(c); \ + x ^= rightRotate15(c); \ + y ^= rightRotate15(d); \ + } while (0) + clyde128_sbox(s0, s1, s2, s3); + clyde128_lbox(s0, s1); + clyde128_lbox(s2, s3); + s0 ^= rc[step][0]; + s1 ^= rc[step][1]; + s2 ^= rc[step][2]; + s3 ^= rc[step][3]; + clyde128_sbox(s0, s1, s2, s3); + clyde128_lbox(s0, s1); + clyde128_lbox(s2, s3); + s0 ^= rc[step][4]; + s1 ^= rc[step][5]; + s2 ^= rc[step][6]; + s3 ^= rc[step][7]; + + /* Update the tweakey on the fly and add it to the state */ + c = t2 ^ t0; + d = t3 ^ t1; + t2 = t0; + t3 = t1; + t0 = c; + t1 = d; + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + } + + /* Pack the state into the output buffer */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +#else + le_store_word32((unsigned char *)&(output[0]), s0); + le_store_word32((unsigned char *)&(output[1]), s1); + le_store_word32((unsigned char *)&(output[2]), s2); + le_store_word32((unsigned char *)&(output[3]), s3); +#endif +} + +void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const unsigned char input[CLYDE128_BLOCK_SIZE]) +{ + uint32_t k0, k1, k2, k3; + uint32_t t0, t1, t2, t3; + uint32_t s0, s1, s2, s3; + uint32_t a, b, d; + int step; + + /* Unpack the key, tweak, and state */ + k0 = le_load_word32(key); + k1 = le_load_word32(key + 4); + k2 = le_load_word32(key + 8); + k3 = le_load_word32(key + 12); +#if defined(LW_UTIL_LITTLE_ENDIAN) + t0 = tweak[0]; + t1 = tweak[1]; + t2 = tweak[2]; + t3 = tweak[3]; +#else + t0 = le_load_word32((const unsigned char *)&(tweak[0])); + t1 = le_load_word32((const unsigned char *)&(tweak[1])); + t2 = le_load_word32((const unsigned char *)&(tweak[2])); + t3 = le_load_word32((const unsigned char *)&(tweak[3])); +#endif + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all rounds in pairs */ + for (step = CLYDE128_STEPS - 1; step >= 0; --step) { + /* Add the tweakey to the state and update the tweakey */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + a = t2 ^ t0; + b = t3 ^ t1; + t0 = t2; + t1 = t3; + t2 = a; + t3 = b; + + /* Perform the two rounds of this step */ + #define clyde128_inv_sbox(s0, s1, s2, s3) \ + do { \ + d = (s0 & s1) ^ s2; \ + a = (s1 & d) ^ s3; \ + b = (d & a) ^ s0; \ + s2 = (a & b) ^ s1; \ + s0 = a; \ + s1 = b; \ + s3 = d; \ + } while (0) + #define clyde128_inv_lbox(x, y) \ + do { \ + a = x ^ leftRotate7(x); \ + b = y ^ leftRotate7(y); \ + x ^= leftRotate1(a); \ + y ^= leftRotate1(b); \ + x ^= leftRotate12(a); \ + y ^= leftRotate12(b); \ + a = x ^ leftRotate1(x); \ + b = y ^ leftRotate1(y); \ + x ^= leftRotate6(b); \ + y ^= leftRotate7(a); \ + a ^= leftRotate15(x); \ + b ^= leftRotate15(y); \ + x = rightRotate16(a); \ + y = rightRotate16(b); \ + } while (0) + s0 ^= rc[step][4]; + s1 ^= rc[step][5]; + s2 ^= rc[step][6]; + s3 ^= rc[step][7]; + clyde128_inv_lbox(s0, s1); + clyde128_inv_lbox(s2, s3); + clyde128_inv_sbox(s0, s1, s2, s3); + s0 ^= rc[step][0]; + s1 ^= rc[step][1]; + s2 ^= rc[step][2]; + s3 ^= rc[step][3]; + clyde128_inv_lbox(s0, s1); + clyde128_inv_lbox(s2, s3); + clyde128_inv_sbox(s0, s1, s2, s3); + } + + /* Add the tweakey to the state one last time */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + + /* Pack the state into the output buffer */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +#else + le_store_word32((unsigned char *)&(output[0]), s0); + le_store_word32((unsigned char *)&(output[1]), s1); + le_store_word32((unsigned char *)&(output[2]), s2); + le_store_word32((unsigned char *)&(output[3]), s3); +#endif +} + +void shadow512(shadow512_state_t *state) +{ + uint32_t s00, s01, s02, s03; + uint32_t s10, s11, s12, s13; + uint32_t s20, s21, s22, s23; + uint32_t s30, s31, s32, s33; + uint32_t c, d, w, x, y, z; + int step; + + /* Unpack the state into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s00 = state->W[0]; + s01 = state->W[1]; + s02 = state->W[2]; + s03 = state->W[3]; + s10 = state->W[4]; + s11 = state->W[5]; + s12 = state->W[6]; + s13 = state->W[7]; + s20 = state->W[8]; + s21 = state->W[9]; + s22 = state->W[10]; + s23 = state->W[11]; + s30 = state->W[12]; + s31 = state->W[13]; + s32 = state->W[14]; + s33 = state->W[15]; +#else + s00 = le_load_word32(state->B); + s01 = le_load_word32(state->B + 4); + s02 = le_load_word32(state->B + 8); + s03 = le_load_word32(state->B + 12); + s10 = le_load_word32(state->B + 16); + s11 = le_load_word32(state->B + 20); + s12 = le_load_word32(state->B + 24); + s13 = le_load_word32(state->B + 28); + s20 = le_load_word32(state->B + 32); + s21 = le_load_word32(state->B + 36); + s22 = le_load_word32(state->B + 40); + s23 = le_load_word32(state->B + 44); + s30 = le_load_word32(state->B + 48); + s31 = le_load_word32(state->B + 52); + s32 = le_load_word32(state->B + 56); + s33 = le_load_word32(state->B + 60); +#endif + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Apply the S-box and L-box to bundle 0 */ + clyde128_sbox(s00, s01, s02, s03); + clyde128_lbox(s00, s01); + clyde128_lbox(s02, s03); + s00 ^= rc[step][0]; + s01 ^= rc[step][1]; + s02 ^= rc[step][2]; + s03 ^= rc[step][3]; + clyde128_sbox(s00, s01, s02, s03); + + /* Apply the S-box and L-box to bundle 1 */ + clyde128_sbox(s10, s11, s12, s13); + clyde128_lbox(s10, s11); + clyde128_lbox(s12, s13); + s10 ^= rc[step][0] << 1; + s11 ^= rc[step][1] << 1; + s12 ^= rc[step][2] << 1; + s13 ^= rc[step][3] << 1; + clyde128_sbox(s10, s11, s12, s13); + + /* Apply the S-box and L-box to bundle 2 */ + clyde128_sbox(s20, s21, s22, s23); + clyde128_lbox(s20, s21); + clyde128_lbox(s22, s23); + s20 ^= rc[step][0] << 2; + s21 ^= rc[step][1] << 2; + s22 ^= rc[step][2] << 2; + s23 ^= rc[step][3] << 2; + clyde128_sbox(s20, s21, s22, s23); + + /* Apply the S-box and L-box to bundle 3 */ + clyde128_sbox(s30, s31, s32, s33); + clyde128_lbox(s30, s31); + clyde128_lbox(s32, s33); + s30 ^= rc[step][0] << 3; + s31 ^= rc[step][1] << 3; + s32 ^= rc[step][2] << 3; + s33 ^= rc[step][3] << 3; + clyde128_sbox(s30, s31, s32, s33); + + /* Apply the diffusion layer to the rows of the state */ + #define shadow512_diffusion_layer(row) \ + do { \ + w = s0##row; \ + x = s1##row; \ + y = s2##row; \ + z = s3##row; \ + c = w ^ x; \ + d = y ^ z; \ + s0##row = x ^ d; \ + s1##row = w ^ d; \ + s2##row = c ^ z; \ + s3##row = c ^ y; \ + } while (0) + shadow512_diffusion_layer(0); + shadow512_diffusion_layer(1); + shadow512_diffusion_layer(2); + shadow512_diffusion_layer(3); + + /* Add round constants to all bundles again */ + s00 ^= rc[step][4]; + s01 ^= rc[step][5]; + s02 ^= rc[step][6]; + s03 ^= rc[step][7]; + s10 ^= rc[step][4] << 1; + s11 ^= rc[step][5] << 1; + s12 ^= rc[step][6] << 1; + s13 ^= rc[step][7] << 1; + s20 ^= rc[step][4] << 2; + s21 ^= rc[step][5] << 2; + s22 ^= rc[step][6] << 2; + s23 ^= rc[step][7] << 2; + s30 ^= rc[step][4] << 3; + s31 ^= rc[step][5] << 3; + s32 ^= rc[step][6] << 3; + s33 ^= rc[step][7] << 3; + } + + /* Pack the local variables back into the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = s00; + state->W[1] = s01; + state->W[2] = s02; + state->W[3] = s03; + state->W[4] = s10; + state->W[5] = s11; + state->W[6] = s12; + state->W[7] = s13; + state->W[8] = s20; + state->W[9] = s21; + state->W[10] = s22; + state->W[11] = s23; + state->W[12] = s30; + state->W[13] = s31; + state->W[14] = s32; + state->W[15] = s33; +#else + le_store_word32(state->B, s00); + le_store_word32(state->B + 4, s01); + le_store_word32(state->B + 8, s02); + le_store_word32(state->B + 12, s03); + le_store_word32(state->B + 16, s10); + le_store_word32(state->B + 20, s11); + le_store_word32(state->B + 24, s12); + le_store_word32(state->B + 28, s13); + le_store_word32(state->B + 32, s20); + le_store_word32(state->B + 36, s21); + le_store_word32(state->B + 40, s22); + le_store_word32(state->B + 44, s23); + le_store_word32(state->B + 48, s30); + le_store_word32(state->B + 52, s31); + le_store_word32(state->B + 56, s32); + le_store_word32(state->B + 60, s33); +#endif +} + +void shadow384(shadow384_state_t *state) +{ + uint32_t s00, s01, s02, s03; + uint32_t s10, s11, s12, s13; + uint32_t s20, s21, s22, s23; + uint32_t c, d, x, y, z; + int step; + + /* Unpack the state into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s00 = state->W[0]; + s01 = state->W[1]; + s02 = state->W[2]; + s03 = state->W[3]; + s10 = state->W[4]; + s11 = state->W[5]; + s12 = state->W[6]; + s13 = state->W[7]; + s20 = state->W[8]; + s21 = state->W[9]; + s22 = state->W[10]; + s23 = state->W[11]; +#else + s00 = le_load_word32(state->B); + s01 = le_load_word32(state->B + 4); + s02 = le_load_word32(state->B + 8); + s03 = le_load_word32(state->B + 12); + s10 = le_load_word32(state->B + 16); + s11 = le_load_word32(state->B + 20); + s12 = le_load_word32(state->B + 24); + s13 = le_load_word32(state->B + 28); + s20 = le_load_word32(state->B + 32); + s21 = le_load_word32(state->B + 36); + s22 = le_load_word32(state->B + 40); + s23 = le_load_word32(state->B + 44); +#endif + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Apply the S-box and L-box to bundle 0 */ + clyde128_sbox(s00, s01, s02, s03); + clyde128_lbox(s00, s01); + clyde128_lbox(s02, s03); + s00 ^= rc[step][0]; + s01 ^= rc[step][1]; + s02 ^= rc[step][2]; + s03 ^= rc[step][3]; + clyde128_sbox(s00, s01, s02, s03); + + /* Apply the S-box and L-box to bundle 1 */ + clyde128_sbox(s10, s11, s12, s13); + clyde128_lbox(s10, s11); + clyde128_lbox(s12, s13); + s10 ^= rc[step][0] << 1; + s11 ^= rc[step][1] << 1; + s12 ^= rc[step][2] << 1; + s13 ^= rc[step][3] << 1; + clyde128_sbox(s10, s11, s12, s13); + + /* Apply the S-box and L-box to bundle 2 */ + clyde128_sbox(s20, s21, s22, s23); + clyde128_lbox(s20, s21); + clyde128_lbox(s22, s23); + s20 ^= rc[step][0] << 2; + s21 ^= rc[step][1] << 2; + s22 ^= rc[step][2] << 2; + s23 ^= rc[step][3] << 2; + clyde128_sbox(s20, s21, s22, s23); + + /* Apply the diffusion layer to the rows of the state */ + #define shadow384_diffusion_layer(row) \ + do { \ + x = s0##row; \ + y = s1##row; \ + z = s2##row; \ + s0##row = x ^ y ^ z; \ + s1##row = x ^ z; \ + s2##row = x ^ y; \ + } while (0) + shadow384_diffusion_layer(0); + shadow384_diffusion_layer(1); + shadow384_diffusion_layer(2); + shadow384_diffusion_layer(3); + + /* Add round constants to all bundles again */ + s00 ^= rc[step][4]; + s01 ^= rc[step][5]; + s02 ^= rc[step][6]; + s03 ^= rc[step][7]; + s10 ^= rc[step][4] << 1; + s11 ^= rc[step][5] << 1; + s12 ^= rc[step][6] << 1; + s13 ^= rc[step][7] << 1; + s20 ^= rc[step][4] << 2; + s21 ^= rc[step][5] << 2; + s22 ^= rc[step][6] << 2; + s23 ^= rc[step][7] << 2; + } + + /* Pack the local variables back into the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = s00; + state->W[1] = s01; + state->W[2] = s02; + state->W[3] = s03; + state->W[4] = s10; + state->W[5] = s11; + state->W[6] = s12; + state->W[7] = s13; + state->W[8] = s20; + state->W[9] = s21; + state->W[10] = s22; + state->W[11] = s23; +#else + le_store_word32(state->B, s00); + le_store_word32(state->B + 4, s01); + le_store_word32(state->B + 8, s02); + le_store_word32(state->B + 12, s03); + le_store_word32(state->B + 16, s10); + le_store_word32(state->B + 20, s11); + le_store_word32(state->B + 24, s12); + le_store_word32(state->B + 28, s13); + le_store_word32(state->B + 32, s20); + le_store_word32(state->B + 36, s21); + le_store_word32(state->B + 40, s22); + le_store_word32(state->B + 44, s23); +#endif +} diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.h new file mode 100644 index 0000000..b08ce80 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-spook.h @@ -0,0 +1,146 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPOOK_H +#define LW_INTERNAL_SPOOK_H + +#include "internal-util.h" + +/** + * \file internal-spook.h + * \brief Internal implementation details of the Spook AEAD mode. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the block for the Clyde-128 block cipher. + */ +#define CLYDE128_BLOCK_SIZE 16 + +/** + * \brief Size of the key for the Clyde-128 block cipher. + */ +#define CLYDE128_KEY_SIZE 16 + +/** + * \brief Size of the tweak for the Clyde-128 block cipher. + */ +#define CLYDE128_TWEAK_SIZE 16 + +/** + * \brief Size of the state for Shadow-512. + */ +#define SHADOW512_STATE_SIZE 64 + +/** + * \brief Rate to absorb data into or squeeze data out of a Shadow-512 state. + */ +#define SHADOW512_RATE 32 + +/** + * \brief Size of the state for Shadow-384. + */ +#define SHADOW384_STATE_SIZE 48 + +/** + * \brief Rate to absorb data into or squeeze data out of a Shadow-384 state. + */ +#define SHADOW384_RATE 16 + +/** + * \brief Internal state of the Shadow-512 permutation. + */ +typedef union +{ + uint32_t W[SHADOW512_STATE_SIZE / 4]; /**< Words of the state */ + uint8_t B[SHADOW512_STATE_SIZE]; /**< Bytes of the state */ + +} shadow512_state_t; + +/** + * \brief Internal state of the Shadow-384 permutation. + */ +typedef union +{ + uint32_t W[SHADOW384_STATE_SIZE / 4]; /**< Words of the state */ + uint8_t B[SHADOW384_STATE_SIZE]; /**< Bytes of the state */ + +} shadow384_state_t; + +/** + * \brief Encrypts a block with the Clyde-128 block cipher. + * + * \param key Points to the key to encrypt with. + * \param tweak Points to the tweak to encrypt with. + * \param output Output buffer for the ciphertext. + * \param input Input buffer for the plaintext. + * + * \sa clyde128_decrypt() + */ +void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const uint32_t input[CLYDE128_BLOCK_SIZE / 4]); + +/** + * \brief Decrypts a block with the Clyde-128 block cipher. + * + * \param key Points to the key to decrypt with. + * \param tweak Points to the tweak to decrypt with. + * \param output Output buffer for the plaintext. + * \param input Input buffer for the ciphertext. + * + * \sa clyde128_encrypt() + */ +void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const unsigned char input[CLYDE128_BLOCK_SIZE]); + +/** + * \brief Performs the Shadow-512 permutation on a state. + * + * \param state The Shadow-512 state which will be in little-endian + * byte order on input and output. + * + * \sa shadow384() + */ +void shadow512(shadow512_state_t *state); + +/** + * \brief Performs the Shadow-384 permutation on a state. + * + * \param state The Shadow-384 state which will be in little-endian + * byte order on input and output. + * + * \sa shadow512() + */ +void shadow384(shadow384_state_t *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-util.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.c b/spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.c new file mode 100644 index 0000000..d075b33 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.c @@ -0,0 +1,552 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "spook.h" +#include "internal-spook.h" +#include "internal-util.h" +#include + +aead_cipher_t const spook_128_512_su_cipher = { + "Spook-128-512-su", + SPOOK_SU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_512_su_aead_encrypt, + spook_128_512_su_aead_decrypt +}; + +aead_cipher_t const spook_128_384_su_cipher = { + "Spook-128-384-su", + SPOOK_SU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_384_su_aead_encrypt, + spook_128_384_su_aead_decrypt +}; + +aead_cipher_t const spook_128_512_mu_cipher = { + "Spook-128-512-mu", + SPOOK_MU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_512_mu_aead_encrypt, + spook_128_512_mu_aead_decrypt +}; + +aead_cipher_t const spook_128_384_mu_cipher = { + "Spook-128-384-mu", + SPOOK_MU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_384_mu_aead_encrypt, + spook_128_384_mu_aead_decrypt +}; + +/** + * \brief Initializes the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param k Points to the key. + * \param klen Length of the key in bytes, either 16 or 32. + * \param npub Public nonce for the state. + */ +static void spook_128_512_init + (shadow512_state_t *state, + const unsigned char *k, unsigned klen, + const unsigned char *npub) +{ + memset(state->B, 0, SHADOW512_STATE_SIZE); + if (klen == SPOOK_MU_KEY_SIZE) { + /* The public tweak is 126 bits in size followed by a 1 bit */ + memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE); + state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F; + state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40; + } + memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE); + clyde128_encrypt(k, state->W, state->W + 12, state->W + 4); + shadow512(state); +} + +/** + * \brief Initializes the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param k Points to the key. + * \param klen Length of the key in bytes, either 16 or 32. + * \param npub Public nonce for the state. + */ +static void spook_128_384_init + (shadow384_state_t *state, + const unsigned char *k, unsigned klen, + const unsigned char *npub) +{ + memset(state->B, 0, SHADOW384_STATE_SIZE); + if (klen == SPOOK_MU_KEY_SIZE) { + /* The public tweak is 126 bits in size followed by a 1 bit */ + memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE); + state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F; + state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40; + } + memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE); + clyde128_encrypt(k, state->W, state->W + 8, state->W + 4); + shadow384(state); +} + +/** + * \brief Absorbs associated data into the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void spook_128_512_absorb + (shadow512_state_t *state, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= SHADOW512_RATE) { + lw_xor_block(state->B, ad, SHADOW512_RATE); + shadow512(state); + ad += SHADOW512_RATE; + adlen -= SHADOW512_RATE; + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Absorbs associated data into the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void spook_128_384_absorb + (shadow384_state_t *state, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= SHADOW384_RATE) { + lw_xor_block(state->B, ad, SHADOW384_RATE); + shadow384(state); + ad += SHADOW384_RATE; + adlen -= SHADOW384_RATE; + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +/** + * \brief Encrypts the plaintext with the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void spook_128_512_encrypt + (shadow512_state_t *state, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + state->B[SHADOW512_RATE] ^= 0x01; + while (mlen >= SHADOW512_RATE) { + lw_xor_block_2_dest(c, state->B, m, SHADOW512_RATE); + shadow512(state); + c += SHADOW512_RATE; + m += SHADOW512_RATE; + mlen -= SHADOW512_RATE; + } + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state->B, m, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Encrypts the plaintext with the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void spook_128_384_encrypt + (shadow384_state_t *state, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + state->B[SHADOW384_RATE] ^= 0x01; + while (mlen >= SHADOW384_RATE) { + lw_xor_block_2_dest(c, state->B, m, SHADOW384_RATE); + shadow384(state); + c += SHADOW384_RATE; + m += SHADOW384_RATE; + mlen -= SHADOW384_RATE; + } + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state->B, m, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +/** + * \brief Decrypts the ciphertext with the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param clen Number of bytes of ciphertext to be decrypted. + */ +static void spook_128_512_decrypt + (shadow512_state_t *state, unsigned char *m, + const unsigned char *c, unsigned long long clen) +{ + state->B[SHADOW512_RATE] ^= 0x01; + while (clen >= SHADOW512_RATE) { + lw_xor_block_swap(m, state->B, c, SHADOW512_RATE); + shadow512(state); + c += SHADOW512_RATE; + m += SHADOW512_RATE; + clen -= SHADOW512_RATE; + } + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block_swap(m, state->B, c, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Decrypts the ciphertext with the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param clen Number of bytes of ciphertext to be decrypted. + */ +static void spook_128_384_decrypt + (shadow384_state_t *state, unsigned char *m, + const unsigned char *c, unsigned long long clen) +{ + state->B[SHADOW384_RATE] ^= 0x01; + while (clen >= SHADOW384_RATE) { + lw_xor_block_swap(m, state->B, c, SHADOW384_RATE); + shadow384(state); + c += SHADOW384_RATE; + m += SHADOW384_RATE; + clen -= SHADOW384_RATE; + } + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block_swap(m, state->B, c, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +int spook_128_512_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_512_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_512_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_512_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_384_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_384_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_384_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_384_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_512_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_512_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_512_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_512_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_384_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_384_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_384_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_384_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.h new file mode 100644 index 0000000..68b6a25 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/spook.h @@ -0,0 +1,344 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPOOK_H +#define LWCRYPTO_SPOOK_H + +#include "aead-common.h" + +/** + * \file spook.h + * \brief Spook authenticated encryption algorithm. + * + * Spook is a family of authenticated encryption algorithms that are + * built around a tweakable block cipher and a permutation. If the + * tweakable block cipher is implemented as a masked block cipher, + * then Spook provides protection against power analysis side channels. + * + * There are four members in the Spook family: + * + * \li Spook-128-512-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * Internally the algorithm uses a 512-bit permutation. This is the primary + * member of the family. + * \li Spook-128-384-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * Internally the algorithm uses a 384-bit permutation. + * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit + * nonce, and a 128-bit tag. Internally the algorithm uses a 512-bit + * permutation. + * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit + * nonce, and a 128-bit tag. Internally the algorithm uses a 384-bit + * permutation. + * + * In this library, the "mu" (multi-user) variants combine the 128-bit key + * and the 128-bit public tweak into a single 256-bit key value. + * Applications can either view this as a cipher with a 256-bit key, + * or they can split the key value into secret and public halves. + * Even with the use of 256-bit keys, Spook only has 128-bit security. + * + * References: https://www.spook.dev/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for the single-user version of Spook. + */ +#define SPOOK_SU_KEY_SIZE 16 + +/** + * \brief Size of the key for the multi-user version of Spook. + */ +#define SPOOK_MU_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for all Spook family members. + */ +#define SPOOK_TAG_SIZE 16 + +/** + * \brief Size of the nonce for all Spook family members. + */ +#define SPOOK_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the Spook-128-512-su cipher. + */ +extern aead_cipher_t const spook_128_512_su_cipher; + +/** + * \brief Meta-information block for the Spook-128-384-su cipher. + */ +extern aead_cipher_t const spook_128_384_su_cipher; + +/** + * \brief Meta-information block for the Spook-128-512-mu cipher. + */ +extern aead_cipher_t const spook_128_512_mu_cipher; + +/** + * \brief Meta-information block for the Spook-128-384-mu cipher. + */ +extern aead_cipher_t const spook_128_384_mu_cipher; + +/** + * \brief Encrypts and authenticates a packet with Spook-128-512-su. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_512_su_aead_decrypt() + */ +int spook_128_512_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-512-su. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_512_su_aead_encrypt() + */ +int spook_128_512_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-384-su. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_384_su_aead_decrypt() + */ +int spook_128_384_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-384-su. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_384_su_aead_encrypt() + */ +int spook_128_384_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-512-mu. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_512_mu_aead_decrypt() + */ +int spook_128_512_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-512-mu. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_512_mu_aead_encrypt() + */ +int spook_128_512_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-384-mu. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_384_mu_aead_decrypt() + */ +int spook_128_384_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-384-mu. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_384_mu_aead_encrypt() + */ +int spook_128_384_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.c b/spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/api.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/encrypt.c b/spook/Implementations/crypto_aead/spook128su512v1/rhys/encrypt.c new file mode 100644 index 0000000..0d3db2e --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "spook.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return spook_128_512_su_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return spook_128_512_su_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.c b/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.c new file mode 100644 index 0000000..0e19216 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.c @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-spook.h" + +/** + * \brief Number of steps in the Clyde-128 block cipher. + * + * This is also the number of steps in the Shadow-512 and Shadow-384 + * permutations. + */ +#define CLYDE128_STEPS 6 + +/** + * \brief Round constants for the steps of Clyde-128. + */ +static uint8_t const rc[CLYDE128_STEPS][8] = { + {1, 0, 0, 0, 0, 1, 0, 0}, + {0, 0, 1, 0, 0, 0, 0, 1}, + {1, 1, 0, 0, 0, 1, 1, 0}, + {0, 0, 1, 1, 1, 1, 0, 1}, + {1, 0, 1, 0, 0, 1, 0, 1}, + {1, 1, 1, 0, 0, 1, 1, 1} +}; + +void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const uint32_t input[CLYDE128_BLOCK_SIZE / 4]) +{ + uint32_t k0, k1, k2, k3; + uint32_t t0, t1, t2, t3; + uint32_t s0, s1, s2, s3; + uint32_t c, d; + int step; + + /* Unpack the key, tweak, and state */ + k0 = le_load_word32(key); + k1 = le_load_word32(key + 4); + k2 = le_load_word32(key + 8); + k3 = le_load_word32(key + 12); +#if defined(LW_UTIL_LITTLE_ENDIAN) + t0 = tweak[0]; + t1 = tweak[1]; + t2 = tweak[2]; + t3 = tweak[3]; + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; +#else + t0 = le_load_word32((const unsigned char *)&(tweak[0])); + t1 = le_load_word32((const unsigned char *)&(tweak[1])); + t2 = le_load_word32((const unsigned char *)&(tweak[2])); + t3 = le_load_word32((const unsigned char *)&(tweak[3])); + s0 = le_load_word32((const unsigned char *)&(input[0])); + s1 = le_load_word32((const unsigned char *)&(input[1])); + s2 = le_load_word32((const unsigned char *)&(input[2])); + s3 = le_load_word32((const unsigned char *)&(input[3])); +#endif + + /* Add the initial tweakey to the state */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Perform the two rounds of this step */ + #define clyde128_sbox(s0, s1, s2, s3) \ + do { \ + c = (s0 & s1) ^ s2; \ + d = (s3 & s0) ^ s1; \ + s2 = (c & d) ^ s3; \ + s3 = (c & s3) ^ s0; \ + s0 = d; \ + s1 = c; \ + } while (0) + #define clyde128_lbox(x, y) \ + do { \ + c = x ^ rightRotate12(x); \ + d = y ^ rightRotate12(y); \ + c ^= rightRotate3(c); \ + d ^= rightRotate3(d); \ + x = c ^ leftRotate15(x); \ + y = d ^ leftRotate15(y); \ + c = x ^ leftRotate1(x); \ + d = y ^ leftRotate1(y); \ + x ^= leftRotate6(d); \ + y ^= leftRotate7(c); \ + x ^= rightRotate15(c); \ + y ^= rightRotate15(d); \ + } while (0) + clyde128_sbox(s0, s1, s2, s3); + clyde128_lbox(s0, s1); + clyde128_lbox(s2, s3); + s0 ^= rc[step][0]; + s1 ^= rc[step][1]; + s2 ^= rc[step][2]; + s3 ^= rc[step][3]; + clyde128_sbox(s0, s1, s2, s3); + clyde128_lbox(s0, s1); + clyde128_lbox(s2, s3); + s0 ^= rc[step][4]; + s1 ^= rc[step][5]; + s2 ^= rc[step][6]; + s3 ^= rc[step][7]; + + /* Update the tweakey on the fly and add it to the state */ + c = t2 ^ t0; + d = t3 ^ t1; + t2 = t0; + t3 = t1; + t0 = c; + t1 = d; + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + } + + /* Pack the state into the output buffer */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +#else + le_store_word32((unsigned char *)&(output[0]), s0); + le_store_word32((unsigned char *)&(output[1]), s1); + le_store_word32((unsigned char *)&(output[2]), s2); + le_store_word32((unsigned char *)&(output[3]), s3); +#endif +} + +void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const unsigned char input[CLYDE128_BLOCK_SIZE]) +{ + uint32_t k0, k1, k2, k3; + uint32_t t0, t1, t2, t3; + uint32_t s0, s1, s2, s3; + uint32_t a, b, d; + int step; + + /* Unpack the key, tweak, and state */ + k0 = le_load_word32(key); + k1 = le_load_word32(key + 4); + k2 = le_load_word32(key + 8); + k3 = le_load_word32(key + 12); +#if defined(LW_UTIL_LITTLE_ENDIAN) + t0 = tweak[0]; + t1 = tweak[1]; + t2 = tweak[2]; + t3 = tweak[3]; +#else + t0 = le_load_word32((const unsigned char *)&(tweak[0])); + t1 = le_load_word32((const unsigned char *)&(tweak[1])); + t2 = le_load_word32((const unsigned char *)&(tweak[2])); + t3 = le_load_word32((const unsigned char *)&(tweak[3])); +#endif + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Perform all rounds in pairs */ + for (step = CLYDE128_STEPS - 1; step >= 0; --step) { + /* Add the tweakey to the state and update the tweakey */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + a = t2 ^ t0; + b = t3 ^ t1; + t0 = t2; + t1 = t3; + t2 = a; + t3 = b; + + /* Perform the two rounds of this step */ + #define clyde128_inv_sbox(s0, s1, s2, s3) \ + do { \ + d = (s0 & s1) ^ s2; \ + a = (s1 & d) ^ s3; \ + b = (d & a) ^ s0; \ + s2 = (a & b) ^ s1; \ + s0 = a; \ + s1 = b; \ + s3 = d; \ + } while (0) + #define clyde128_inv_lbox(x, y) \ + do { \ + a = x ^ leftRotate7(x); \ + b = y ^ leftRotate7(y); \ + x ^= leftRotate1(a); \ + y ^= leftRotate1(b); \ + x ^= leftRotate12(a); \ + y ^= leftRotate12(b); \ + a = x ^ leftRotate1(x); \ + b = y ^ leftRotate1(y); \ + x ^= leftRotate6(b); \ + y ^= leftRotate7(a); \ + a ^= leftRotate15(x); \ + b ^= leftRotate15(y); \ + x = rightRotate16(a); \ + y = rightRotate16(b); \ + } while (0) + s0 ^= rc[step][4]; + s1 ^= rc[step][5]; + s2 ^= rc[step][6]; + s3 ^= rc[step][7]; + clyde128_inv_lbox(s0, s1); + clyde128_inv_lbox(s2, s3); + clyde128_inv_sbox(s0, s1, s2, s3); + s0 ^= rc[step][0]; + s1 ^= rc[step][1]; + s2 ^= rc[step][2]; + s3 ^= rc[step][3]; + clyde128_inv_lbox(s0, s1); + clyde128_inv_lbox(s2, s3); + clyde128_inv_sbox(s0, s1, s2, s3); + } + + /* Add the tweakey to the state one last time */ + s0 ^= k0 ^ t0; + s1 ^= k1 ^ t1; + s2 ^= k2 ^ t2; + s3 ^= k3 ^ t3; + + /* Pack the state into the output buffer */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +#else + le_store_word32((unsigned char *)&(output[0]), s0); + le_store_word32((unsigned char *)&(output[1]), s1); + le_store_word32((unsigned char *)&(output[2]), s2); + le_store_word32((unsigned char *)&(output[3]), s3); +#endif +} + +void shadow512(shadow512_state_t *state) +{ + uint32_t s00, s01, s02, s03; + uint32_t s10, s11, s12, s13; + uint32_t s20, s21, s22, s23; + uint32_t s30, s31, s32, s33; + uint32_t c, d, w, x, y, z; + int step; + + /* Unpack the state into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s00 = state->W[0]; + s01 = state->W[1]; + s02 = state->W[2]; + s03 = state->W[3]; + s10 = state->W[4]; + s11 = state->W[5]; + s12 = state->W[6]; + s13 = state->W[7]; + s20 = state->W[8]; + s21 = state->W[9]; + s22 = state->W[10]; + s23 = state->W[11]; + s30 = state->W[12]; + s31 = state->W[13]; + s32 = state->W[14]; + s33 = state->W[15]; +#else + s00 = le_load_word32(state->B); + s01 = le_load_word32(state->B + 4); + s02 = le_load_word32(state->B + 8); + s03 = le_load_word32(state->B + 12); + s10 = le_load_word32(state->B + 16); + s11 = le_load_word32(state->B + 20); + s12 = le_load_word32(state->B + 24); + s13 = le_load_word32(state->B + 28); + s20 = le_load_word32(state->B + 32); + s21 = le_load_word32(state->B + 36); + s22 = le_load_word32(state->B + 40); + s23 = le_load_word32(state->B + 44); + s30 = le_load_word32(state->B + 48); + s31 = le_load_word32(state->B + 52); + s32 = le_load_word32(state->B + 56); + s33 = le_load_word32(state->B + 60); +#endif + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Apply the S-box and L-box to bundle 0 */ + clyde128_sbox(s00, s01, s02, s03); + clyde128_lbox(s00, s01); + clyde128_lbox(s02, s03); + s00 ^= rc[step][0]; + s01 ^= rc[step][1]; + s02 ^= rc[step][2]; + s03 ^= rc[step][3]; + clyde128_sbox(s00, s01, s02, s03); + + /* Apply the S-box and L-box to bundle 1 */ + clyde128_sbox(s10, s11, s12, s13); + clyde128_lbox(s10, s11); + clyde128_lbox(s12, s13); + s10 ^= rc[step][0] << 1; + s11 ^= rc[step][1] << 1; + s12 ^= rc[step][2] << 1; + s13 ^= rc[step][3] << 1; + clyde128_sbox(s10, s11, s12, s13); + + /* Apply the S-box and L-box to bundle 2 */ + clyde128_sbox(s20, s21, s22, s23); + clyde128_lbox(s20, s21); + clyde128_lbox(s22, s23); + s20 ^= rc[step][0] << 2; + s21 ^= rc[step][1] << 2; + s22 ^= rc[step][2] << 2; + s23 ^= rc[step][3] << 2; + clyde128_sbox(s20, s21, s22, s23); + + /* Apply the S-box and L-box to bundle 3 */ + clyde128_sbox(s30, s31, s32, s33); + clyde128_lbox(s30, s31); + clyde128_lbox(s32, s33); + s30 ^= rc[step][0] << 3; + s31 ^= rc[step][1] << 3; + s32 ^= rc[step][2] << 3; + s33 ^= rc[step][3] << 3; + clyde128_sbox(s30, s31, s32, s33); + + /* Apply the diffusion layer to the rows of the state */ + #define shadow512_diffusion_layer(row) \ + do { \ + w = s0##row; \ + x = s1##row; \ + y = s2##row; \ + z = s3##row; \ + c = w ^ x; \ + d = y ^ z; \ + s0##row = x ^ d; \ + s1##row = w ^ d; \ + s2##row = c ^ z; \ + s3##row = c ^ y; \ + } while (0) + shadow512_diffusion_layer(0); + shadow512_diffusion_layer(1); + shadow512_diffusion_layer(2); + shadow512_diffusion_layer(3); + + /* Add round constants to all bundles again */ + s00 ^= rc[step][4]; + s01 ^= rc[step][5]; + s02 ^= rc[step][6]; + s03 ^= rc[step][7]; + s10 ^= rc[step][4] << 1; + s11 ^= rc[step][5] << 1; + s12 ^= rc[step][6] << 1; + s13 ^= rc[step][7] << 1; + s20 ^= rc[step][4] << 2; + s21 ^= rc[step][5] << 2; + s22 ^= rc[step][6] << 2; + s23 ^= rc[step][7] << 2; + s30 ^= rc[step][4] << 3; + s31 ^= rc[step][5] << 3; + s32 ^= rc[step][6] << 3; + s33 ^= rc[step][7] << 3; + } + + /* Pack the local variables back into the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = s00; + state->W[1] = s01; + state->W[2] = s02; + state->W[3] = s03; + state->W[4] = s10; + state->W[5] = s11; + state->W[6] = s12; + state->W[7] = s13; + state->W[8] = s20; + state->W[9] = s21; + state->W[10] = s22; + state->W[11] = s23; + state->W[12] = s30; + state->W[13] = s31; + state->W[14] = s32; + state->W[15] = s33; +#else + le_store_word32(state->B, s00); + le_store_word32(state->B + 4, s01); + le_store_word32(state->B + 8, s02); + le_store_word32(state->B + 12, s03); + le_store_word32(state->B + 16, s10); + le_store_word32(state->B + 20, s11); + le_store_word32(state->B + 24, s12); + le_store_word32(state->B + 28, s13); + le_store_word32(state->B + 32, s20); + le_store_word32(state->B + 36, s21); + le_store_word32(state->B + 40, s22); + le_store_word32(state->B + 44, s23); + le_store_word32(state->B + 48, s30); + le_store_word32(state->B + 52, s31); + le_store_word32(state->B + 56, s32); + le_store_word32(state->B + 60, s33); +#endif +} + +void shadow384(shadow384_state_t *state) +{ + uint32_t s00, s01, s02, s03; + uint32_t s10, s11, s12, s13; + uint32_t s20, s21, s22, s23; + uint32_t c, d, x, y, z; + int step; + + /* Unpack the state into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s00 = state->W[0]; + s01 = state->W[1]; + s02 = state->W[2]; + s03 = state->W[3]; + s10 = state->W[4]; + s11 = state->W[5]; + s12 = state->W[6]; + s13 = state->W[7]; + s20 = state->W[8]; + s21 = state->W[9]; + s22 = state->W[10]; + s23 = state->W[11]; +#else + s00 = le_load_word32(state->B); + s01 = le_load_word32(state->B + 4); + s02 = le_load_word32(state->B + 8); + s03 = le_load_word32(state->B + 12); + s10 = le_load_word32(state->B + 16); + s11 = le_load_word32(state->B + 20); + s12 = le_load_word32(state->B + 24); + s13 = le_load_word32(state->B + 28); + s20 = le_load_word32(state->B + 32); + s21 = le_load_word32(state->B + 36); + s22 = le_load_word32(state->B + 40); + s23 = le_load_word32(state->B + 44); +#endif + + /* Perform all rounds in pairs */ + for (step = 0; step < CLYDE128_STEPS; ++step) { + /* Apply the S-box and L-box to bundle 0 */ + clyde128_sbox(s00, s01, s02, s03); + clyde128_lbox(s00, s01); + clyde128_lbox(s02, s03); + s00 ^= rc[step][0]; + s01 ^= rc[step][1]; + s02 ^= rc[step][2]; + s03 ^= rc[step][3]; + clyde128_sbox(s00, s01, s02, s03); + + /* Apply the S-box and L-box to bundle 1 */ + clyde128_sbox(s10, s11, s12, s13); + clyde128_lbox(s10, s11); + clyde128_lbox(s12, s13); + s10 ^= rc[step][0] << 1; + s11 ^= rc[step][1] << 1; + s12 ^= rc[step][2] << 1; + s13 ^= rc[step][3] << 1; + clyde128_sbox(s10, s11, s12, s13); + + /* Apply the S-box and L-box to bundle 2 */ + clyde128_sbox(s20, s21, s22, s23); + clyde128_lbox(s20, s21); + clyde128_lbox(s22, s23); + s20 ^= rc[step][0] << 2; + s21 ^= rc[step][1] << 2; + s22 ^= rc[step][2] << 2; + s23 ^= rc[step][3] << 2; + clyde128_sbox(s20, s21, s22, s23); + + /* Apply the diffusion layer to the rows of the state */ + #define shadow384_diffusion_layer(row) \ + do { \ + x = s0##row; \ + y = s1##row; \ + z = s2##row; \ + s0##row = x ^ y ^ z; \ + s1##row = x ^ z; \ + s2##row = x ^ y; \ + } while (0) + shadow384_diffusion_layer(0); + shadow384_diffusion_layer(1); + shadow384_diffusion_layer(2); + shadow384_diffusion_layer(3); + + /* Add round constants to all bundles again */ + s00 ^= rc[step][4]; + s01 ^= rc[step][5]; + s02 ^= rc[step][6]; + s03 ^= rc[step][7]; + s10 ^= rc[step][4] << 1; + s11 ^= rc[step][5] << 1; + s12 ^= rc[step][6] << 1; + s13 ^= rc[step][7] << 1; + s20 ^= rc[step][4] << 2; + s21 ^= rc[step][5] << 2; + s22 ^= rc[step][6] << 2; + s23 ^= rc[step][7] << 2; + } + + /* Pack the local variables back into the state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->W[0] = s00; + state->W[1] = s01; + state->W[2] = s02; + state->W[3] = s03; + state->W[4] = s10; + state->W[5] = s11; + state->W[6] = s12; + state->W[7] = s13; + state->W[8] = s20; + state->W[9] = s21; + state->W[10] = s22; + state->W[11] = s23; +#else + le_store_word32(state->B, s00); + le_store_word32(state->B + 4, s01); + le_store_word32(state->B + 8, s02); + le_store_word32(state->B + 12, s03); + le_store_word32(state->B + 16, s10); + le_store_word32(state->B + 20, s11); + le_store_word32(state->B + 24, s12); + le_store_word32(state->B + 28, s13); + le_store_word32(state->B + 32, s20); + le_store_word32(state->B + 36, s21); + le_store_word32(state->B + 40, s22); + le_store_word32(state->B + 44, s23); +#endif +} diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.h new file mode 100644 index 0000000..b08ce80 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-spook.h @@ -0,0 +1,146 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SPOOK_H +#define LW_INTERNAL_SPOOK_H + +#include "internal-util.h" + +/** + * \file internal-spook.h + * \brief Internal implementation details of the Spook AEAD mode. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the block for the Clyde-128 block cipher. + */ +#define CLYDE128_BLOCK_SIZE 16 + +/** + * \brief Size of the key for the Clyde-128 block cipher. + */ +#define CLYDE128_KEY_SIZE 16 + +/** + * \brief Size of the tweak for the Clyde-128 block cipher. + */ +#define CLYDE128_TWEAK_SIZE 16 + +/** + * \brief Size of the state for Shadow-512. + */ +#define SHADOW512_STATE_SIZE 64 + +/** + * \brief Rate to absorb data into or squeeze data out of a Shadow-512 state. + */ +#define SHADOW512_RATE 32 + +/** + * \brief Size of the state for Shadow-384. + */ +#define SHADOW384_STATE_SIZE 48 + +/** + * \brief Rate to absorb data into or squeeze data out of a Shadow-384 state. + */ +#define SHADOW384_RATE 16 + +/** + * \brief Internal state of the Shadow-512 permutation. + */ +typedef union +{ + uint32_t W[SHADOW512_STATE_SIZE / 4]; /**< Words of the state */ + uint8_t B[SHADOW512_STATE_SIZE]; /**< Bytes of the state */ + +} shadow512_state_t; + +/** + * \brief Internal state of the Shadow-384 permutation. + */ +typedef union +{ + uint32_t W[SHADOW384_STATE_SIZE / 4]; /**< Words of the state */ + uint8_t B[SHADOW384_STATE_SIZE]; /**< Bytes of the state */ + +} shadow384_state_t; + +/** + * \brief Encrypts a block with the Clyde-128 block cipher. + * + * \param key Points to the key to encrypt with. + * \param tweak Points to the tweak to encrypt with. + * \param output Output buffer for the ciphertext. + * \param input Input buffer for the plaintext. + * + * \sa clyde128_decrypt() + */ +void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const uint32_t input[CLYDE128_BLOCK_SIZE / 4]); + +/** + * \brief Decrypts a block with the Clyde-128 block cipher. + * + * \param key Points to the key to decrypt with. + * \param tweak Points to the tweak to decrypt with. + * \param output Output buffer for the plaintext. + * \param input Input buffer for the ciphertext. + * + * \sa clyde128_encrypt() + */ +void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], + const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], + uint32_t output[CLYDE128_BLOCK_SIZE / 4], + const unsigned char input[CLYDE128_BLOCK_SIZE]); + +/** + * \brief Performs the Shadow-512 permutation on a state. + * + * \param state The Shadow-512 state which will be in little-endian + * byte order on input and output. + * + * \sa shadow384() + */ +void shadow512(shadow512_state_t *state); + +/** + * \brief Performs the Shadow-384 permutation on a state. + * + * \param state The Shadow-384 state which will be in little-endian + * byte order on input and output. + * + * \sa shadow512() + */ +void shadow384(shadow384_state_t *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-util.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.c b/spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.c new file mode 100644 index 0000000..d075b33 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.c @@ -0,0 +1,552 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "spook.h" +#include "internal-spook.h" +#include "internal-util.h" +#include + +aead_cipher_t const spook_128_512_su_cipher = { + "Spook-128-512-su", + SPOOK_SU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_512_su_aead_encrypt, + spook_128_512_su_aead_decrypt +}; + +aead_cipher_t const spook_128_384_su_cipher = { + "Spook-128-384-su", + SPOOK_SU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_384_su_aead_encrypt, + spook_128_384_su_aead_decrypt +}; + +aead_cipher_t const spook_128_512_mu_cipher = { + "Spook-128-512-mu", + SPOOK_MU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_512_mu_aead_encrypt, + spook_128_512_mu_aead_decrypt +}; + +aead_cipher_t const spook_128_384_mu_cipher = { + "Spook-128-384-mu", + SPOOK_MU_KEY_SIZE, + SPOOK_NONCE_SIZE, + SPOOK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + spook_128_384_mu_aead_encrypt, + spook_128_384_mu_aead_decrypt +}; + +/** + * \brief Initializes the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param k Points to the key. + * \param klen Length of the key in bytes, either 16 or 32. + * \param npub Public nonce for the state. + */ +static void spook_128_512_init + (shadow512_state_t *state, + const unsigned char *k, unsigned klen, + const unsigned char *npub) +{ + memset(state->B, 0, SHADOW512_STATE_SIZE); + if (klen == SPOOK_MU_KEY_SIZE) { + /* The public tweak is 126 bits in size followed by a 1 bit */ + memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE); + state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F; + state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40; + } + memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE); + clyde128_encrypt(k, state->W, state->W + 12, state->W + 4); + shadow512(state); +} + +/** + * \brief Initializes the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param k Points to the key. + * \param klen Length of the key in bytes, either 16 or 32. + * \param npub Public nonce for the state. + */ +static void spook_128_384_init + (shadow384_state_t *state, + const unsigned char *k, unsigned klen, + const unsigned char *npub) +{ + memset(state->B, 0, SHADOW384_STATE_SIZE); + if (klen == SPOOK_MU_KEY_SIZE) { + /* The public tweak is 126 bits in size followed by a 1 bit */ + memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE); + state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F; + state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40; + } + memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE); + clyde128_encrypt(k, state->W, state->W + 8, state->W + 4); + shadow384(state); +} + +/** + * \brief Absorbs associated data into the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void spook_128_512_absorb + (shadow512_state_t *state, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= SHADOW512_RATE) { + lw_xor_block(state->B, ad, SHADOW512_RATE); + shadow512(state); + ad += SHADOW512_RATE; + adlen -= SHADOW512_RATE; + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Absorbs associated data into the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes, must be non-zero. + */ +static void spook_128_384_absorb + (shadow384_state_t *state, + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen >= SHADOW384_RATE) { + lw_xor_block(state->B, ad, SHADOW384_RATE); + shadow384(state); + ad += SHADOW384_RATE; + adlen -= SHADOW384_RATE; + } + if (adlen > 0) { + unsigned temp = (unsigned)adlen; + lw_xor_block(state->B, ad, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +/** + * \brief Encrypts the plaintext with the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void spook_128_512_encrypt + (shadow512_state_t *state, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + state->B[SHADOW512_RATE] ^= 0x01; + while (mlen >= SHADOW512_RATE) { + lw_xor_block_2_dest(c, state->B, m, SHADOW512_RATE); + shadow512(state); + c += SHADOW512_RATE; + m += SHADOW512_RATE; + mlen -= SHADOW512_RATE; + } + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state->B, m, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Encrypts the plaintext with the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Number of bytes of plaintext to be encrypted. + */ +static void spook_128_384_encrypt + (shadow384_state_t *state, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + state->B[SHADOW384_RATE] ^= 0x01; + while (mlen >= SHADOW384_RATE) { + lw_xor_block_2_dest(c, state->B, m, SHADOW384_RATE); + shadow384(state); + c += SHADOW384_RATE; + m += SHADOW384_RATE; + mlen -= SHADOW384_RATE; + } + if (mlen > 0) { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state->B, m, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +/** + * \brief Decrypts the ciphertext with the Shadow-512 sponge state. + * + * \param state The sponge state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param clen Number of bytes of ciphertext to be decrypted. + */ +static void spook_128_512_decrypt + (shadow512_state_t *state, unsigned char *m, + const unsigned char *c, unsigned long long clen) +{ + state->B[SHADOW512_RATE] ^= 0x01; + while (clen >= SHADOW512_RATE) { + lw_xor_block_swap(m, state->B, c, SHADOW512_RATE); + shadow512(state); + c += SHADOW512_RATE; + m += SHADOW512_RATE; + clen -= SHADOW512_RATE; + } + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block_swap(m, state->B, c, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW512_RATE] ^= 0x02; + shadow512(state); + } +} + +/** + * \brief Decrypts the ciphertext with the Shadow-384 sponge state. + * + * \param state The sponge state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param clen Number of bytes of ciphertext to be decrypted. + */ +static void spook_128_384_decrypt + (shadow384_state_t *state, unsigned char *m, + const unsigned char *c, unsigned long long clen) +{ + state->B[SHADOW384_RATE] ^= 0x01; + while (clen >= SHADOW384_RATE) { + lw_xor_block_swap(m, state->B, c, SHADOW384_RATE); + shadow384(state); + c += SHADOW384_RATE; + m += SHADOW384_RATE; + clen -= SHADOW384_RATE; + } + if (clen > 0) { + unsigned temp = (unsigned)clen; + lw_xor_block_swap(m, state->B, c, temp); + state->B[temp] ^= 0x01; + state->B[SHADOW384_RATE] ^= 0x02; + shadow384(state); + } +} + +int spook_128_512_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_512_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_512_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_512_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_384_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_384_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_384_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_384_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_512_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_512_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_512_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow512_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-512 sponge state */ + spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_512_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_512_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} + +int spook_128_384_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) + spook_128_384_encrypt(&state, c, m, mlen); + + /* Compute the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_encrypt(k, state.W + 4, state.W, state.W); + memcpy(c + mlen, state.B, SPOOK_TAG_SIZE); + return 0; +} + +int spook_128_384_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + shadow384_state_t state; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SPOOK_TAG_SIZE) + return -1; + *mlen = clen - SPOOK_TAG_SIZE; + + /* Initialize the Shadow-384 sponge state */ + spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub); + + /* Process the associated data */ + if (adlen > 0) + spook_128_384_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SPOOK_TAG_SIZE; + if (clen > 0) + spook_128_384_decrypt(&state, m, c, clen); + + /* Check the authentication tag */ + state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80; + clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen); + return aead_check_tag + (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE); +} diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.h new file mode 100644 index 0000000..68b6a25 --- /dev/null +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/spook.h @@ -0,0 +1,344 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SPOOK_H +#define LWCRYPTO_SPOOK_H + +#include "aead-common.h" + +/** + * \file spook.h + * \brief Spook authenticated encryption algorithm. + * + * Spook is a family of authenticated encryption algorithms that are + * built around a tweakable block cipher and a permutation. If the + * tweakable block cipher is implemented as a masked block cipher, + * then Spook provides protection against power analysis side channels. + * + * There are four members in the Spook family: + * + * \li Spook-128-512-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * Internally the algorithm uses a 512-bit permutation. This is the primary + * member of the family. + * \li Spook-128-384-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. + * Internally the algorithm uses a 384-bit permutation. + * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit + * nonce, and a 128-bit tag. Internally the algorithm uses a 512-bit + * permutation. + * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit + * nonce, and a 128-bit tag. Internally the algorithm uses a 384-bit + * permutation. + * + * In this library, the "mu" (multi-user) variants combine the 128-bit key + * and the 128-bit public tweak into a single 256-bit key value. + * Applications can either view this as a cipher with a 256-bit key, + * or they can split the key value into secret and public halves. + * Even with the use of 256-bit keys, Spook only has 128-bit security. + * + * References: https://www.spook.dev/ + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for the single-user version of Spook. + */ +#define SPOOK_SU_KEY_SIZE 16 + +/** + * \brief Size of the key for the multi-user version of Spook. + */ +#define SPOOK_MU_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for all Spook family members. + */ +#define SPOOK_TAG_SIZE 16 + +/** + * \brief Size of the nonce for all Spook family members. + */ +#define SPOOK_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the Spook-128-512-su cipher. + */ +extern aead_cipher_t const spook_128_512_su_cipher; + +/** + * \brief Meta-information block for the Spook-128-384-su cipher. + */ +extern aead_cipher_t const spook_128_384_su_cipher; + +/** + * \brief Meta-information block for the Spook-128-512-mu cipher. + */ +extern aead_cipher_t const spook_128_512_mu_cipher; + +/** + * \brief Meta-information block for the Spook-128-384-mu cipher. + */ +extern aead_cipher_t const spook_128_384_mu_cipher; + +/** + * \brief Encrypts and authenticates a packet with Spook-128-512-su. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_512_su_aead_decrypt() + */ +int spook_128_512_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-512-su. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_512_su_aead_encrypt() + */ +int spook_128_512_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-384-su. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_384_su_aead_decrypt() + */ +int spook_128_384_su_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-384-su. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_384_su_aead_encrypt() + */ +int spook_128_384_su_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-512-mu. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_512_mu_aead_decrypt() + */ +int spook_128_512_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-512-mu. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_512_mu_aead_encrypt() + */ +int spook_128_512_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with Spook-128-384-mu. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa spook_128_384_mu_aead_decrypt() + */ +int spook_128_384_mu_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Spook-128-384-mu. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa spook_128_384_mu_aead_encrypt() + */ +int spook_128_384_mu_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.c b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/api.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/encrypt.c b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/encrypt.c new file mode 100644 index 0000000..2f166ad --- /dev/null +++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "subterranean.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return subterranean_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return subterranean_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.c b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.c new file mode 100644 index 0000000..1cb64e2 --- /dev/null +++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.c @@ -0,0 +1,441 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-subterranean.h" +#include + +void subterranean_round(subterranean_state_t *state) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8; + uint32_t t0, t1; + + /* Load the state up into local variables */ + x0 = state->x[0]; + x1 = state->x[1]; + x2 = state->x[2]; + x3 = state->x[3]; + x4 = state->x[4]; + x5 = state->x[5]; + x6 = state->x[6]; + x7 = state->x[7]; + x8 = state->x[8]; + + /* Step chi: s[i] = s[i] ^ (~(s[i+1) & s[i+2]) */ + #define CHI(a, b) \ + do { \ + t0 = ((a) >> 1) | ((b) << 31); \ + t1 = ((a) >> 2) | ((b) << 30); \ + (a) ^= (~t0) & t1; \ + } while (0) + x8 ^= (x0 << 1); + CHI(x0, x1); CHI(x1, x2); + CHI(x2, x3); CHI(x3, x4); + CHI(x4, x5); CHI(x5, x6); + CHI(x6, x7); CHI(x7, x8); + x8 ^= (~(x8 >> 1)) & (x8 >> 2); + + /* Step itoa: invert s[0] */ + x0 ^= 1U; + + /* Step theta: s[i] = s[i] ^ s[i + 3] ^ s[i + 8] */ + #define THETA(a, b) \ + do { \ + t0 = ((a) >> 3) | ((b) << 29); \ + t1 = ((a) >> 8) | ((b) << 24); \ + (a) ^= t0 ^ t1; \ + } while (0) + x8 = (x8 & 1U) ^ (x0 << 1); + THETA(x0, x1); THETA(x1, x2); + THETA(x2, x3); THETA(x3, x4); + THETA(x4, x5); THETA(x5, x6); + THETA(x6, x7); THETA(x7, x8); + x8 ^= (x8 >> 3) ^ (x8 >> 8); + + /* Step pi: permute the bits with the rule s[i] = s[(i * 12) % 257]. + * BCP = bit copy, BUP = move bit up, BDN = move bit down */ + #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit))) + #define BUP(x, from, to) \ + (((x) << ((to) - (from))) & (((uint32_t)1) << (to))) + #define BDN(x, from, to) \ + (((x) >> ((from) - (to))) & (((uint32_t)1) << (to))) + state->x[0] = BCP(x0, 0) ^ BDN(x0, 12, 1) ^ BDN(x0, 24, 2) ^ + BDN(x1, 4, 3) ^ BDN(x1, 16, 4) ^ BDN(x1, 28, 5) ^ + BDN(x2, 8, 6) ^ BDN(x2, 20, 7) ^ BUP(x3, 0, 8) ^ + BDN(x3, 12, 9) ^ BDN(x3, 24, 10) ^ BUP(x4, 4, 11) ^ + BDN(x4, 16, 12) ^ BDN(x4, 28, 13) ^ BUP(x5, 8, 14) ^ + BDN(x5, 20, 15) ^ BUP(x6, 0, 16) ^ BUP(x6, 12, 17) ^ + BDN(x6, 24, 18) ^ BUP(x7, 4, 19) ^ BUP(x7, 16, 20) ^ + BDN(x7, 28, 21) ^ BUP(x0, 7, 22) ^ BUP(x0, 19, 23) ^ + BDN(x0, 31, 24) ^ BUP(x1, 11, 25) ^ BUP(x1, 23, 26) ^ + BUP(x2, 3, 27) ^ BUP(x2, 15, 28) ^ BUP(x2, 27, 29) ^ + BUP(x3, 7, 30) ^ BUP(x3, 19, 31); + state->x[1] = BDN(x3, 31, 0) ^ BDN(x4, 11, 1) ^ BDN(x4, 23, 2) ^ + BCP(x5, 3) ^ BDN(x5, 15, 4) ^ BDN(x5, 27, 5) ^ + BDN(x6, 7, 6) ^ BDN(x6, 19, 7) ^ BDN(x6, 31, 8) ^ + BDN(x7, 11, 9) ^ BDN(x7, 23, 10) ^ BUP(x0, 2, 11) ^ + BDN(x0, 14, 12) ^ BDN(x0, 26, 13) ^ BUP(x1, 6, 14) ^ + BDN(x1, 18, 15) ^ BDN(x1, 30, 16) ^ BUP(x2, 10, 17) ^ + BDN(x2, 22, 18) ^ BUP(x3, 2, 19) ^ BUP(x3, 14, 20) ^ + BDN(x3, 26, 21) ^ BUP(x4, 6, 22) ^ BUP(x4, 18, 23) ^ + BDN(x4, 30, 24) ^ BUP(x5, 10, 25) ^ BUP(x5, 22, 26) ^ + BUP(x6, 2, 27) ^ BUP(x6, 14, 28) ^ BUP(x6, 26, 29) ^ + BUP(x7, 6, 30) ^ BUP(x7, 18, 31); + state->x[2] = BDN(x7, 30, 0) ^ BDN(x0, 9, 1) ^ BDN(x0, 21, 2) ^ + BUP(x1, 1, 3) ^ BDN(x1, 13, 4) ^ BDN(x1, 25, 5) ^ + BUP(x2, 5, 6) ^ BDN(x2, 17, 7) ^ BDN(x2, 29, 8) ^ + BCP(x3, 9) ^ BDN(x3, 21, 10) ^ BUP(x4, 1, 11) ^ + BDN(x4, 13, 12) ^ BDN(x4, 25, 13) ^ BUP(x5, 5, 14) ^ + BDN(x5, 17, 15) ^ BDN(x5, 29, 16) ^ BUP(x6, 9, 17) ^ + BDN(x6, 21, 18) ^ BUP(x7, 1, 19) ^ BUP(x7, 13, 20) ^ + BDN(x7, 25, 21) ^ BUP(x0, 4, 22) ^ BUP(x0, 16, 23) ^ + BDN(x0, 28, 24) ^ BUP(x1, 8, 25) ^ BUP(x1, 20, 26) ^ + BUP(x2, 0, 27) ^ BUP(x2, 12, 28) ^ BUP(x2, 24, 29) ^ + BUP(x3, 4, 30) ^ BUP(x3, 16, 31); + state->x[3] = BDN(x3, 28, 0) ^ BDN(x4, 8, 1) ^ BDN(x4, 20, 2) ^ + BUP(x5, 0, 3) ^ BDN(x5, 12, 4) ^ BDN(x5, 24, 5) ^ + BUP(x6, 4, 6) ^ BDN(x6, 16, 7) ^ BDN(x6, 28, 8) ^ + BUP(x7, 8, 9) ^ BDN(x7, 20, 10) ^ BUP(x8, 0, 11) ^ + BUP(x0, 11, 12) ^ BDN(x0, 23, 13) ^ BUP(x1, 3, 14) ^ + BCP(x1, 15) ^ BDN(x1, 27, 16) ^ BUP(x2, 7, 17) ^ + BDN(x2, 19, 18) ^ BDN(x2, 31, 19) ^ BUP(x3, 11, 20) ^ + BDN(x3, 23, 21) ^ BUP(x4, 3, 22) ^ BUP(x4, 15, 23) ^ + BDN(x4, 27, 24) ^ BUP(x5, 7, 25) ^ BUP(x5, 19, 26) ^ + BDN(x5, 31, 27) ^ BUP(x6, 11, 28) ^ BUP(x6, 23, 29) ^ + BUP(x7, 3, 30) ^ BUP(x7, 15, 31); + state->x[4] = BDN(x7, 27, 0) ^ BDN(x0, 6, 1) ^ BDN(x0, 18, 2) ^ + BDN(x0, 30, 3) ^ BDN(x1, 10, 4) ^ BDN(x1, 22, 5) ^ + BUP(x2, 2, 6) ^ BDN(x2, 14, 7) ^ BDN(x2, 26, 8) ^ + BUP(x3, 6, 9) ^ BDN(x3, 18, 10) ^ BDN(x3, 30, 11) ^ + BUP(x4, 10, 12) ^ BDN(x4, 22, 13) ^ BUP(x5, 2, 14) ^ + BUP(x5, 14, 15) ^ BDN(x5, 26, 16) ^ BUP(x6, 6, 17) ^ + BCP(x6, 18) ^ BDN(x6, 30, 19) ^ BUP(x7, 10, 20) ^ + BDN(x7, 22, 21) ^ BUP(x0, 1, 22) ^ BUP(x0, 13, 23) ^ + BDN(x0, 25, 24) ^ BUP(x1, 5, 25) ^ BUP(x1, 17, 26) ^ + BDN(x1, 29, 27) ^ BUP(x2, 9, 28) ^ BUP(x2, 21, 29) ^ + BUP(x3, 1, 30) ^ BUP(x3, 13, 31); + state->x[5] = BDN(x3, 25, 0) ^ BDN(x4, 5, 1) ^ BDN(x4, 17, 2) ^ + BDN(x4, 29, 3) ^ BDN(x5, 9, 4) ^ BDN(x5, 21, 5) ^ + BUP(x6, 1, 6) ^ BDN(x6, 13, 7) ^ BDN(x6, 25, 8) ^ + BUP(x7, 5, 9) ^ BDN(x7, 17, 10) ^ BDN(x7, 29, 11) ^ + BUP(x0, 8, 12) ^ BDN(x0, 20, 13) ^ BUP(x1, 0, 14) ^ + BUP(x1, 12, 15) ^ BDN(x1, 24, 16) ^ BUP(x2, 4, 17) ^ + BUP(x2, 16, 18) ^ BDN(x2, 28, 19) ^ BUP(x3, 8, 20) ^ + BUP(x3, 20, 21) ^ BUP(x4, 0, 22) ^ BUP(x4, 12, 23) ^ + BCP(x4, 24) ^ BUP(x5, 4, 25) ^ BUP(x5, 16, 26) ^ + BDN(x5, 28, 27) ^ BUP(x6, 8, 28) ^ BUP(x6, 20, 29) ^ + BUP(x7, 0, 30) ^ BUP(x7, 12, 31); + state->x[6] = BDN(x7, 24, 0) ^ BDN(x0, 3, 1) ^ BDN(x0, 15, 2) ^ + BDN(x0, 27, 3) ^ BDN(x1, 7, 4) ^ BDN(x1, 19, 5) ^ + BDN(x1, 31, 6) ^ BDN(x2, 11, 7) ^ BDN(x2, 23, 8) ^ + BUP(x3, 3, 9) ^ BDN(x3, 15, 10) ^ BDN(x3, 27, 11) ^ + BUP(x4, 7, 12) ^ BDN(x4, 19, 13) ^ BDN(x4, 31, 14) ^ + BUP(x5, 11, 15) ^ BDN(x5, 23, 16) ^ BUP(x6, 3, 17) ^ + BUP(x6, 15, 18) ^ BDN(x6, 27, 19) ^ BUP(x7, 7, 20) ^ + BUP(x7, 19, 21) ^ BDN(x7, 31, 22) ^ BUP(x0, 10, 23) ^ + BUP(x0, 22, 24) ^ BUP(x1, 2, 25) ^ BUP(x1, 14, 26) ^ + BUP(x1, 26, 27) ^ BUP(x2, 6, 28) ^ BUP(x2, 18, 29) ^ + BCP(x2, 30) ^ BUP(x3, 10, 31); + state->x[7] = BDN(x3, 22, 0) ^ BDN(x4, 2, 1) ^ BDN(x4, 14, 2) ^ + BDN(x4, 26, 3) ^ BDN(x5, 6, 4) ^ BDN(x5, 18, 5) ^ + BDN(x5, 30, 6) ^ BDN(x6, 10, 7) ^ BDN(x6, 22, 8) ^ + BUP(x7, 2, 9) ^ BDN(x7, 14, 10) ^ BDN(x7, 26, 11) ^ + BUP(x0, 5, 12) ^ BDN(x0, 17, 13) ^ BDN(x0, 29, 14) ^ + BUP(x1, 9, 15) ^ BDN(x1, 21, 16) ^ BUP(x2, 1, 17) ^ + BUP(x2, 13, 18) ^ BDN(x2, 25, 19) ^ BUP(x3, 5, 20) ^ + BUP(x3, 17, 21) ^ BDN(x3, 29, 22) ^ BUP(x4, 9, 23) ^ + BUP(x4, 21, 24) ^ BUP(x5, 1, 25) ^ BUP(x5, 13, 26) ^ + BUP(x5, 25, 27) ^ BUP(x6, 5, 28) ^ BUP(x6, 17, 29) ^ + BUP(x6, 29, 30) ^ BUP(x7, 9, 31); + state->x[8] = BDN(x7, 21, 0); +} + +void subterranean_blank(subterranean_state_t *state) +{ + unsigned round; + for (round = 0; round < 8; ++round) { + subterranean_round(state); + state->x[0] ^= 0x02; /* padding for an empty block is in state bit 1 */ + } +} + +void subterranean_duplex_0(subterranean_state_t *state) +{ + subterranean_round(state); + state->x[0] ^= 0x02; /* padding for an empty block is in state bit 1 */ +} + +void subterranean_duplex_1(subterranean_state_t *state, unsigned char data) +{ + uint32_t x = data; + + /* Perform a single Subterranean round before absorbing the bits */ + subterranean_round(state); + + /* Rearrange the bits and absorb them into the state */ + state->x[0] ^= (x << 1) & 0x00000002U; + state->x[1] ^= x & 0x00000008U; + state->x[2] ^= 0x00000001U; /* 9th padding bit is always 1 */ + state->x[4] ^= ((x << 6) & 0x00000100U) ^ ((x << 1) & 0x00000040U); + state->x[5] ^= (x << 15) & 0x00010000U; + state->x[6] ^= (x >> 1) & 0x00000020U; + state->x[7] ^= ((x << 21) & 0x02000000U) ^ ((x << 3) & 0x00000400U); +} + +void subterranean_duplex_word(subterranean_state_t *state, uint32_t x) +{ + uint32_t y; + + /* Perform a single Subterranean round before absorbing the bits */ + subterranean_round(state); + + /* To absorb the word into the state, we first rearrange the source + * bits to be in the right target bit positions. Then we mask and + * XOR them into the relevant words of the state. + * + * Some of the source bits end up in the same target bit but a different + * word so we have to permute the input word twice to get all the source + * bits into the locations we want for masking and XOR'ing. + * + * Permutations generated with "http://programming.sirrida.de/calcperm.php". + */ + + /* P1 = [1 16 8 3 25 * * 10 0 21 * 24 2 31 15 6 * 11 9 19 * * 29 * 4 * 30 12 * 22 17 5] */ + y = (x & 0x00080008U) + | ((x & 0x00004001U) << 1) + | ((x & 0x00000080U) << 3) + | ((x & 0x04000000U) << 4) + | leftRotate6(x & 0x80000004U) + | ((x & 0x00400000U) << 7) + | leftRotate12(x & 0x01000200U) + | ((x & 0x00000800U) << 13) + | ((x & 0x00000002U) << 15) + | ((x & 0x08000000U) >> 15) + | ((x & 0x00002000U) << 18) + | ((x & 0x40000000U) >> 13) + | ((x & 0x00000010U) << 21) + | ((x & 0x00001000U) >> 10) + | ((x & 0x00048000U) >> 9) + | ((x & 0x00000100U) >> 8) + | ((x & 0x20000000U) >> 7) + | ((x & 0x00020000U) >> 6); + + /* P2 = [* * * * * 6 5 * * * 31 * * * * * 17 * * * 0 9 * 15 * 30 * * 1 * * *] */ + x = ((x & 0x00010020U) << 1) + | leftRotate5(x & 0x12000000U) + | ((x & 0x00100000U) >> 20) + | ((x & 0x00200000U) >> 12) + | ((x & 0x00000400U) << 21) + | ((x & 0x00800000U) >> 8) + | ((x & 0x00000040U) >> 1); + + /* Integrate the rearranged bits into the state */ + state->x[0] ^= (y & 0x40428816U); + state->x[1] ^= (y & 0x00000008U); + state->x[2] ^= (y & 0x80000041U); + state->x[3] ^= (x & 0x00008000U); + state->x[4] ^= (y & 0x00001300U) ^ (x & 0x00000041U); + state->x[5] ^= (y & 0x21010020U) ^ (x & 0x40000200U); + state->x[6] ^= (y & 0x00280000U) ^ (x & 0x80000020U); + state->x[7] ^= (y & 0x02000400U) ^ (x & 0x00020002U); +} + +void subterranean_duplex_n + (subterranean_state_t *state, const unsigned char *data, unsigned len) +{ + switch (len) { + case 0: + subterranean_duplex_0(state); + break; + case 1: + subterranean_duplex_1(state, data[0]); + break; + case 2: + /* Load 16 bits and add the padding bit to the 17th bit */ + subterranean_duplex_word + (state, ((uint32_t)(data[0]) | + (((uint32_t)(data[1])) << 8) | + 0x10000U)); + break; + case 3: + /* Load 24 bits and add the padding bit to the 25th bit */ + subterranean_duplex_word + (state, ((uint32_t)(data[0]) | + (((uint32_t)(data[1])) << 8) | + (((uint32_t)(data[2])) << 16) | + 0x01000000U)); + break; + default: + /* Load 32 bits and add the padding bit to the 33rd bit */ + subterranean_duplex_word(state, le_load_word32(data)); + state->x[8] ^= 0x00000001U; + break; + } +} + +uint32_t subterranean_extract(subterranean_state_t *state) +{ + uint32_t x, y; + + /* We need to extract 64 bits from the state, and then XOR the two + * halves together to get the result. + * + * Extract words from the state and permute the bits into the target + * bit order. Then mask off the unnecessary bits and combine. + * + * Permutations generated with "http://programming.sirrida.de/calcperm.php". + */ + + /* P0 = [* 0 12 * 24 * * * 4 * * 17 * * * 14 16 30 * * * * 29 7 * * * * * * 26 *] */ + x = state->x[0]; + x = (x & 0x00010000U) + | ((x & 0x00000800U) << 6) + | ((x & 0x00400000U) << 7) + | ((x & 0x00000004U) << 10) + | ((x & 0x00020000U) << 13) + | ((x & 0x00800000U) >> 16) + | ((x & 0x00000010U) << 20) + | ((x & 0x40000100U) >> 4) + | ((x & 0x00008002U) >> 1); + y = x & 0x65035091U; + + /* P1 = [28 * 10 3 * * * * * * * * 9 * 19 * * * * * * * * * * * * * 6 * * *] */ + x = state->x[1]; + x = (x & 0x00000008U) + | ((x & 0x00004000U) << 5) + | ((x & 0x00000004U) << 8) + | ((x & 0x10000000U) >> 22) + | ((x & 0x00000001U) << 28) + | ((x & 0x00001000U) >> 3); + y ^= x & 0x10080648U; + + /* P2 = [8 * * 25 22 * 15 * * 11 * * * * * * * 1 * * * * * * 21 * * * 31 * * 13] */ + x = state->x[2]; + x = ((x & 0x00000200U) << 2) + | ((x & 0x10000000U) << 3) + | ((x & 0x00000001U) << 8) + | ((x & 0x00000040U) << 9) + | ((x & 0x80000000U) >> 18) + | ((x & 0x00020000U) >> 16) + | ((x & 0x00000010U) << 18) + | ((x & 0x00000008U) << 22) + | ((x & 0x01000000U) >> 3); + y ^= x & 0x8260a902U; + + /* P3 = [* * * * * * * * * * * * * * * 23 * * * * * 27 * * 18 2 * 5 * * * *] */ + x = state->x[3]; + x = ((x & 0x00200000U) << 6) + | ((x & 0x00008000U) << 8) + | ((x & 0x02000000U) >> 23) + | ((x & 0x08000000U) >> 22) + | ((x & 0x01000000U) >> 6); + y ^= x & 0x08840024U; + + /* P4 = [20 20 * * * * 5 * 2 18 * * 27 * * * * * 23 * * * * * * * * * * * * *] */ + x = state->x[4]; + y ^= (x << 20) & 0x00100000U; /* Handle duplicated bit 20 separately */ + x = ((x & 0x00040000U) << 5) + | ((x & 0x00000200U) << 9) + | ((x & 0x00001000U) << 15) + | ((x & 0x00000002U) << 19) + | ((x & 0x00000100U) >> 6) + | ((x & 0x00000040U) >> 1); + y ^= x & 0x08940024U; + + /* P5 = [* * 13 * * 31 * * * 21 * * * * * * 1 * * * * * * * 11 * * 15 * 22 25 *] */ + x = state->x[5]; + x = ((x & 0x00000004U) << 11) + | ((x & 0x00000200U) << 12) + | ((x & 0x00010000U) >> 15) + | ((x & 0x01000000U) >> 13) + | ((x & 0x08000000U) >> 12) + | ((x & 0x20000000U) >> 7) + | ((x & 0x00000020U) << 26) + | ((x & 0x40000000U) >> 5); + y ^= x & 0x8260a802U; + + /* P6 = [* 8 * * * 6 * * * * * * * * * * * * * 19 * 9 * * * * * * * * 3 10] */ + x = state->x[6]; + x = (x & 0x00080000U) + | ((x & 0x00000020U) << 1) + | ((x & 0x40000000U) >> 27) + | ((x & 0x00000002U) << 7) + | ((x & 0x80000000U) >> 21) + | ((x & 0x00200000U) >> 12); + y ^= x & 0x00080748U; + + /* P7 = [* 28 * 26 * * * * * * 7 29 * * * * 30 16 14 * * * 17 * * 4 * * * 24 * 12] */ + x = state->x[7]; + x = ((x & 0x02000000U) >> 21) + | ((x & 0x80000000U) >> 19) + | ((x & 0x00010000U) << 14) + | ((x & 0x00000800U) << 18) + | ((x & 0x00000008U) << 23) + | leftRotate27(x & 0x20400002U) + | ((x & 0x00040000U) >> 4) + | ((x & 0x00000400U) >> 3) + | ((x & 0x00020000U) >> 1); + y ^= x & 0x75035090U; + + /* Word 8 has a single bit - XOR it directly into the result and return */ + return y ^ state->x[8]; +} + +void subterranean_absorb + (subterranean_state_t *state, const unsigned char *data, + unsigned long long len) +{ + while (len >= 4) { + subterranean_duplex_4(state, data); + data += 4; + len -= 4; + } + subterranean_duplex_n(state, data, (unsigned)len); +} + +void subterranean_squeeze + (subterranean_state_t *state, unsigned char *data, unsigned len) +{ + uint32_t word; + while (len > 4) { + word = subterranean_extract(state); + subterranean_duplex_0(state); + le_store_word32(data, word); + data += 4; + len -= 4; + } + if (len == 4) { + word = subterranean_extract(state); + le_store_word32(data, word); + } else if (len == 1) { + word = subterranean_extract(state); + data[0] = (unsigned char)word; + } else if (len == 2) { + word = subterranean_extract(state); + data[0] = (unsigned char)word; + data[1] = (unsigned char)(word >> 8); + } else if (len == 3) { + word = subterranean_extract(state); + data[0] = (unsigned char)word; + data[1] = (unsigned char)(word >> 8); + data[2] = (unsigned char)(word >> 16); + } +} diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.h new file mode 100644 index 0000000..71cebb2 --- /dev/null +++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-subterranean.h @@ -0,0 +1,144 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SUBTERRANEAN_H +#define LW_INTERNAL_SUBTERRANEAN_H + +#include "internal-util.h" + +/** + * \file internal-subterranean.h + * \brief Internal implementation of the Subterranean block operation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Representation of the 257-bit state of Subterranean. + * + * The 257-bit state is represented as nine 32-bit words with only a single + * bit in the last word. + */ +typedef struct +{ + uint32_t x[9]; /**< State words */ + +} subterranean_state_t; + +/** + * \brief Performs a single Subterranean round. + * + * \param state Subterranean state to be transformed. + */ +void subterranean_round(subterranean_state_t *state); + +/** + * \brief Performs 8 Subterranean rounds with no absorption or squeezing + * of data; i.e. data input and output is "blanked". + * + * \param state Subterranean state to be transformed. + */ +void subterranean_blank(subterranean_state_t *state); + +/** + * \brief Performs a single Subterranean round and absorbs 0 bytes. + * + * \param state Subterranean state to be transformed. + */ +void subterranean_duplex_0(subterranean_state_t *state); + +/** + * \brief Performs a single Subterranean round and absorbs one byte. + * + * \param state Subterranean state to be transformed. + * \param data The single byte to be absorbed. + */ +void subterranean_duplex_1(subterranean_state_t *state, unsigned char data); + +/** + * \brief Absorbs a 32-bit word into the Subterranean state. + * + * \param state Subterranean state to be transformed. + * \param x The word to absorb into the state. + */ +void subterranean_duplex_word(subterranean_state_t *state, uint32_t x); + +/** + * \brief Performs a single Subterranean round and absorbs four bytes. + * + * \param state Subterranean state to be transformed. + * \param data Points to the four data bytes to be absorbed. + */ +#define subterranean_duplex_4(state, data) \ + do { \ + subterranean_duplex_word((state), le_load_word32((data))); \ + (state)->x[8] ^= 1; \ + } while (0) + +/** + * \brief Performs a single Subterranean round and absorbs between + * zero and four bytes. + * + * \param state Subterranean state to be transformed. + * \param data Points to the data bytes to be absorbed. + * \param len Length of the data to be absorbed. + */ +void subterranean_duplex_n + (subterranean_state_t *state, const unsigned char *data, unsigned len); + +/** + * \brief Extracts 32 bits of output from the Subterranean state. + * + * \param state Subterranean state to extract the output from. + * + * \return Returns the 32-bit word that was extracted. + */ +uint32_t subterranean_extract(subterranean_state_t *state); + +/** + * \brief Absorbs an arbitrary amount of data, four bytes at a time. + * + * \param state Subterranean state to be transformed. + * \param data Points to the bytes to be absorbed. + * \param len Number of bytes to absorb. + */ +void subterranean_absorb + (subterranean_state_t *state, const unsigned char *data, + unsigned long long len); + +/** + * \brief Squeezes an arbitrary amount of data out of a Subterranean state. + * + * \param state Subterranean state to extract the output from. + * \param data Points to the data buffer to receive the output. + * \param len Number of bytes to be extracted. + */ +void subterranean_squeeze + (subterranean_state_t *state, unsigned char *data, unsigned len); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-util.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.c b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.c new file mode 100644 index 0000000..1bc9fc4 --- /dev/null +++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.c @@ -0,0 +1,228 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "subterranean.h" +#include "internal-subterranean.h" +#include + +aead_cipher_t const subterranean_cipher = { + "Subterranean", + SUBTERRANEAN_KEY_SIZE, + SUBTERRANEAN_NONCE_SIZE, + SUBTERRANEAN_TAG_SIZE, + AEAD_FLAG_NONE, + subterranean_aead_encrypt, + subterranean_aead_decrypt +}; + +aead_hash_algorithm_t const subterranean_hash_algorithm = { + "Subterranean-Hash", + sizeof(subterranean_hash_state_t), + SUBTERRANEAN_HASH_SIZE, + AEAD_FLAG_NONE, + subterranean_hash, + (aead_hash_init_t)subterranean_hash_init, + (aead_hash_update_t)subterranean_hash_update, + (aead_hash_finalize_t)subterranean_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +int subterranean_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + subterranean_state_t state; + uint32_t x1, x2; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SUBTERRANEAN_TAG_SIZE; + + /* Initialize the state and absorb the key and nonce */ + memset(&state, 0, sizeof(state)); + subterranean_absorb(&state, k, SUBTERRANEAN_KEY_SIZE); + subterranean_absorb(&state, npub, SUBTERRANEAN_NONCE_SIZE); + subterranean_blank(&state); + + /* Absorb the associated data into the state */ + subterranean_absorb(&state, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + while (mlen >= 4) { + x1 = le_load_word32(m); + x2 = subterranean_extract(&state) ^ x1; + subterranean_duplex_word(&state, x1); + state.x[8] ^= 1; /* padding for 32-bit blocks */ + le_store_word32(c, x2); + c += 4; + m += 4; + mlen -= 4; + } + switch ((unsigned char)mlen) { + default: + subterranean_duplex_0(&state); + break; + case 1: + x2 = subterranean_extract(&state) ^ m[0]; + subterranean_duplex_n(&state, m, 1); + c[0] = (unsigned char)x2; + break; + case 2: + x2 = subterranean_extract(&state) ^ m[0] ^ (((uint32_t)(m[1])) << 8); + subterranean_duplex_n(&state, m, 2); + c[0] = (unsigned char)x2; + c[1] = (unsigned char)(x2 >> 8); + break; + case 3: + x2 = subterranean_extract(&state) ^ + m[0] ^ (((uint32_t)(m[1])) << 8) ^ (((uint32_t)(m[2])) << 16); + subterranean_duplex_n(&state, m, 3); + c[0] = (unsigned char)x2; + c[1] = (unsigned char)(x2 >> 8); + c[2] = (unsigned char)(x2 >> 16); + break; + } + + /* Generate the authentication tag */ + subterranean_blank(&state); + subterranean_squeeze(&state, c + mlen, SUBTERRANEAN_TAG_SIZE); + return 0; +} + +int subterranean_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + subterranean_state_t state; + unsigned char *mtemp = m; + unsigned char tag[SUBTERRANEAN_TAG_SIZE]; + uint32_t x; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SUBTERRANEAN_TAG_SIZE) + return -1; + *mlen = clen - SUBTERRANEAN_TAG_SIZE; + + /* Initialize the state and absorb the key and nonce */ + memset(&state, 0, sizeof(state)); + subterranean_absorb(&state, k, SUBTERRANEAN_KEY_SIZE); + subterranean_absorb(&state, npub, SUBTERRANEAN_NONCE_SIZE); + subterranean_blank(&state); + + /* Absorb the associated data into the state */ + subterranean_absorb(&state, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SUBTERRANEAN_TAG_SIZE; + while (clen >= 4) { + x = le_load_word32(c); + x ^= subterranean_extract(&state); + subterranean_duplex_word(&state, x); + state.x[8] ^= 1; /* padding for 32-bit blocks */ + le_store_word32(m, x); + c += 4; + m += 4; + clen -= 4; + } + switch ((unsigned char)clen) { + default: + subterranean_duplex_0(&state); + break; + case 1: + m[0] = (unsigned char)(subterranean_extract(&state) ^ c[0]); + subterranean_duplex_1(&state, m[0]); + break; + case 2: + x = subterranean_extract(&state) ^ c[0] ^ (((uint32_t)(c[1])) << 8); + m[0] = (unsigned char)x; + m[1] = (unsigned char)(x >> 8); + subterranean_duplex_word(&state, (x & 0xFFFFU) | 0x10000U); + break; + case 3: + x = subterranean_extract(&state) ^ + c[0] ^ (((uint32_t)(c[1])) << 8) ^ (((uint32_t)(c[2])) << 16); + m[0] = (unsigned char)x; + m[1] = (unsigned char)(x >> 8); + m[2] = (unsigned char)(x >> 16); + subterranean_duplex_word(&state, (x & 0x00FFFFFFU) | 0x01000000U); + break; + } + + /* Check the authentication tag */ + subterranean_blank(&state); + subterranean_squeeze(&state, tag, sizeof(tag)); + return aead_check_tag(mtemp, *mlen, tag, c + clen, SUBTERRANEAN_TAG_SIZE); +} + +int subterranean_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + subterranean_state_t state; + memset(&state, 0, sizeof(state)); + while (inlen > 0) { + subterranean_duplex_1(&state, *in++); + subterranean_duplex_0(&state); + --inlen; + } + subterranean_duplex_0(&state); + subterranean_duplex_0(&state); + subterranean_blank(&state); + subterranean_squeeze(&state, out, SUBTERRANEAN_HASH_SIZE); + return 0; +} + +void subterranean_hash_init(subterranean_hash_state_t *state) +{ + memset(state, 0, sizeof(subterranean_hash_state_t)); +} + +void subterranean_hash_update + (subterranean_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + subterranean_state_t *st = (subterranean_state_t *)state; + while (inlen > 0) { + subterranean_duplex_1(st, *in++); + subterranean_duplex_0(st); + --inlen; + } +} + +void subterranean_hash_finalize + (subterranean_hash_state_t *state, unsigned char *out) +{ + subterranean_state_t *st = (subterranean_state_t *)state; + subterranean_duplex_0(st); + subterranean_duplex_0(st); + subterranean_blank(st); + subterranean_squeeze(st, out, SUBTERRANEAN_HASH_SIZE); +} diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.h new file mode 100644 index 0000000..148e5e8 --- /dev/null +++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/subterranean.h @@ -0,0 +1,200 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SUBTERRANEAN_H +#define LWCRYPTO_SUBTERRANEAN_H + +#include "aead-common.h" + +/** + * \file subterranean.h + * \brief Subterranean authenticated encryption algorithm. + * + * Subterranean (technically "Subterranean 2.0") is a family of + * algorithms built around the 257-bit Subterranean permutation: + * + * \li Subterranean is an authenticated encryption algorithm with a 128-bit + * key, a 128-bit nonce, and a 128-bit tag. + * \li Subterranean-Hash is a hash algorithm with a 256-bit output. + * + * The Subterranean permutation is intended for hardware implementation. + * It is not structured for efficient software implementation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Subterranean. + */ +#define SUBTERRANEAN_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Subterranean. + */ +#define SUBTERRANEAN_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Subterranean. + */ +#define SUBTERRANEAN_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for Subterranean-Hash. + */ +#define SUBTERRANEAN_HASH_SIZE 32 + +/** + * \brief Meta-information block for the Subterranean cipher. + */ +extern aead_cipher_t const subterranean_cipher; + +/** + * \brief Meta-information block for the SUBTERRANEAN hash algorithm. + */ +extern aead_hash_algorithm_t const subterranean_hash_algorithm; + +/** + * \brief State information for the Subterreaan incremental hash mode. + */ +typedef union +{ + unsigned char state[40]; /**< Current hash state */ + unsigned long long align; /**< For alignment of this structure */ + +} subterranean_hash_state_t; + +/** + * \brief Encrypts and authenticates a packet with Subterranean. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa subterranean_aead_decrypt() + */ +int subterranean_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Subterranean. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa subterranean_aead_encrypt() + */ +int subterranean_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with Subterranean. + * + * \param out Buffer to receive the hash output which must be at least + * SUBTERRANEAN_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + * + * \sa subterranean_hash_init() + */ +int subterranean_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a Subterranean hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa subterranean_hash_update(), subterranean_hash_finalize(), + * subterranean_hash() + */ +void subterranean_hash_init(subterranean_hash_state_t *state); + +/** + * \brief Updates a Subterranean state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + * + * \sa subterranean_hash_init(), subterranean_hash_finalize() + */ +void subterranean_hash_update + (subterranean_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Returns the final hash value from a Subterranean hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the 32-byte hash value. + * + * \sa subterranean_hash_init(), subterranean_hash_update() + */ +void subterranean_hash_finalize + (subterranean_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/api.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/api.h new file mode 100644 index 0000000..4bd426b --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 0 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/encrypt.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/encrypt.c new file mode 100644 index 0000000..50af7fb --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "sundae-gift.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return sundae_gift_0_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return sundae_gift_0_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.c new file mode 100644 index 0000000..681dbc8 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.c @@ -0,0 +1,849 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gift128.h" +#include "internal-util.h" + +/* Round constants for GIFT-128 in the fixsliced representation */ +static uint32_t const GIFT128_RC[40] = { + 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, + 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, + 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, + 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, + 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, + 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, + 0xc001a000, 0x14500002, 0x01020181, 0x8000001a +}; + +/** + * \brief Swaps bits within two words. + * + * \param a The first word. + * \param b The second word. + * \param mask Mask for the bits to shift. + * \param shift Shift amount in bits. + */ +#define gift128b_swap_move(a, b, mask, shift) \ + do { \ + uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ + (b) ^= tmp; \ + (a) ^= tmp << (shift); \ + } while (0) + +/** + * \brief Derives the next 10 fixsliced keys in the key schedule. + * + * \param next Points to the buffer to receive the next 10 keys. + * \param prev Points to the buffer holding the previous 10 keys. + * + * The \a next and \a prev buffers are allowed to be the same. + */ +#define gift128b_derive_keys(next, prev) \ + do { \ + /* Key 0 */ \ + uint32_t s = (prev)[0]; \ + uint32_t t = (prev)[1]; \ + gift128b_swap_move(t, t, 0x00003333U, 16); \ + gift128b_swap_move(t, t, 0x55554444U, 1); \ + (next)[0] = t; \ + /* Key 1 */ \ + s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ + gift128b_swap_move(s, s, 0x55551100U, 1); \ + (next)[1] = s; \ + /* Key 2 */ \ + s = (prev)[2]; \ + t = (prev)[3]; \ + (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ + ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ + /* Key 3 */ \ + (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ + ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ + /* Key 4 */ \ + s = (prev)[4]; \ + t = (prev)[5]; \ + (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ + leftRotate16(t & 0x55555555U); \ + /* Key 5 */ \ + (next)[5] = leftRotate8(s & 0x55555555U) | \ + leftRotate12(s & 0xAAAAAAAAU); \ + /* Key 6 */ \ + s = (prev)[6]; \ + t = (prev)[7]; \ + (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ + ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ + /* Key 7 */ \ + (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ + ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ + ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ + /* Key 8 */ \ + s = (prev)[8]; \ + t = (prev)[9]; \ + (next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ + ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ + /* Key 9 */ \ + (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ + ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ + } while (0) + +/** + * \brief Compute the round keys for GIFT-128 in the fixsliced representation. + * + * \param ks Points to the key schedule to initialize. + * \param k0 First key word. + * \param k1 Second key word. + * \param k2 Third key word. + * \param k3 Fourth key word. + */ +static void gift128b_compute_round_keys + (gift128b_key_schedule_t *ks, + uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) +{ + unsigned index; + uint32_t temp; + + /* Set the regular key with k0 and k3 pre-swapped for the round function */ + ks->k[0] = k3; + ks->k[1] = k1; + ks->k[2] = k2; + ks->k[3] = k0; + + /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ + for (index = 4; index < 20; index += 2) { + ks->k[index] = ks->k[index - 3]; + temp = ks->k[index - 4]; + temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + ks->k[index + 1] = temp; + } + for (index = 0; index < 20; index += 10) { + /* Keys 0 and 10 */ + temp = ks->k[index]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index] = temp; + + /* Keys 1 and 11 */ + temp = ks->k[index + 1]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 1] = temp; + + /* Keys 2 and 12 */ + temp = ks->k[index + 2]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 2] = temp; + + /* Keys 3 and 13 */ + temp = ks->k[index + 3]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 3] = temp; + + /* Keys 4 and 14 */ + temp = ks->k[index + 4]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 4] = temp; + + /* Keys 5 and 15 */ + temp = ks->k[index + 5]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 5] = temp; + + /* Keys 6 and 16 */ + temp = ks->k[index + 6]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 6] = temp; + + /* Keys 7 and 17 */ + temp = ks->k[index + 7]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 7] = temp; + + /* Keys 8, 9, 18, and 19 do not need any adjustment */ + } + + /* Derive the fixsliced keys for the remaining rounds 11..40 */ + for (index = 20; index < 80; index += 10) { + gift128b_derive_keys(ks->k + index, ks->k + index - 20); + } +} + +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, be_load_word32(key), be_load_word32(key + 4), + be_load_word32(key + 8), be_load_word32(key + 12)); + return 1; +} + +/** + * \brief Performs the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_sbox(s0, s1, s2, s3) \ + do { \ + s1 ^= s0 & s2; \ + s0 ^= s1 & s3; \ + s2 ^= s0 | s1; \ + s3 ^= s2; \ + s1 ^= s3; \ + s3 ^= 0xFFFFFFFFU; \ + s2 ^= s0 & s1; \ + } while (0) + +/** + * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_sbox(s0, s1, s2, s3) \ + do { \ + s2 ^= s3 & s1; \ + s0 ^= 0xFFFFFFFFU; \ + s1 ^= s0; \ + s0 ^= s2; \ + s2 ^= s3 | s1; \ + s3 ^= s1 & s0; \ + s1 ^= s3 & s2; \ + } while (0) + +/** + * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ + s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s3 = leftRotate16(s3); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = rightRotate8(s2); \ + s3 = leftRotate8(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ + s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + s3 = leftRotate16(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = leftRotate8(s2); \ + s3 = rightRotate8(s3); \ + } while (0); + +/** + * \brief Performs five fixsliced encryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of five rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 5 rounds. + */ +#define gift128b_encrypt_5_rounds(rk, rc) \ + do { \ + /* 1st round - S-box, rotate left, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_1(s0, s1, s2, s3); \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + \ + /* 2nd round - S-box, rotate up, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_2(s0, s1, s2, s3); \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_3(s0, s1, s2, s3); \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + \ + /* 4th round - S-box, rotate left and swap rows, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_4(s0, s1, s2, s3); \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + \ + /* 5th round - S-box, rotate up, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_5(s0, s1, s2, s3); \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + \ + /* Swap s0 and s3 in preparation for the next 1st round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + } while (0) + +/** + * \brief Performs five fixsliced decryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + */ +#define gift128b_decrypt_5_rounds(rk, rc) \ + do { \ + /* Swap s0 and s3 in preparation for the next 5th round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + \ + /* 5th round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + gift128b_inv_permute_state_5(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 4th round - S-box, rotate right and swap rows, add round key */ \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + gift128b_inv_permute_state_4(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + gift128b_inv_permute_state_3(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 2nd round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + gift128b_inv_permute_state_2(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 1st round - S-box, rotate right, add round key */ \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + gift128b_inv_permute_state_1(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + } while (0) + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + /* Use the little-endian key byte order from the HYENA submission */ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); + return 1; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +/* 4-bit tweak values expanded to 32-bit */ +static uint32_t const GIFT128_tweaks[16] = { + 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, + 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, + 0x78787878, 0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, + 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff +}; + +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the ciphertext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the first we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the plaintext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.h new file mode 100644 index 0000000..1ac40e5 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.h @@ -0,0 +1,229 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT128_H +#define LW_INTERNAL_GIFT128_H + +/** + * \file internal-gift128.h + * \brief GIFT-128 block cipher. + * + * There are three versions of GIFT-128 in use within the second round + * submissions to the NIST lightweight cryptography competition. + * + * The most efficient version for 32-bit software implementation is the + * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. + * + * The second is the nibble-based version from HYENA. We implement the + * HYENA version as a wrapper around the bit-sliced version. + * + * The third version is a variant on the HYENA nibble-based version that + * includes a 4-bit tweak value for domain separation. It is used by + * the ESTATE submission to NIST. + * + * Technically there is a fourth version of GIFT-128 which is the one that + * appeared in the original GIFT-128 paper. It is almost the same as the + * HYENA version except that the byte ordering is big-endian instead of + * HYENA's little-endian. The original version of GIFT-128 doesn't appear + * in any of the NIST submissions so we don't bother with it in this library. + * + * References: https://eprint.iacr.org/2017/622.pdf, + * https://giftcipher.github.io/gift/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a GIFT-128 block in bytes. + */ +#define GIFT128_BLOCK_SIZE 16 + +/** + * \brief Number of round keys for the fixsliced representation of GIFT-128. + */ +#define GIFT128_ROUND_KEYS 80 + +/** + * \brief Structure of the key schedule for GIFT-128 (bit-sliced). + */ +typedef struct +{ + /** Pre-computed round keys in the fixsliced form */ + uint32_t k[GIFT128_ROUND_KEYS]; + +} gift128b_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (bit-sliced). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version assumes that the input has already been pre-loaded from + * big-endian into host byte order in the supplied word array. The output + * is delivered in the same way. + */ +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Structure of the key schedule for GIFT-128 (nibble-based). + */ +typedef gift128b_key_schedule_t gift128n_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (nibble-based). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +/** + * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.c new file mode 100644 index 0000000..984a4db --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.c @@ -0,0 +1,358 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "sundae-gift.h" +#include "internal-gift128.h" +#include "internal-util.h" +#include + +aead_cipher_t const sundae_gift_0_cipher = { + "SUNDAE-GIFT-0", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_0_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_0_aead_encrypt, + sundae_gift_0_aead_decrypt +}; + +aead_cipher_t const sundae_gift_64_cipher = { + "SUNDAE-GIFT-64", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_64_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_64_aead_encrypt, + sundae_gift_64_aead_decrypt +}; + +aead_cipher_t const sundae_gift_96_cipher = { + "SUNDAE-GIFT-96", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_96_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_96_aead_encrypt, + sundae_gift_96_aead_decrypt +}; + +aead_cipher_t const sundae_gift_128_cipher = { + "SUNDAE-GIFT-128", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_128_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_128_aead_encrypt, + sundae_gift_128_aead_decrypt +}; + +/* Multiply a block value by 2 in the special byte field */ +STATIC_INLINE void sundae_gift_multiply(unsigned char B[16]) +{ + unsigned char B0 = B[0]; + unsigned index; + for (index = 0; index < 15; ++index) + B[index] = B[index + 1]; + B[15] = B0; + B[10] ^= B0; + B[12] ^= B0; + B[14] ^= B0; +} + +/* Compute a MAC over the concatenation of two data buffers */ +static void sundae_gift_aead_mac + (const gift128b_key_schedule_t *ks, unsigned char V[16], + const unsigned char *data1, unsigned data1len, + const unsigned char *data2, unsigned long data2len) +{ + unsigned len; + + /* Nothing to do if the input is empty */ + if (!data1len && !data2len) + return; + + /* Format the first block. We assume that data1len <= 16 + * as it is will be the nonce if it is non-zero in length */ + lw_xor_block(V, data1, data1len); + len = 16 - data1len; + if (len > data2len) + len = (unsigned)data2len; + lw_xor_block(V + data1len, data2, len); + data2 += len; + data2len -= len; + len += data1len; + + /* Process as many full blocks as we can, except the last */ + while (data2len > 0) { + gift128b_encrypt(ks, V, V); + len = 16; + if (len > data2len) + len = (unsigned)data2len; + lw_xor_block(V, data2, len); + data2 += len; + data2len -= len; + } + + /* Pad and process the last block */ + if (len < 16) { + V[len] ^= 0x80; + sundae_gift_multiply(V); + gift128b_encrypt(ks, V, V); + } else { + sundae_gift_multiply(V); + sundae_gift_multiply(V); + gift128b_encrypt(ks, V, V); + } +} + +static int sundae_gift_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, unsigned npublen, + const unsigned char *k, unsigned char domainsep) +{ + gift128b_key_schedule_t ks; + unsigned char V[16]; + unsigned char T[16]; + unsigned char P[16]; + + /* Compute the length of the output ciphertext */ + *clen = mlen + SUNDAE_GIFT_TAG_SIZE; + + /* Set the key schedule */ + if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) + return -1; + + /* Format and encrypt the initial domain separation block */ + if (adlen > 0) + domainsep |= 0x80; + if (mlen > 0) + domainsep |= 0x40; + V[0] = domainsep; + memset(V + 1, 0, sizeof(V) - 1); + gift128b_encrypt(&ks, T, V); + + /* Authenticate the nonce and the associated data */ + sundae_gift_aead_mac(&ks, T, npub, npublen, ad, adlen); + + /* Authenticate the plaintext */ + sundae_gift_aead_mac(&ks, T, 0, 0, m, mlen); + + /* Encrypt the plaintext to produce the ciphertext. We need to be + * careful how we manage the data because we could be doing in-place + * encryption. In SUNDAE-GIFT, the first 16 bytes of the ciphertext + * is the tag rather than the last 16 bytes in other algorithms. + * We need to swap the plaintext for the current block with the + * ciphertext or tag from the previous block */ + memcpy(V, T, 16); + while (mlen >= 16) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(P, V, m, 16); + memcpy(c, T, 16); + memcpy(T, P, 16); + c += 16; + m += 16; + mlen -= 16; + } + if (mlen > 0) { + unsigned leftover = (unsigned)mlen; + gift128b_encrypt(&ks, V, V); + lw_xor_block(V, m, leftover); + memcpy(c, T, 16); + memcpy(c + 16, V, leftover); + } else { + memcpy(c, T, 16); + } + return 0; +} + +static int sundae_gift_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, unsigned npublen, + const unsigned char *k, unsigned char domainsep) +{ + gift128b_key_schedule_t ks; + unsigned char V[16]; + unsigned char T[16]; + unsigned char *mtemp; + unsigned long len; + + /* Bail out if the ciphertext is too short */ + if (clen < SUNDAE_GIFT_TAG_SIZE) + return -1; + len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE; + + /* Set the key schedule */ + if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) + return -1; + + /* Decrypt the ciphertext to produce the plaintext, using the + * tag as the initialization vector for the decryption process */ + memcpy(T, c, SUNDAE_GIFT_TAG_SIZE); + c += SUNDAE_GIFT_TAG_SIZE; + mtemp = m; + memcpy(V, T, 16); + while (len >= 16) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(mtemp, c, V, 16); + c += 16; + mtemp += 16; + len -= 16; + } + if (len > 0) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(mtemp, c, V, (unsigned)len); + } + + /* Format and encrypt the initial domain separation block */ + if (adlen > 0) + domainsep |= 0x80; + if (clen > SUNDAE_GIFT_TAG_SIZE) + domainsep |= 0x40; + V[0] = domainsep; + memset(V + 1, 0, sizeof(V) - 1); + gift128b_encrypt(&ks, V, V); + + /* Authenticate the nonce and the associated data */ + sundae_gift_aead_mac(&ks, V, npub, npublen, ad, adlen); + + /* Authenticate the plaintext */ + sundae_gift_aead_mac(&ks, V, 0, 0, m, *mlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, T, V, 16); +} + +int sundae_gift_0_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + (void)npub; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, 0, 0, k, 0x00); +} + +int sundae_gift_0_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + (void)npub; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, 0, 0, k, 0x00); +} + +int sundae_gift_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); +} + +int sundae_gift_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); +} + +int sundae_gift_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); +} + +int sundae_gift_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); +} + +int sundae_gift_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); +} + +int sundae_gift_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.h new file mode 100644 index 0000000..9040dd5 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.h @@ -0,0 +1,341 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SUNDAE_GIFT_H +#define LWCRYPTO_SUNDAE_GIFT_H + +#include "aead-common.h" + +/** + * \file sundae-gift.h + * \brief SUNDAE-GIFT encryption algorithm family. + * + * The SUNDAE-GIFT family consists of several related algorithms: + * + * \li SUNDAE-GIFT-0 with a 128-bit key, a 0-bit nonce, and 128-bit tag. + * \li SUNDAE-GIFT-64 with a 128-bit key, a 64-bit nonce, and 128-bit tag. + * \li SUNDAE-GIFT-96 with a 128-bit key, a 96-bit nonce, and 128-bit tag. + * This is the primary member of the family. + * \li SUNDAE-GIFT-128 with a 128-bit key, a 128-bit nonce, and 128-bit tag. + * + * SUNDAE-GIFT is resistant against nonce reuse as long as the combination + * of the associated data and plaintext is unique. + * + * If a nonce is reused (or there is no nonce in the case of SUNDAE-GIFT-0), + * then two packets with the same associated data and plaintext will encrypt + * to the same ciphertext. This will leak that the same plaintext has been + * sent for a second time but will not reveal the plaintext itself. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SUNDAE-GIFT family members. + */ +#define SUNDAE_GIFT_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all SUNDAE-GIFT family members. + */ +#define SUNDAE_GIFT_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-0. + */ +#define SUNDAE_GIFT_0_NONCE_SIZE 0 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-64. + */ +#define SUNDAE_GIFT_64_NONCE_SIZE 8 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-96. + */ +#define SUNDAE_GIFT_96_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-128. + */ +#define SUNDAE_GIFT_128_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the SUNDAE-GIFT-0 cipher. + */ +extern aead_cipher_t const sundae_gift_0_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-64 cipher. + */ +extern aead_cipher_t const sundae_gift_64_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-96 cipher. + */ +extern aead_cipher_t const sundae_gift_96_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-128 cipher. + */ +extern aead_cipher_t const sundae_gift_128_cipher; + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-0. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce - not used by this algorithm. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_0_aead_decrypt() + */ +int sundae_gift_0_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-0. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce - not used by this algorithm. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_0_aead_encrypt() + */ +int sundae_gift_0_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-64. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_64_aead_decrypt() + */ +int sundae_gift_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-64. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_64_aead_encrypt() + */ +int sundae_gift_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-96. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_96_aead_decrypt() + */ +int sundae_gift_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-96. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_96_aead_encrypt() + */ +int sundae_gift_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_128_aead_decrypt() + */ +int sundae_gift_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-12896. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_128_aead_encrypt() + */ +int sundae_gift_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/api.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/encrypt.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/encrypt.c new file mode 100644 index 0000000..b177c18 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "sundae-gift.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return sundae_gift_128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return sundae_gift_128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.c new file mode 100644 index 0000000..681dbc8 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.c @@ -0,0 +1,849 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gift128.h" +#include "internal-util.h" + +/* Round constants for GIFT-128 in the fixsliced representation */ +static uint32_t const GIFT128_RC[40] = { + 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, + 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, + 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, + 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, + 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, + 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, + 0xc001a000, 0x14500002, 0x01020181, 0x8000001a +}; + +/** + * \brief Swaps bits within two words. + * + * \param a The first word. + * \param b The second word. + * \param mask Mask for the bits to shift. + * \param shift Shift amount in bits. + */ +#define gift128b_swap_move(a, b, mask, shift) \ + do { \ + uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ + (b) ^= tmp; \ + (a) ^= tmp << (shift); \ + } while (0) + +/** + * \brief Derives the next 10 fixsliced keys in the key schedule. + * + * \param next Points to the buffer to receive the next 10 keys. + * \param prev Points to the buffer holding the previous 10 keys. + * + * The \a next and \a prev buffers are allowed to be the same. + */ +#define gift128b_derive_keys(next, prev) \ + do { \ + /* Key 0 */ \ + uint32_t s = (prev)[0]; \ + uint32_t t = (prev)[1]; \ + gift128b_swap_move(t, t, 0x00003333U, 16); \ + gift128b_swap_move(t, t, 0x55554444U, 1); \ + (next)[0] = t; \ + /* Key 1 */ \ + s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ + gift128b_swap_move(s, s, 0x55551100U, 1); \ + (next)[1] = s; \ + /* Key 2 */ \ + s = (prev)[2]; \ + t = (prev)[3]; \ + (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ + ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ + /* Key 3 */ \ + (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ + ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ + /* Key 4 */ \ + s = (prev)[4]; \ + t = (prev)[5]; \ + (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ + leftRotate16(t & 0x55555555U); \ + /* Key 5 */ \ + (next)[5] = leftRotate8(s & 0x55555555U) | \ + leftRotate12(s & 0xAAAAAAAAU); \ + /* Key 6 */ \ + s = (prev)[6]; \ + t = (prev)[7]; \ + (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ + ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ + /* Key 7 */ \ + (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ + ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ + ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ + /* Key 8 */ \ + s = (prev)[8]; \ + t = (prev)[9]; \ + (next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ + ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ + /* Key 9 */ \ + (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ + ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ + } while (0) + +/** + * \brief Compute the round keys for GIFT-128 in the fixsliced representation. + * + * \param ks Points to the key schedule to initialize. + * \param k0 First key word. + * \param k1 Second key word. + * \param k2 Third key word. + * \param k3 Fourth key word. + */ +static void gift128b_compute_round_keys + (gift128b_key_schedule_t *ks, + uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) +{ + unsigned index; + uint32_t temp; + + /* Set the regular key with k0 and k3 pre-swapped for the round function */ + ks->k[0] = k3; + ks->k[1] = k1; + ks->k[2] = k2; + ks->k[3] = k0; + + /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ + for (index = 4; index < 20; index += 2) { + ks->k[index] = ks->k[index - 3]; + temp = ks->k[index - 4]; + temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + ks->k[index + 1] = temp; + } + for (index = 0; index < 20; index += 10) { + /* Keys 0 and 10 */ + temp = ks->k[index]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index] = temp; + + /* Keys 1 and 11 */ + temp = ks->k[index + 1]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 1] = temp; + + /* Keys 2 and 12 */ + temp = ks->k[index + 2]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 2] = temp; + + /* Keys 3 and 13 */ + temp = ks->k[index + 3]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 3] = temp; + + /* Keys 4 and 14 */ + temp = ks->k[index + 4]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 4] = temp; + + /* Keys 5 and 15 */ + temp = ks->k[index + 5]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 5] = temp; + + /* Keys 6 and 16 */ + temp = ks->k[index + 6]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 6] = temp; + + /* Keys 7 and 17 */ + temp = ks->k[index + 7]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 7] = temp; + + /* Keys 8, 9, 18, and 19 do not need any adjustment */ + } + + /* Derive the fixsliced keys for the remaining rounds 11..40 */ + for (index = 20; index < 80; index += 10) { + gift128b_derive_keys(ks->k + index, ks->k + index - 20); + } +} + +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, be_load_word32(key), be_load_word32(key + 4), + be_load_word32(key + 8), be_load_word32(key + 12)); + return 1; +} + +/** + * \brief Performs the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_sbox(s0, s1, s2, s3) \ + do { \ + s1 ^= s0 & s2; \ + s0 ^= s1 & s3; \ + s2 ^= s0 | s1; \ + s3 ^= s2; \ + s1 ^= s3; \ + s3 ^= 0xFFFFFFFFU; \ + s2 ^= s0 & s1; \ + } while (0) + +/** + * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_sbox(s0, s1, s2, s3) \ + do { \ + s2 ^= s3 & s1; \ + s0 ^= 0xFFFFFFFFU; \ + s1 ^= s0; \ + s0 ^= s2; \ + s2 ^= s3 | s1; \ + s3 ^= s1 & s0; \ + s1 ^= s3 & s2; \ + } while (0) + +/** + * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ + s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s3 = leftRotate16(s3); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = rightRotate8(s2); \ + s3 = leftRotate8(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ + s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + s3 = leftRotate16(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = leftRotate8(s2); \ + s3 = rightRotate8(s3); \ + } while (0); + +/** + * \brief Performs five fixsliced encryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of five rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 5 rounds. + */ +#define gift128b_encrypt_5_rounds(rk, rc) \ + do { \ + /* 1st round - S-box, rotate left, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_1(s0, s1, s2, s3); \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + \ + /* 2nd round - S-box, rotate up, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_2(s0, s1, s2, s3); \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_3(s0, s1, s2, s3); \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + \ + /* 4th round - S-box, rotate left and swap rows, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_4(s0, s1, s2, s3); \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + \ + /* 5th round - S-box, rotate up, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_5(s0, s1, s2, s3); \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + \ + /* Swap s0 and s3 in preparation for the next 1st round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + } while (0) + +/** + * \brief Performs five fixsliced decryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + */ +#define gift128b_decrypt_5_rounds(rk, rc) \ + do { \ + /* Swap s0 and s3 in preparation for the next 5th round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + \ + /* 5th round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + gift128b_inv_permute_state_5(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 4th round - S-box, rotate right and swap rows, add round key */ \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + gift128b_inv_permute_state_4(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + gift128b_inv_permute_state_3(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 2nd round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + gift128b_inv_permute_state_2(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 1st round - S-box, rotate right, add round key */ \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + gift128b_inv_permute_state_1(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + } while (0) + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + /* Use the little-endian key byte order from the HYENA submission */ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); + return 1; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +/* 4-bit tweak values expanded to 32-bit */ +static uint32_t const GIFT128_tweaks[16] = { + 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, + 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, + 0x78787878, 0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, + 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff +}; + +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the ciphertext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the first we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the plaintext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.h new file mode 100644 index 0000000..1ac40e5 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.h @@ -0,0 +1,229 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT128_H +#define LW_INTERNAL_GIFT128_H + +/** + * \file internal-gift128.h + * \brief GIFT-128 block cipher. + * + * There are three versions of GIFT-128 in use within the second round + * submissions to the NIST lightweight cryptography competition. + * + * The most efficient version for 32-bit software implementation is the + * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. + * + * The second is the nibble-based version from HYENA. We implement the + * HYENA version as a wrapper around the bit-sliced version. + * + * The third version is a variant on the HYENA nibble-based version that + * includes a 4-bit tweak value for domain separation. It is used by + * the ESTATE submission to NIST. + * + * Technically there is a fourth version of GIFT-128 which is the one that + * appeared in the original GIFT-128 paper. It is almost the same as the + * HYENA version except that the byte ordering is big-endian instead of + * HYENA's little-endian. The original version of GIFT-128 doesn't appear + * in any of the NIST submissions so we don't bother with it in this library. + * + * References: https://eprint.iacr.org/2017/622.pdf, + * https://giftcipher.github.io/gift/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a GIFT-128 block in bytes. + */ +#define GIFT128_BLOCK_SIZE 16 + +/** + * \brief Number of round keys for the fixsliced representation of GIFT-128. + */ +#define GIFT128_ROUND_KEYS 80 + +/** + * \brief Structure of the key schedule for GIFT-128 (bit-sliced). + */ +typedef struct +{ + /** Pre-computed round keys in the fixsliced form */ + uint32_t k[GIFT128_ROUND_KEYS]; + +} gift128b_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (bit-sliced). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version assumes that the input has already been pre-loaded from + * big-endian into host byte order in the supplied word array. The output + * is delivered in the same way. + */ +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Structure of the key schedule for GIFT-128 (nibble-based). + */ +typedef gift128b_key_schedule_t gift128n_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (nibble-based). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +/** + * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.c new file mode 100644 index 0000000..984a4db --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.c @@ -0,0 +1,358 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "sundae-gift.h" +#include "internal-gift128.h" +#include "internal-util.h" +#include + +aead_cipher_t const sundae_gift_0_cipher = { + "SUNDAE-GIFT-0", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_0_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_0_aead_encrypt, + sundae_gift_0_aead_decrypt +}; + +aead_cipher_t const sundae_gift_64_cipher = { + "SUNDAE-GIFT-64", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_64_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_64_aead_encrypt, + sundae_gift_64_aead_decrypt +}; + +aead_cipher_t const sundae_gift_96_cipher = { + "SUNDAE-GIFT-96", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_96_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_96_aead_encrypt, + sundae_gift_96_aead_decrypt +}; + +aead_cipher_t const sundae_gift_128_cipher = { + "SUNDAE-GIFT-128", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_128_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_128_aead_encrypt, + sundae_gift_128_aead_decrypt +}; + +/* Multiply a block value by 2 in the special byte field */ +STATIC_INLINE void sundae_gift_multiply(unsigned char B[16]) +{ + unsigned char B0 = B[0]; + unsigned index; + for (index = 0; index < 15; ++index) + B[index] = B[index + 1]; + B[15] = B0; + B[10] ^= B0; + B[12] ^= B0; + B[14] ^= B0; +} + +/* Compute a MAC over the concatenation of two data buffers */ +static void sundae_gift_aead_mac + (const gift128b_key_schedule_t *ks, unsigned char V[16], + const unsigned char *data1, unsigned data1len, + const unsigned char *data2, unsigned long data2len) +{ + unsigned len; + + /* Nothing to do if the input is empty */ + if (!data1len && !data2len) + return; + + /* Format the first block. We assume that data1len <= 16 + * as it is will be the nonce if it is non-zero in length */ + lw_xor_block(V, data1, data1len); + len = 16 - data1len; + if (len > data2len) + len = (unsigned)data2len; + lw_xor_block(V + data1len, data2, len); + data2 += len; + data2len -= len; + len += data1len; + + /* Process as many full blocks as we can, except the last */ + while (data2len > 0) { + gift128b_encrypt(ks, V, V); + len = 16; + if (len > data2len) + len = (unsigned)data2len; + lw_xor_block(V, data2, len); + data2 += len; + data2len -= len; + } + + /* Pad and process the last block */ + if (len < 16) { + V[len] ^= 0x80; + sundae_gift_multiply(V); + gift128b_encrypt(ks, V, V); + } else { + sundae_gift_multiply(V); + sundae_gift_multiply(V); + gift128b_encrypt(ks, V, V); + } +} + +static int sundae_gift_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, unsigned npublen, + const unsigned char *k, unsigned char domainsep) +{ + gift128b_key_schedule_t ks; + unsigned char V[16]; + unsigned char T[16]; + unsigned char P[16]; + + /* Compute the length of the output ciphertext */ + *clen = mlen + SUNDAE_GIFT_TAG_SIZE; + + /* Set the key schedule */ + if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) + return -1; + + /* Format and encrypt the initial domain separation block */ + if (adlen > 0) + domainsep |= 0x80; + if (mlen > 0) + domainsep |= 0x40; + V[0] = domainsep; + memset(V + 1, 0, sizeof(V) - 1); + gift128b_encrypt(&ks, T, V); + + /* Authenticate the nonce and the associated data */ + sundae_gift_aead_mac(&ks, T, npub, npublen, ad, adlen); + + /* Authenticate the plaintext */ + sundae_gift_aead_mac(&ks, T, 0, 0, m, mlen); + + /* Encrypt the plaintext to produce the ciphertext. We need to be + * careful how we manage the data because we could be doing in-place + * encryption. In SUNDAE-GIFT, the first 16 bytes of the ciphertext + * is the tag rather than the last 16 bytes in other algorithms. + * We need to swap the plaintext for the current block with the + * ciphertext or tag from the previous block */ + memcpy(V, T, 16); + while (mlen >= 16) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(P, V, m, 16); + memcpy(c, T, 16); + memcpy(T, P, 16); + c += 16; + m += 16; + mlen -= 16; + } + if (mlen > 0) { + unsigned leftover = (unsigned)mlen; + gift128b_encrypt(&ks, V, V); + lw_xor_block(V, m, leftover); + memcpy(c, T, 16); + memcpy(c + 16, V, leftover); + } else { + memcpy(c, T, 16); + } + return 0; +} + +static int sundae_gift_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, unsigned npublen, + const unsigned char *k, unsigned char domainsep) +{ + gift128b_key_schedule_t ks; + unsigned char V[16]; + unsigned char T[16]; + unsigned char *mtemp; + unsigned long len; + + /* Bail out if the ciphertext is too short */ + if (clen < SUNDAE_GIFT_TAG_SIZE) + return -1; + len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE; + + /* Set the key schedule */ + if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) + return -1; + + /* Decrypt the ciphertext to produce the plaintext, using the + * tag as the initialization vector for the decryption process */ + memcpy(T, c, SUNDAE_GIFT_TAG_SIZE); + c += SUNDAE_GIFT_TAG_SIZE; + mtemp = m; + memcpy(V, T, 16); + while (len >= 16) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(mtemp, c, V, 16); + c += 16; + mtemp += 16; + len -= 16; + } + if (len > 0) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(mtemp, c, V, (unsigned)len); + } + + /* Format and encrypt the initial domain separation block */ + if (adlen > 0) + domainsep |= 0x80; + if (clen > SUNDAE_GIFT_TAG_SIZE) + domainsep |= 0x40; + V[0] = domainsep; + memset(V + 1, 0, sizeof(V) - 1); + gift128b_encrypt(&ks, V, V); + + /* Authenticate the nonce and the associated data */ + sundae_gift_aead_mac(&ks, V, npub, npublen, ad, adlen); + + /* Authenticate the plaintext */ + sundae_gift_aead_mac(&ks, V, 0, 0, m, *mlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, T, V, 16); +} + +int sundae_gift_0_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + (void)npub; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, 0, 0, k, 0x00); +} + +int sundae_gift_0_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + (void)npub; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, 0, 0, k, 0x00); +} + +int sundae_gift_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); +} + +int sundae_gift_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); +} + +int sundae_gift_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); +} + +int sundae_gift_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); +} + +int sundae_gift_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); +} + +int sundae_gift_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.h new file mode 100644 index 0000000..9040dd5 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.h @@ -0,0 +1,341 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SUNDAE_GIFT_H +#define LWCRYPTO_SUNDAE_GIFT_H + +#include "aead-common.h" + +/** + * \file sundae-gift.h + * \brief SUNDAE-GIFT encryption algorithm family. + * + * The SUNDAE-GIFT family consists of several related algorithms: + * + * \li SUNDAE-GIFT-0 with a 128-bit key, a 0-bit nonce, and 128-bit tag. + * \li SUNDAE-GIFT-64 with a 128-bit key, a 64-bit nonce, and 128-bit tag. + * \li SUNDAE-GIFT-96 with a 128-bit key, a 96-bit nonce, and 128-bit tag. + * This is the primary member of the family. + * \li SUNDAE-GIFT-128 with a 128-bit key, a 128-bit nonce, and 128-bit tag. + * + * SUNDAE-GIFT is resistant against nonce reuse as long as the combination + * of the associated data and plaintext is unique. + * + * If a nonce is reused (or there is no nonce in the case of SUNDAE-GIFT-0), + * then two packets with the same associated data and plaintext will encrypt + * to the same ciphertext. This will leak that the same plaintext has been + * sent for a second time but will not reveal the plaintext itself. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SUNDAE-GIFT family members. + */ +#define SUNDAE_GIFT_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all SUNDAE-GIFT family members. + */ +#define SUNDAE_GIFT_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-0. + */ +#define SUNDAE_GIFT_0_NONCE_SIZE 0 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-64. + */ +#define SUNDAE_GIFT_64_NONCE_SIZE 8 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-96. + */ +#define SUNDAE_GIFT_96_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-128. + */ +#define SUNDAE_GIFT_128_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the SUNDAE-GIFT-0 cipher. + */ +extern aead_cipher_t const sundae_gift_0_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-64 cipher. + */ +extern aead_cipher_t const sundae_gift_64_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-96 cipher. + */ +extern aead_cipher_t const sundae_gift_96_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-128 cipher. + */ +extern aead_cipher_t const sundae_gift_128_cipher; + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-0. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce - not used by this algorithm. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_0_aead_decrypt() + */ +int sundae_gift_0_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-0. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce - not used by this algorithm. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_0_aead_encrypt() + */ +int sundae_gift_0_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-64. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_64_aead_decrypt() + */ +int sundae_gift_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-64. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_64_aead_encrypt() + */ +int sundae_gift_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-96. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_96_aead_decrypt() + */ +int sundae_gift_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-96. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_96_aead_encrypt() + */ +int sundae_gift_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_128_aead_decrypt() + */ +int sundae_gift_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-12896. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_128_aead_encrypt() + */ +int sundae_gift_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/api.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/api.h new file mode 100644 index 0000000..6656888 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 8 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/encrypt.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/encrypt.c new file mode 100644 index 0000000..c6f2a7d --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "sundae-gift.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return sundae_gift_64_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return sundae_gift_64_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.c new file mode 100644 index 0000000..681dbc8 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.c @@ -0,0 +1,849 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gift128.h" +#include "internal-util.h" + +/* Round constants for GIFT-128 in the fixsliced representation */ +static uint32_t const GIFT128_RC[40] = { + 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, + 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, + 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, + 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, + 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, + 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, + 0xc001a000, 0x14500002, 0x01020181, 0x8000001a +}; + +/** + * \brief Swaps bits within two words. + * + * \param a The first word. + * \param b The second word. + * \param mask Mask for the bits to shift. + * \param shift Shift amount in bits. + */ +#define gift128b_swap_move(a, b, mask, shift) \ + do { \ + uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ + (b) ^= tmp; \ + (a) ^= tmp << (shift); \ + } while (0) + +/** + * \brief Derives the next 10 fixsliced keys in the key schedule. + * + * \param next Points to the buffer to receive the next 10 keys. + * \param prev Points to the buffer holding the previous 10 keys. + * + * The \a next and \a prev buffers are allowed to be the same. + */ +#define gift128b_derive_keys(next, prev) \ + do { \ + /* Key 0 */ \ + uint32_t s = (prev)[0]; \ + uint32_t t = (prev)[1]; \ + gift128b_swap_move(t, t, 0x00003333U, 16); \ + gift128b_swap_move(t, t, 0x55554444U, 1); \ + (next)[0] = t; \ + /* Key 1 */ \ + s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ + gift128b_swap_move(s, s, 0x55551100U, 1); \ + (next)[1] = s; \ + /* Key 2 */ \ + s = (prev)[2]; \ + t = (prev)[3]; \ + (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ + ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ + /* Key 3 */ \ + (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ + ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ + /* Key 4 */ \ + s = (prev)[4]; \ + t = (prev)[5]; \ + (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ + leftRotate16(t & 0x55555555U); \ + /* Key 5 */ \ + (next)[5] = leftRotate8(s & 0x55555555U) | \ + leftRotate12(s & 0xAAAAAAAAU); \ + /* Key 6 */ \ + s = (prev)[6]; \ + t = (prev)[7]; \ + (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ + ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ + /* Key 7 */ \ + (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ + ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ + ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ + /* Key 8 */ \ + s = (prev)[8]; \ + t = (prev)[9]; \ + (next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ + ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ + /* Key 9 */ \ + (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ + ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ + } while (0) + +/** + * \brief Compute the round keys for GIFT-128 in the fixsliced representation. + * + * \param ks Points to the key schedule to initialize. + * \param k0 First key word. + * \param k1 Second key word. + * \param k2 Third key word. + * \param k3 Fourth key word. + */ +static void gift128b_compute_round_keys + (gift128b_key_schedule_t *ks, + uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) +{ + unsigned index; + uint32_t temp; + + /* Set the regular key with k0 and k3 pre-swapped for the round function */ + ks->k[0] = k3; + ks->k[1] = k1; + ks->k[2] = k2; + ks->k[3] = k0; + + /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ + for (index = 4; index < 20; index += 2) { + ks->k[index] = ks->k[index - 3]; + temp = ks->k[index - 4]; + temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + ks->k[index + 1] = temp; + } + for (index = 0; index < 20; index += 10) { + /* Keys 0 and 10 */ + temp = ks->k[index]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index] = temp; + + /* Keys 1 and 11 */ + temp = ks->k[index + 1]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 1] = temp; + + /* Keys 2 and 12 */ + temp = ks->k[index + 2]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 2] = temp; + + /* Keys 3 and 13 */ + temp = ks->k[index + 3]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 3] = temp; + + /* Keys 4 and 14 */ + temp = ks->k[index + 4]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 4] = temp; + + /* Keys 5 and 15 */ + temp = ks->k[index + 5]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 5] = temp; + + /* Keys 6 and 16 */ + temp = ks->k[index + 6]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 6] = temp; + + /* Keys 7 and 17 */ + temp = ks->k[index + 7]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 7] = temp; + + /* Keys 8, 9, 18, and 19 do not need any adjustment */ + } + + /* Derive the fixsliced keys for the remaining rounds 11..40 */ + for (index = 20; index < 80; index += 10) { + gift128b_derive_keys(ks->k + index, ks->k + index - 20); + } +} + +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, be_load_word32(key), be_load_word32(key + 4), + be_load_word32(key + 8), be_load_word32(key + 12)); + return 1; +} + +/** + * \brief Performs the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_sbox(s0, s1, s2, s3) \ + do { \ + s1 ^= s0 & s2; \ + s0 ^= s1 & s3; \ + s2 ^= s0 | s1; \ + s3 ^= s2; \ + s1 ^= s3; \ + s3 ^= 0xFFFFFFFFU; \ + s2 ^= s0 & s1; \ + } while (0) + +/** + * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_sbox(s0, s1, s2, s3) \ + do { \ + s2 ^= s3 & s1; \ + s0 ^= 0xFFFFFFFFU; \ + s1 ^= s0; \ + s0 ^= s2; \ + s2 ^= s3 | s1; \ + s3 ^= s1 & s0; \ + s1 ^= s3 & s2; \ + } while (0) + +/** + * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ + s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s3 = leftRotate16(s3); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = rightRotate8(s2); \ + s3 = leftRotate8(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ + s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + s3 = leftRotate16(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = leftRotate8(s2); \ + s3 = rightRotate8(s3); \ + } while (0); + +/** + * \brief Performs five fixsliced encryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of five rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 5 rounds. + */ +#define gift128b_encrypt_5_rounds(rk, rc) \ + do { \ + /* 1st round - S-box, rotate left, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_1(s0, s1, s2, s3); \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + \ + /* 2nd round - S-box, rotate up, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_2(s0, s1, s2, s3); \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_3(s0, s1, s2, s3); \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + \ + /* 4th round - S-box, rotate left and swap rows, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_4(s0, s1, s2, s3); \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + \ + /* 5th round - S-box, rotate up, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_5(s0, s1, s2, s3); \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + \ + /* Swap s0 and s3 in preparation for the next 1st round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + } while (0) + +/** + * \brief Performs five fixsliced decryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + */ +#define gift128b_decrypt_5_rounds(rk, rc) \ + do { \ + /* Swap s0 and s3 in preparation for the next 5th round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + \ + /* 5th round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + gift128b_inv_permute_state_5(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 4th round - S-box, rotate right and swap rows, add round key */ \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + gift128b_inv_permute_state_4(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + gift128b_inv_permute_state_3(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 2nd round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + gift128b_inv_permute_state_2(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 1st round - S-box, rotate right, add round key */ \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + gift128b_inv_permute_state_1(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + } while (0) + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + /* Use the little-endian key byte order from the HYENA submission */ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); + return 1; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +/* 4-bit tweak values expanded to 32-bit */ +static uint32_t const GIFT128_tweaks[16] = { + 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, + 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, + 0x78787878, 0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, + 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff +}; + +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the ciphertext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the first we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the plaintext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.h new file mode 100644 index 0000000..1ac40e5 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.h @@ -0,0 +1,229 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT128_H +#define LW_INTERNAL_GIFT128_H + +/** + * \file internal-gift128.h + * \brief GIFT-128 block cipher. + * + * There are three versions of GIFT-128 in use within the second round + * submissions to the NIST lightweight cryptography competition. + * + * The most efficient version for 32-bit software implementation is the + * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. + * + * The second is the nibble-based version from HYENA. We implement the + * HYENA version as a wrapper around the bit-sliced version. + * + * The third version is a variant on the HYENA nibble-based version that + * includes a 4-bit tweak value for domain separation. It is used by + * the ESTATE submission to NIST. + * + * Technically there is a fourth version of GIFT-128 which is the one that + * appeared in the original GIFT-128 paper. It is almost the same as the + * HYENA version except that the byte ordering is big-endian instead of + * HYENA's little-endian. The original version of GIFT-128 doesn't appear + * in any of the NIST submissions so we don't bother with it in this library. + * + * References: https://eprint.iacr.org/2017/622.pdf, + * https://giftcipher.github.io/gift/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a GIFT-128 block in bytes. + */ +#define GIFT128_BLOCK_SIZE 16 + +/** + * \brief Number of round keys for the fixsliced representation of GIFT-128. + */ +#define GIFT128_ROUND_KEYS 80 + +/** + * \brief Structure of the key schedule for GIFT-128 (bit-sliced). + */ +typedef struct +{ + /** Pre-computed round keys in the fixsliced form */ + uint32_t k[GIFT128_ROUND_KEYS]; + +} gift128b_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (bit-sliced). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version assumes that the input has already been pre-loaded from + * big-endian into host byte order in the supplied word array. The output + * is delivered in the same way. + */ +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Structure of the key schedule for GIFT-128 (nibble-based). + */ +typedef gift128b_key_schedule_t gift128n_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (nibble-based). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +/** + * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.c new file mode 100644 index 0000000..984a4db --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.c @@ -0,0 +1,358 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "sundae-gift.h" +#include "internal-gift128.h" +#include "internal-util.h" +#include + +aead_cipher_t const sundae_gift_0_cipher = { + "SUNDAE-GIFT-0", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_0_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_0_aead_encrypt, + sundae_gift_0_aead_decrypt +}; + +aead_cipher_t const sundae_gift_64_cipher = { + "SUNDAE-GIFT-64", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_64_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_64_aead_encrypt, + sundae_gift_64_aead_decrypt +}; + +aead_cipher_t const sundae_gift_96_cipher = { + "SUNDAE-GIFT-96", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_96_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_96_aead_encrypt, + sundae_gift_96_aead_decrypt +}; + +aead_cipher_t const sundae_gift_128_cipher = { + "SUNDAE-GIFT-128", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_128_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_128_aead_encrypt, + sundae_gift_128_aead_decrypt +}; + +/* Multiply a block value by 2 in the special byte field */ +STATIC_INLINE void sundae_gift_multiply(unsigned char B[16]) +{ + unsigned char B0 = B[0]; + unsigned index; + for (index = 0; index < 15; ++index) + B[index] = B[index + 1]; + B[15] = B0; + B[10] ^= B0; + B[12] ^= B0; + B[14] ^= B0; +} + +/* Compute a MAC over the concatenation of two data buffers */ +static void sundae_gift_aead_mac + (const gift128b_key_schedule_t *ks, unsigned char V[16], + const unsigned char *data1, unsigned data1len, + const unsigned char *data2, unsigned long data2len) +{ + unsigned len; + + /* Nothing to do if the input is empty */ + if (!data1len && !data2len) + return; + + /* Format the first block. We assume that data1len <= 16 + * as it is will be the nonce if it is non-zero in length */ + lw_xor_block(V, data1, data1len); + len = 16 - data1len; + if (len > data2len) + len = (unsigned)data2len; + lw_xor_block(V + data1len, data2, len); + data2 += len; + data2len -= len; + len += data1len; + + /* Process as many full blocks as we can, except the last */ + while (data2len > 0) { + gift128b_encrypt(ks, V, V); + len = 16; + if (len > data2len) + len = (unsigned)data2len; + lw_xor_block(V, data2, len); + data2 += len; + data2len -= len; + } + + /* Pad and process the last block */ + if (len < 16) { + V[len] ^= 0x80; + sundae_gift_multiply(V); + gift128b_encrypt(ks, V, V); + } else { + sundae_gift_multiply(V); + sundae_gift_multiply(V); + gift128b_encrypt(ks, V, V); + } +} + +static int sundae_gift_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, unsigned npublen, + const unsigned char *k, unsigned char domainsep) +{ + gift128b_key_schedule_t ks; + unsigned char V[16]; + unsigned char T[16]; + unsigned char P[16]; + + /* Compute the length of the output ciphertext */ + *clen = mlen + SUNDAE_GIFT_TAG_SIZE; + + /* Set the key schedule */ + if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) + return -1; + + /* Format and encrypt the initial domain separation block */ + if (adlen > 0) + domainsep |= 0x80; + if (mlen > 0) + domainsep |= 0x40; + V[0] = domainsep; + memset(V + 1, 0, sizeof(V) - 1); + gift128b_encrypt(&ks, T, V); + + /* Authenticate the nonce and the associated data */ + sundae_gift_aead_mac(&ks, T, npub, npublen, ad, adlen); + + /* Authenticate the plaintext */ + sundae_gift_aead_mac(&ks, T, 0, 0, m, mlen); + + /* Encrypt the plaintext to produce the ciphertext. We need to be + * careful how we manage the data because we could be doing in-place + * encryption. In SUNDAE-GIFT, the first 16 bytes of the ciphertext + * is the tag rather than the last 16 bytes in other algorithms. + * We need to swap the plaintext for the current block with the + * ciphertext or tag from the previous block */ + memcpy(V, T, 16); + while (mlen >= 16) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(P, V, m, 16); + memcpy(c, T, 16); + memcpy(T, P, 16); + c += 16; + m += 16; + mlen -= 16; + } + if (mlen > 0) { + unsigned leftover = (unsigned)mlen; + gift128b_encrypt(&ks, V, V); + lw_xor_block(V, m, leftover); + memcpy(c, T, 16); + memcpy(c + 16, V, leftover); + } else { + memcpy(c, T, 16); + } + return 0; +} + +static int sundae_gift_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, unsigned npublen, + const unsigned char *k, unsigned char domainsep) +{ + gift128b_key_schedule_t ks; + unsigned char V[16]; + unsigned char T[16]; + unsigned char *mtemp; + unsigned long len; + + /* Bail out if the ciphertext is too short */ + if (clen < SUNDAE_GIFT_TAG_SIZE) + return -1; + len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE; + + /* Set the key schedule */ + if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) + return -1; + + /* Decrypt the ciphertext to produce the plaintext, using the + * tag as the initialization vector for the decryption process */ + memcpy(T, c, SUNDAE_GIFT_TAG_SIZE); + c += SUNDAE_GIFT_TAG_SIZE; + mtemp = m; + memcpy(V, T, 16); + while (len >= 16) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(mtemp, c, V, 16); + c += 16; + mtemp += 16; + len -= 16; + } + if (len > 0) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(mtemp, c, V, (unsigned)len); + } + + /* Format and encrypt the initial domain separation block */ + if (adlen > 0) + domainsep |= 0x80; + if (clen > SUNDAE_GIFT_TAG_SIZE) + domainsep |= 0x40; + V[0] = domainsep; + memset(V + 1, 0, sizeof(V) - 1); + gift128b_encrypt(&ks, V, V); + + /* Authenticate the nonce and the associated data */ + sundae_gift_aead_mac(&ks, V, npub, npublen, ad, adlen); + + /* Authenticate the plaintext */ + sundae_gift_aead_mac(&ks, V, 0, 0, m, *mlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, T, V, 16); +} + +int sundae_gift_0_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + (void)npub; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, 0, 0, k, 0x00); +} + +int sundae_gift_0_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + (void)npub; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, 0, 0, k, 0x00); +} + +int sundae_gift_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); +} + +int sundae_gift_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); +} + +int sundae_gift_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); +} + +int sundae_gift_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); +} + +int sundae_gift_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); +} + +int sundae_gift_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.h new file mode 100644 index 0000000..9040dd5 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.h @@ -0,0 +1,341 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SUNDAE_GIFT_H +#define LWCRYPTO_SUNDAE_GIFT_H + +#include "aead-common.h" + +/** + * \file sundae-gift.h + * \brief SUNDAE-GIFT encryption algorithm family. + * + * The SUNDAE-GIFT family consists of several related algorithms: + * + * \li SUNDAE-GIFT-0 with a 128-bit key, a 0-bit nonce, and 128-bit tag. + * \li SUNDAE-GIFT-64 with a 128-bit key, a 64-bit nonce, and 128-bit tag. + * \li SUNDAE-GIFT-96 with a 128-bit key, a 96-bit nonce, and 128-bit tag. + * This is the primary member of the family. + * \li SUNDAE-GIFT-128 with a 128-bit key, a 128-bit nonce, and 128-bit tag. + * + * SUNDAE-GIFT is resistant against nonce reuse as long as the combination + * of the associated data and plaintext is unique. + * + * If a nonce is reused (or there is no nonce in the case of SUNDAE-GIFT-0), + * then two packets with the same associated data and plaintext will encrypt + * to the same ciphertext. This will leak that the same plaintext has been + * sent for a second time but will not reveal the plaintext itself. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SUNDAE-GIFT family members. + */ +#define SUNDAE_GIFT_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all SUNDAE-GIFT family members. + */ +#define SUNDAE_GIFT_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-0. + */ +#define SUNDAE_GIFT_0_NONCE_SIZE 0 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-64. + */ +#define SUNDAE_GIFT_64_NONCE_SIZE 8 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-96. + */ +#define SUNDAE_GIFT_96_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-128. + */ +#define SUNDAE_GIFT_128_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the SUNDAE-GIFT-0 cipher. + */ +extern aead_cipher_t const sundae_gift_0_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-64 cipher. + */ +extern aead_cipher_t const sundae_gift_64_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-96 cipher. + */ +extern aead_cipher_t const sundae_gift_96_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-128 cipher. + */ +extern aead_cipher_t const sundae_gift_128_cipher; + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-0. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce - not used by this algorithm. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_0_aead_decrypt() + */ +int sundae_gift_0_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-0. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce - not used by this algorithm. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_0_aead_encrypt() + */ +int sundae_gift_0_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-64. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_64_aead_decrypt() + */ +int sundae_gift_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-64. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_64_aead_encrypt() + */ +int sundae_gift_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-96. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_96_aead_decrypt() + */ +int sundae_gift_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-96. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_96_aead_encrypt() + */ +int sundae_gift_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_128_aead_decrypt() + */ +int sundae_gift_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-12896. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_128_aead_encrypt() + */ +int sundae_gift_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/api.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/api.h new file mode 100644 index 0000000..c3c0a27 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/encrypt.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/encrypt.c new file mode 100644 index 0000000..a358142 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "sundae-gift.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return sundae_gift_96_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return sundae_gift_96_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.c new file mode 100644 index 0000000..681dbc8 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.c @@ -0,0 +1,849 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-gift128.h" +#include "internal-util.h" + +/* Round constants for GIFT-128 in the fixsliced representation */ +static uint32_t const GIFT128_RC[40] = { + 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, + 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, + 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, + 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, + 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, + 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, + 0xc001a000, 0x14500002, 0x01020181, 0x8000001a +}; + +/** + * \brief Swaps bits within two words. + * + * \param a The first word. + * \param b The second word. + * \param mask Mask for the bits to shift. + * \param shift Shift amount in bits. + */ +#define gift128b_swap_move(a, b, mask, shift) \ + do { \ + uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ + (b) ^= tmp; \ + (a) ^= tmp << (shift); \ + } while (0) + +/** + * \brief Derives the next 10 fixsliced keys in the key schedule. + * + * \param next Points to the buffer to receive the next 10 keys. + * \param prev Points to the buffer holding the previous 10 keys. + * + * The \a next and \a prev buffers are allowed to be the same. + */ +#define gift128b_derive_keys(next, prev) \ + do { \ + /* Key 0 */ \ + uint32_t s = (prev)[0]; \ + uint32_t t = (prev)[1]; \ + gift128b_swap_move(t, t, 0x00003333U, 16); \ + gift128b_swap_move(t, t, 0x55554444U, 1); \ + (next)[0] = t; \ + /* Key 1 */ \ + s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ + gift128b_swap_move(s, s, 0x55551100U, 1); \ + (next)[1] = s; \ + /* Key 2 */ \ + s = (prev)[2]; \ + t = (prev)[3]; \ + (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ + ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ + /* Key 3 */ \ + (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ + ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ + /* Key 4 */ \ + s = (prev)[4]; \ + t = (prev)[5]; \ + (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ + leftRotate16(t & 0x55555555U); \ + /* Key 5 */ \ + (next)[5] = leftRotate8(s & 0x55555555U) | \ + leftRotate12(s & 0xAAAAAAAAU); \ + /* Key 6 */ \ + s = (prev)[6]; \ + t = (prev)[7]; \ + (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ + ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ + /* Key 7 */ \ + (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ + ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ + ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ + /* Key 8 */ \ + s = (prev)[8]; \ + t = (prev)[9]; \ + (next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ + ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ + /* Key 9 */ \ + (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ + ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ + } while (0) + +/** + * \brief Compute the round keys for GIFT-128 in the fixsliced representation. + * + * \param ks Points to the key schedule to initialize. + * \param k0 First key word. + * \param k1 Second key word. + * \param k2 Third key word. + * \param k3 Fourth key word. + */ +static void gift128b_compute_round_keys + (gift128b_key_schedule_t *ks, + uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) +{ + unsigned index; + uint32_t temp; + + /* Set the regular key with k0 and k3 pre-swapped for the round function */ + ks->k[0] = k3; + ks->k[1] = k1; + ks->k[2] = k2; + ks->k[3] = k0; + + /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ + for (index = 4; index < 20; index += 2) { + ks->k[index] = ks->k[index - 3]; + temp = ks->k[index - 4]; + temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + ks->k[index + 1] = temp; + } + for (index = 0; index < 20; index += 10) { + /* Keys 0 and 10 */ + temp = ks->k[index]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index] = temp; + + /* Keys 1 and 11 */ + temp = ks->k[index + 1]; + gift128b_swap_move(temp, temp, 0x00550055U, 9); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 1] = temp; + + /* Keys 2 and 12 */ + temp = ks->k[index + 2]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 2] = temp; + + /* Keys 3 and 13 */ + temp = ks->k[index + 3]; + gift128b_swap_move(temp, temp, 0x11111111U, 3); + gift128b_swap_move(temp, temp, 0x03030303U, 6); + gift128b_swap_move(temp, temp, 0x000F000FU, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 3] = temp; + + /* Keys 4 and 14 */ + temp = ks->k[index + 4]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 4] = temp; + + /* Keys 5 and 15 */ + temp = ks->k[index + 5]; + gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); + gift128b_swap_move(temp, temp, 0x00003333U, 18); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 5] = temp; + + /* Keys 6 and 16 */ + temp = ks->k[index + 6]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 6] = temp; + + /* Keys 7 and 17 */ + temp = ks->k[index + 7]; + gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); + gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); + gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); + gift128b_swap_move(temp, temp, 0x000000FFU, 24); + ks->k[index + 7] = temp; + + /* Keys 8, 9, 18, and 19 do not need any adjustment */ + } + + /* Derive the fixsliced keys for the remaining rounds 11..40 */ + for (index = 20; index < 80; index += 10) { + gift128b_derive_keys(ks->k + index, ks->k + index - 20); + } +} + +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, be_load_word32(key), be_load_word32(key + 4), + be_load_word32(key + 8), be_load_word32(key + 12)); + return 1; +} + +/** + * \brief Performs the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_sbox(s0, s1, s2, s3) \ + do { \ + s1 ^= s0 & s2; \ + s0 ^= s1 & s3; \ + s2 ^= s0 | s1; \ + s3 ^= s2; \ + s1 ^= s3; \ + s3 ^= 0xFFFFFFFFU; \ + s2 ^= s0 & s1; \ + } while (0) + +/** + * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_sbox(s0, s1, s2, s3) \ + do { \ + s2 ^= s3 & s1; \ + s0 ^= 0xFFFFFFFFU; \ + s1 ^= s0; \ + s0 ^= s2; \ + s2 ^= s3 | s1; \ + s3 ^= s1 & s0; \ + s1 ^= s3 & s2; \ + } while (0) + +/** + * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ + s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s3 = leftRotate16(s3); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ + } while (0); + +/** + * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = rightRotate8(s2); \ + s3 = leftRotate8(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ + do { \ + s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ + s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ + s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ + s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ + s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ + do { \ + gift128b_swap_move(s1, s1, 0x55555555U, 1); \ + gift128b_swap_move(s2, s2, 0x00005555U, 1); \ + s2 = leftRotate16(s2); \ + gift128b_swap_move(s3, s3, 0x55550000U, 1); \ + s3 = leftRotate16(s3); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ + do { \ + s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ + s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ + s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ + } while (0); + +/** + * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. + * + * \param s0 First word of the bit-sliced state. + * \param s1 Second word of the bit-sliced state. + * \param s2 Third word of the bit-sliced state. + * \param s3 Fourth word of the bit-sliced state. + */ +#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ + do { \ + s1 = leftRotate16(s1); \ + s2 = leftRotate8(s2); \ + s3 = rightRotate8(s3); \ + } while (0); + +/** + * \brief Performs five fixsliced encryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + * + * The permutation is restructured so that one of the words each round + * does not need to be permuted, with the others rotating left, up, right, + * and down to keep the bits in line with their non-moving counterparts. + * This reduces the number of shifts required significantly. + * + * At the end of five rounds, the bit ordering will return to the + * original position. We then repeat the process for the next 5 rounds. + */ +#define gift128b_encrypt_5_rounds(rk, rc) \ + do { \ + /* 1st round - S-box, rotate left, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_1(s0, s1, s2, s3); \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + \ + /* 2nd round - S-box, rotate up, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_2(s0, s1, s2, s3); \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_3(s0, s1, s2, s3); \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + \ + /* 4th round - S-box, rotate left and swap rows, add round key */ \ + gift128b_sbox(s3, s1, s2, s0); \ + gift128b_permute_state_4(s0, s1, s2, s3); \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + \ + /* 5th round - S-box, rotate up, add round key */ \ + gift128b_sbox(s0, s1, s2, s3); \ + gift128b_permute_state_5(s0, s1, s2, s3); \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + \ + /* Swap s0 and s3 in preparation for the next 1st round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + } while (0) + +/** + * \brief Performs five fixsliced decryption rounds for GIFT-128. + * + * \param rk Points to the 10 round keys for these rounds. + * \param rc Points to the round constants for these rounds. + * + * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. + */ +#define gift128b_decrypt_5_rounds(rk, rc) \ + do { \ + /* Swap s0 and s3 in preparation for the next 5th round */ \ + s0 ^= s3; \ + s3 ^= s0; \ + s0 ^= s3; \ + \ + /* 5th round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[8]; \ + s2 ^= (rk)[9]; \ + s0 ^= (rc)[4]; \ + gift128b_inv_permute_state_5(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 4th round - S-box, rotate right and swap rows, add round key */ \ + s1 ^= (rk)[6]; \ + s2 ^= (rk)[7]; \ + s3 ^= (rc)[3]; \ + gift128b_inv_permute_state_4(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 3rd round - S-box, swap columns, add round key */ \ + s1 ^= (rk)[4]; \ + s2 ^= (rk)[5]; \ + s0 ^= (rc)[2]; \ + gift128b_inv_permute_state_3(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + \ + /* 2nd round - S-box, rotate down, add round key */ \ + s1 ^= (rk)[2]; \ + s2 ^= (rk)[3]; \ + s3 ^= (rc)[1]; \ + gift128b_inv_permute_state_2(s0, s1, s2, s3); \ + gift128b_inv_sbox(s0, s1, s2, s3); \ + \ + /* 1st round - S-box, rotate right, add round key */ \ + s1 ^= (rk)[0]; \ + s2 ^= (rk)[1]; \ + s0 ^= (rc)[0]; \ + gift128b_inv_permute_state_1(s0, s1, s2, s3); \ + gift128b_inv_sbox(s3, s1, s2, s0); \ + } while (0) + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; +} + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +{ + /* Use the little-endian key byte order from the HYENA submission */ + if (!ks || !key || key_len != 16) + return 0; + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); + return 1; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +/* 4-bit tweak values expanded to 32-bit */ +static uint32_t const GIFT128_tweaks[16] = { + 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, + 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, + 0x78787878, 0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, + 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff +}; + +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak) +{ + uint32_t s0, s1, s2, s3, tword; + + /* Copy the ciphertext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the first we add the tweak value to the state */ + tword = GIFT128_tweaks[tweak]; + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); + s0 ^= tword; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + + /* Pack the state into the plaintext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.h new file mode 100644 index 0000000..1ac40e5 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.h @@ -0,0 +1,229 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT128_H +#define LW_INTERNAL_GIFT128_H + +/** + * \file internal-gift128.h + * \brief GIFT-128 block cipher. + * + * There are three versions of GIFT-128 in use within the second round + * submissions to the NIST lightweight cryptography competition. + * + * The most efficient version for 32-bit software implementation is the + * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. + * + * The second is the nibble-based version from HYENA. We implement the + * HYENA version as a wrapper around the bit-sliced version. + * + * The third version is a variant on the HYENA nibble-based version that + * includes a 4-bit tweak value for domain separation. It is used by + * the ESTATE submission to NIST. + * + * Technically there is a fourth version of GIFT-128 which is the one that + * appeared in the original GIFT-128 paper. It is almost the same as the + * HYENA version except that the byte ordering is big-endian instead of + * HYENA's little-endian. The original version of GIFT-128 doesn't appear + * in any of the NIST submissions so we don't bother with it in this library. + * + * References: https://eprint.iacr.org/2017/622.pdf, + * https://giftcipher.github.io/gift/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of a GIFT-128 block in bytes. + */ +#define GIFT128_BLOCK_SIZE 16 + +/** + * \brief Number of round keys for the fixsliced representation of GIFT-128. + */ +#define GIFT128_ROUND_KEYS 80 + +/** + * \brief Structure of the key schedule for GIFT-128 (bit-sliced). + */ +typedef struct +{ + /** Pre-computed round keys in the fixsliced form */ + uint32_t k[GIFT128_ROUND_KEYS]; + +} gift128b_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (bit-sliced). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128b_init + (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version assumes that the input has already been pre-loaded from + * big-endian into host byte order in the supplied word array. The output + * is delivered in the same way. + */ +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Structure of the key schedule for GIFT-128 (nibble-based). + */ +typedef gift128b_key_schedule_t gift128n_key_schedule_t; + +/** + * \brief Initializes the key schedule for GIFT-128 (nibble-based). + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + * \param key_len Length of the key data, which must be 16. + * + * \return Non-zero on success or zero if there is something wrong + * with the parameters. + */ +int gift128n_init + (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); + +/** + * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +/** + * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * + * \param ks Points to the GIFT-128 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * \param tweak 4-bit tweak value. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This variant of GIFT-128 is used by the ESTATE submission to the + * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to + * some of the rounds to provide domain separation. If the tweak is + * zero, then this function is identical to gift128n_encrypt(). + */ +void gift128t_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, unsigned char tweak); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.c new file mode 100644 index 0000000..984a4db --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.c @@ -0,0 +1,358 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "sundae-gift.h" +#include "internal-gift128.h" +#include "internal-util.h" +#include + +aead_cipher_t const sundae_gift_0_cipher = { + "SUNDAE-GIFT-0", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_0_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_0_aead_encrypt, + sundae_gift_0_aead_decrypt +}; + +aead_cipher_t const sundae_gift_64_cipher = { + "SUNDAE-GIFT-64", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_64_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_64_aead_encrypt, + sundae_gift_64_aead_decrypt +}; + +aead_cipher_t const sundae_gift_96_cipher = { + "SUNDAE-GIFT-96", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_96_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_96_aead_encrypt, + sundae_gift_96_aead_decrypt +}; + +aead_cipher_t const sundae_gift_128_cipher = { + "SUNDAE-GIFT-128", + SUNDAE_GIFT_KEY_SIZE, + SUNDAE_GIFT_128_NONCE_SIZE, + SUNDAE_GIFT_TAG_SIZE, + AEAD_FLAG_NONE, + sundae_gift_128_aead_encrypt, + sundae_gift_128_aead_decrypt +}; + +/* Multiply a block value by 2 in the special byte field */ +STATIC_INLINE void sundae_gift_multiply(unsigned char B[16]) +{ + unsigned char B0 = B[0]; + unsigned index; + for (index = 0; index < 15; ++index) + B[index] = B[index + 1]; + B[15] = B0; + B[10] ^= B0; + B[12] ^= B0; + B[14] ^= B0; +} + +/* Compute a MAC over the concatenation of two data buffers */ +static void sundae_gift_aead_mac + (const gift128b_key_schedule_t *ks, unsigned char V[16], + const unsigned char *data1, unsigned data1len, + const unsigned char *data2, unsigned long data2len) +{ + unsigned len; + + /* Nothing to do if the input is empty */ + if (!data1len && !data2len) + return; + + /* Format the first block. We assume that data1len <= 16 + * as it is will be the nonce if it is non-zero in length */ + lw_xor_block(V, data1, data1len); + len = 16 - data1len; + if (len > data2len) + len = (unsigned)data2len; + lw_xor_block(V + data1len, data2, len); + data2 += len; + data2len -= len; + len += data1len; + + /* Process as many full blocks as we can, except the last */ + while (data2len > 0) { + gift128b_encrypt(ks, V, V); + len = 16; + if (len > data2len) + len = (unsigned)data2len; + lw_xor_block(V, data2, len); + data2 += len; + data2len -= len; + } + + /* Pad and process the last block */ + if (len < 16) { + V[len] ^= 0x80; + sundae_gift_multiply(V); + gift128b_encrypt(ks, V, V); + } else { + sundae_gift_multiply(V); + sundae_gift_multiply(V); + gift128b_encrypt(ks, V, V); + } +} + +static int sundae_gift_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, unsigned npublen, + const unsigned char *k, unsigned char domainsep) +{ + gift128b_key_schedule_t ks; + unsigned char V[16]; + unsigned char T[16]; + unsigned char P[16]; + + /* Compute the length of the output ciphertext */ + *clen = mlen + SUNDAE_GIFT_TAG_SIZE; + + /* Set the key schedule */ + if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) + return -1; + + /* Format and encrypt the initial domain separation block */ + if (adlen > 0) + domainsep |= 0x80; + if (mlen > 0) + domainsep |= 0x40; + V[0] = domainsep; + memset(V + 1, 0, sizeof(V) - 1); + gift128b_encrypt(&ks, T, V); + + /* Authenticate the nonce and the associated data */ + sundae_gift_aead_mac(&ks, T, npub, npublen, ad, adlen); + + /* Authenticate the plaintext */ + sundae_gift_aead_mac(&ks, T, 0, 0, m, mlen); + + /* Encrypt the plaintext to produce the ciphertext. We need to be + * careful how we manage the data because we could be doing in-place + * encryption. In SUNDAE-GIFT, the first 16 bytes of the ciphertext + * is the tag rather than the last 16 bytes in other algorithms. + * We need to swap the plaintext for the current block with the + * ciphertext or tag from the previous block */ + memcpy(V, T, 16); + while (mlen >= 16) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(P, V, m, 16); + memcpy(c, T, 16); + memcpy(T, P, 16); + c += 16; + m += 16; + mlen -= 16; + } + if (mlen > 0) { + unsigned leftover = (unsigned)mlen; + gift128b_encrypt(&ks, V, V); + lw_xor_block(V, m, leftover); + memcpy(c, T, 16); + memcpy(c + 16, V, leftover); + } else { + memcpy(c, T, 16); + } + return 0; +} + +static int sundae_gift_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, unsigned npublen, + const unsigned char *k, unsigned char domainsep) +{ + gift128b_key_schedule_t ks; + unsigned char V[16]; + unsigned char T[16]; + unsigned char *mtemp; + unsigned long len; + + /* Bail out if the ciphertext is too short */ + if (clen < SUNDAE_GIFT_TAG_SIZE) + return -1; + len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE; + + /* Set the key schedule */ + if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) + return -1; + + /* Decrypt the ciphertext to produce the plaintext, using the + * tag as the initialization vector for the decryption process */ + memcpy(T, c, SUNDAE_GIFT_TAG_SIZE); + c += SUNDAE_GIFT_TAG_SIZE; + mtemp = m; + memcpy(V, T, 16); + while (len >= 16) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(mtemp, c, V, 16); + c += 16; + mtemp += 16; + len -= 16; + } + if (len > 0) { + gift128b_encrypt(&ks, V, V); + lw_xor_block_2_src(mtemp, c, V, (unsigned)len); + } + + /* Format and encrypt the initial domain separation block */ + if (adlen > 0) + domainsep |= 0x80; + if (clen > SUNDAE_GIFT_TAG_SIZE) + domainsep |= 0x40; + V[0] = domainsep; + memset(V + 1, 0, sizeof(V) - 1); + gift128b_encrypt(&ks, V, V); + + /* Authenticate the nonce and the associated data */ + sundae_gift_aead_mac(&ks, V, npub, npublen, ad, adlen); + + /* Authenticate the plaintext */ + sundae_gift_aead_mac(&ks, V, 0, 0, m, *mlen); + + /* Check the authentication tag */ + return aead_check_tag(m, *mlen, T, V, 16); +} + +int sundae_gift_0_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + (void)npub; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, 0, 0, k, 0x00); +} + +int sundae_gift_0_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + (void)npub; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, 0, 0, k, 0x00); +} + +int sundae_gift_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); +} + +int sundae_gift_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); +} + +int sundae_gift_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); +} + +int sundae_gift_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); +} + +int sundae_gift_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_encrypt + (c, clen, m, mlen, ad, adlen, + npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); +} + +int sundae_gift_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + (void)nsec; + return sundae_gift_aead_decrypt + (m, mlen, c, clen, ad, adlen, + npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); +} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.h new file mode 100644 index 0000000..9040dd5 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.h @@ -0,0 +1,341 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_SUNDAE_GIFT_H +#define LWCRYPTO_SUNDAE_GIFT_H + +#include "aead-common.h" + +/** + * \file sundae-gift.h + * \brief SUNDAE-GIFT encryption algorithm family. + * + * The SUNDAE-GIFT family consists of several related algorithms: + * + * \li SUNDAE-GIFT-0 with a 128-bit key, a 0-bit nonce, and 128-bit tag. + * \li SUNDAE-GIFT-64 with a 128-bit key, a 64-bit nonce, and 128-bit tag. + * \li SUNDAE-GIFT-96 with a 128-bit key, a 96-bit nonce, and 128-bit tag. + * This is the primary member of the family. + * \li SUNDAE-GIFT-128 with a 128-bit key, a 128-bit nonce, and 128-bit tag. + * + * SUNDAE-GIFT is resistant against nonce reuse as long as the combination + * of the associated data and plaintext is unique. + * + * If a nonce is reused (or there is no nonce in the case of SUNDAE-GIFT-0), + * then two packets with the same associated data and plaintext will encrypt + * to the same ciphertext. This will leak that the same plaintext has been + * sent for a second time but will not reveal the plaintext itself. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for all SUNDAE-GIFT family members. + */ +#define SUNDAE_GIFT_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for all SUNDAE-GIFT family members. + */ +#define SUNDAE_GIFT_TAG_SIZE 16 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-0. + */ +#define SUNDAE_GIFT_0_NONCE_SIZE 0 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-64. + */ +#define SUNDAE_GIFT_64_NONCE_SIZE 8 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-96. + */ +#define SUNDAE_GIFT_96_NONCE_SIZE 12 + +/** + * \brief Size of the nonce for SUNDAE-GIFT-128. + */ +#define SUNDAE_GIFT_128_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the SUNDAE-GIFT-0 cipher. + */ +extern aead_cipher_t const sundae_gift_0_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-64 cipher. + */ +extern aead_cipher_t const sundae_gift_64_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-96 cipher. + */ +extern aead_cipher_t const sundae_gift_96_cipher; + +/** + * \brief Meta-information block for the SUNDAE-GIFT-128 cipher. + */ +extern aead_cipher_t const sundae_gift_128_cipher; + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-0. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce - not used by this algorithm. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_0_aead_decrypt() + */ +int sundae_gift_0_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-0. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce - not used by this algorithm. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_0_aead_encrypt() + */ +int sundae_gift_0_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-64. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_64_aead_decrypt() + */ +int sundae_gift_64_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-64. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 8 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_64_aead_encrypt() + */ +int sundae_gift_64_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-96. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_96_aead_decrypt() + */ +int sundae_gift_96_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-96. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_96_aead_encrypt() + */ +int sundae_gift_96_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa sundae_gift_128_aead_decrypt() + */ +int sundae_gift_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-12896. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa sundae_gift_128_aead_encrypt() + */ +int sundae_gift_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.c b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/api.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/api.h new file mode 100644 index 0000000..32c9622 --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/encrypt.c b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/encrypt.c new file mode 100644 index 0000000..832ac67 --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "tinyjambu.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return tiny_jambu_128_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return tiny_jambu_128_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.c new file mode 100644 index 0000000..7308718 --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.c @@ -0,0 +1,66 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-tinyjambu.h" + +void tiny_jambu_permutation + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds) +{ + uint32_t t1, t2, t3, t4; + unsigned round; + + /* Load the state into local variables */ + uint32_t s0 = state[0]; + uint32_t s1 = state[1]; + uint32_t s2 = state[2]; + uint32_t s3 = state[3]; + + /* Perform all permutation rounds. Each round consists of 128 steps, + * which can be performed 32 at a time plus a rotation. After four + * sets of 32 steps, the rotation order returns to the original position. + * So we can hide the rotations by doing 128 steps each round */ + for (round = 0; round < rounds; ++round) { + /* Get the key words to use during this round */ + const uint32_t *k = &(key[(round * 4) % key_words]); + + /* Perform the 128 steps of this round in groups of 32 */ + #define tiny_jambu_steps_32(s0, s1, s2, s3, offset) \ + do { \ + t1 = (s1 >> 15) | (s2 << 17); \ + t2 = (s2 >> 6) | (s3 << 26); \ + t3 = (s2 >> 21) | (s3 << 11); \ + t4 = (s2 >> 27) | (s3 << 5); \ + s0 ^= t1 ^ (~(t2 & t3)) ^ t4 ^ k[offset]; \ + } while (0) + tiny_jambu_steps_32(s0, s1, s2, s3, 0); + tiny_jambu_steps_32(s1, s2, s3, s0, 1); + tiny_jambu_steps_32(s2, s3, s0, s1, 2); + tiny_jambu_steps_32(s3, s0, s1, s2, 3); + } + + /* Store the local variables back to the state */ + state[0] = s0; + state[1] = s1; + state[2] = s2; + state[3] = s3; +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.h new file mode 100644 index 0000000..f3bc599 --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.h @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_TINYJAMBU_H +#define LW_INTERNAL_TINYJAMBU_H + +#include "internal-util.h" + +/** + * \file internal-tinyjambu.h + * \brief Internal implementation of the TinyJAMBU permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the TinyJAMBU state in 32-bit words. + */ +#define TINY_JAMBU_STATE_SIZE 4 + +/** + * \brief Converts a number of steps into a number of rounds, where each + * round consists of 128 steps. + * + * \param steps The number of steps to perform; 384, 1024, 1152, or 1280. + * + * \return The number of rounds corresponding to \a steps. + */ +#define TINYJAMBU_ROUNDS(steps) ((steps) / 128) + +/** + * \brief Perform the TinyJAMBU permutation. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform. + * + * The number of key words should be 4 for TinyJAMBU-128, 12 for TinyJAMBU-192, + * and 8 for TinuJAMBU-256. The TinyJAMBU-192 key is duplicated so that the + * \a key_words parameter is a multiple of 4. + */ +void tiny_jambu_permutation + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-util.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.c new file mode 100644 index 0000000..09fc41d --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.c @@ -0,0 +1,487 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "tinyjambu.h" +#include "internal-tinyjambu.h" +#include + +aead_cipher_t const tiny_jambu_128_cipher = { + "TinyJAMBU-128", + TINY_JAMBU_128_KEY_SIZE, + TINY_JAMBU_NONCE_SIZE, + TINY_JAMBU_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + tiny_jambu_128_aead_encrypt, + tiny_jambu_128_aead_decrypt +}; + +aead_cipher_t const tiny_jambu_192_cipher = { + "TinyJAMBU-192", + TINY_JAMBU_192_KEY_SIZE, + TINY_JAMBU_NONCE_SIZE, + TINY_JAMBU_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + tiny_jambu_192_aead_encrypt, + tiny_jambu_192_aead_decrypt +}; + +aead_cipher_t const tiny_jambu_256_cipher = { + "TinyJAMBU-256", + TINY_JAMBU_256_KEY_SIZE, + TINY_JAMBU_NONCE_SIZE, + TINY_JAMBU_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + tiny_jambu_256_aead_encrypt, + tiny_jambu_256_aead_decrypt +}; + +/** + * \brief Set up the TinyJAMBU state with the key and the nonce. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to absorb the key. + * \param nonce Points to the nonce. + * + * \sa tiny_jambu_permutation() + */ +static void tiny_jambu_setup + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, const unsigned char *nonce) +{ + /* Initialize the state with the key */ + memset(state, 0, TINY_JAMBU_STATE_SIZE * sizeof(uint32_t)); + tiny_jambu_permutation(state, key, key_words, rounds); + + /* Absorb the three 32-bit words of the 96-bit nonce */ + state[1] ^= 0x10; /* Domain separator for the nonce */ + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(nonce); + state[1] ^= 0x10; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(nonce + 4); + state[1] ^= 0x10; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(nonce + 8); +} + +/** + * \brief Processes the associated data for TinyJAMBU. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void tiny_jambu_process_ad + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, const unsigned char *ad, unsigned long long adlen) +{ + /* Process as many full 32-bit words as we can */ + while (adlen >= 4) { + state[1] ^= 0x30; /* Domain separator for associated data */ + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(ad); + ad += 4; + adlen -= 4; + } + + /* Handle the left-over associated data bytes, if any */ + if (adlen == 1) { + state[1] ^= 0x30; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= ad[0]; + state[1] ^= 0x01; + } else if (adlen == 2) { + state[1] ^= 0x30; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word16(ad); + state[1] ^= 0x02; + } else if (adlen == 3) { + state[1] ^= 0x30; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word16(ad) | (((uint32_t)(ad[2])) << 16); + state[1] ^= 0x03; + } +} + +/** + * \brief Encrypts the plaintext with TinyJAMBU to produce the ciphertext. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to process the plaintext. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Length of the plaintext in bytes. + */ +static void tiny_jambu_encrypt + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + uint32_t data; + + /* Process as many full 32-bit words as we can */ + while (mlen >= 4) { + state[1] ^= 0x50; /* Domain separator for message data */ + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word32(m); + state[3] ^= data; + data ^= state[2]; + le_store_word32(c, data); + c += 4; + m += 4; + mlen -= 4; + } + + /* Handle the left-over plaintext data bytes, if any */ + if (mlen == 1) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = m[0]; + state[3] ^= data; + state[1] ^= 0x01; + c[0] = (uint8_t)(state[2] ^ data); + } else if (mlen == 2) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word16(m); + state[3] ^= data; + state[1] ^= 0x02; + data ^= state[2]; + c[0] = (uint8_t)data; + c[1] = (uint8_t)(data >> 8); + } else if (mlen == 3) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word16(m) | (((uint32_t)(m[2])) << 16); + state[3] ^= data; + state[1] ^= 0x03; + data ^= state[2]; + c[0] = (uint8_t)data; + c[1] = (uint8_t)(data >> 8); + c[2] = (uint8_t)(data >> 16); + } +} + +/** + * \brief Decrypts the ciphertext with TinyJAMBU to produce the plaintext. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to process the ciphertext. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param mlen Length of the plaintext in bytes. + */ +static void tiny_jambu_decrypt + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + uint32_t data; + + /* Process as many full 32-bit words as we can */ + while (mlen >= 4) { + state[1] ^= 0x50; /* Domain separator for message data */ + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word32(c) ^ state[2]; + state[3] ^= data; + le_store_word32(m, data); + c += 4; + m += 4; + mlen -= 4; + } + + /* Handle the left-over ciphertext data bytes, if any */ + if (mlen == 1) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = (c[0] ^ state[2]) & 0xFFU; + state[3] ^= data; + state[1] ^= 0x01; + m[0] = (uint8_t)data; + } else if (mlen == 2) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = (le_load_word16(c) ^ state[2]) & 0xFFFFU; + state[3] ^= data; + state[1] ^= 0x02; + m[0] = (uint8_t)data; + m[1] = (uint8_t)(data >> 8); + } else if (mlen == 3) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word16(c) | (((uint32_t)(c[2])) << 16); + data = (data ^ state[2]) & 0xFFFFFFU; + state[3] ^= data; + state[1] ^= 0x03; + m[0] = (uint8_t)data; + m[1] = (uint8_t)(data >> 8); + m[2] = (uint8_t)(data >> 16); + } +} + +/** + * \brief Generates the final authentication tag for TinyJAMBU. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to generate the tag. + * \param tag Buffer to receive the tag. + */ +static void tiny_jambu_generate_tag + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, unsigned char *tag) +{ + state[1] ^= 0x70; /* Domain separator for finalization */ + tiny_jambu_permutation(state, key, key_words, rounds); + le_store_word32(tag, state[2]); + state[1] ^= 0x70; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + le_store_word32(tag + 4, state[2]); +} + +int tiny_jambu_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[4]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub); + tiny_jambu_process_ad(state, key, 4, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + tiny_jambu_encrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), c, m, mlen); + + /* Generate the authentication tag */ + tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), c + mlen); + return 0; +} + +int tiny_jambu_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[4]; + unsigned char tag[TINY_JAMBU_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < TINY_JAMBU_TAG_SIZE) + return -1; + *mlen = clen - TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub); + tiny_jambu_process_ad(state, key, 4, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + tiny_jambu_decrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), m, c, *mlen); + + /* Check the authentication tag */ + tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), tag); + return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); +} + +int tiny_jambu_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[12]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + TINY_JAMBU_TAG_SIZE; + + /* Unpack the key and duplicate it to make the length a multiple of 4 */ + key[6] = key[0] = le_load_word32(k); + key[7] = key[1] = le_load_word32(k + 4); + key[8] = key[2] = le_load_word32(k + 8); + key[9] = key[3] = le_load_word32(k + 12); + key[10] = key[4] = le_load_word32(k + 16); + key[11] = key[5] = le_load_word32(k + 20); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub); + tiny_jambu_process_ad(state, key, 12, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + tiny_jambu_encrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), c, m, mlen); + + /* Generate the authentication tag */ + tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), c + mlen); + return 0; +} + +int tiny_jambu_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[12]; + unsigned char tag[TINY_JAMBU_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < TINY_JAMBU_TAG_SIZE) + return -1; + *mlen = clen - TINY_JAMBU_TAG_SIZE; + + /* Unpack the key and duplicate it to make the length a multiple of 4 */ + key[6] = key[0] = le_load_word32(k); + key[7] = key[1] = le_load_word32(k + 4); + key[8] = key[2] = le_load_word32(k + 8); + key[9] = key[3] = le_load_word32(k + 12); + key[10] = key[4] = le_load_word32(k + 16); + key[11] = key[5] = le_load_word32(k + 20); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub); + tiny_jambu_process_ad(state, key, 12, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + tiny_jambu_decrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), m, c, *mlen); + + /* Check the authentication tag */ + tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), tag); + return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); +} + +int tiny_jambu_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[8]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + key[4] = le_load_word32(k + 16); + key[5] = le_load_word32(k + 20); + key[6] = le_load_word32(k + 24); + key[7] = le_load_word32(k + 28); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub); + tiny_jambu_process_ad(state, key, 8, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + tiny_jambu_encrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), c, m, mlen); + + /* Generate the authentication tag */ + tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), c + mlen); + return 0; +} + +int tiny_jambu_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[8]; + unsigned char tag[TINY_JAMBU_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < TINY_JAMBU_TAG_SIZE) + return -1; + *mlen = clen - TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + key[4] = le_load_word32(k + 16); + key[5] = le_load_word32(k + 20); + key[6] = le_load_word32(k + 24); + key[7] = le_load_word32(k + 28); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub); + tiny_jambu_process_ad(state, key, 8, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + tiny_jambu_decrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), m, c, *mlen); + + /* Check the authentication tag */ + tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), tag); + return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.h new file mode 100644 index 0000000..cb304ff --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/tinyjambu.h @@ -0,0 +1,270 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_TINYJAMBU_H +#define LWCRYPTO_TINYJAMBU_H + +#include "aead-common.h" + +/** + * \file tinyjambu.h + * \brief TinyJAMBU authenticated encryption algorithm. + * + * TinyJAMBU is a family of encryption algorithms that are built around a + * lightweight 128-bit permutation. There are three variants of TinyJAMBU + * with different key sizes: + * + * \li TinyJAMBU-128 with a 128-bit key, a 96-bit nonce, and a 64-bit tag. + * This is the primary member of the family. + * \li TinyJAMBU-192 with a 192-bit key, a 96-bit nonce, and a 64-bit tag. + * \li TinyJAMBU-256 with a 256-bit key, a 96-bit nonce, and a 64-bit tag. + * + * TinyJAMBU has one of the smallest RAM and flash memory footprints + * out of all the algorithms in this library. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for TinyJAMBU-128. + */ +#define TINY_JAMBU_128_KEY_SIZE 16 + +/** + * \brief Size of the key for TinyJAMBU-192. + */ +#define TINY_JAMBU_192_KEY_SIZE 24 + +/** + * \brief Size of the key for TinyJAMBU-256. + */ +#define TINY_JAMBU_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for all TinyJAMBU variants. + */ +#define TINY_JAMBU_TAG_SIZE 8 + +/** + * \brief Size of the nonce for all TinyJAMBU variants. + */ +#define TINY_JAMBU_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the TinyJAMBU-128 cipher. + */ +extern aead_cipher_t const tiny_jambu_128_cipher; + +/** + * \brief Meta-information block for the TinyJAMBU-192 cipher. + */ +extern aead_cipher_t const tiny_jambu_192_cipher; + +/** + * \brief Meta-information block for the TinyJAMBU-256 cipher. + */ +extern aead_cipher_t const tiny_jambu_256_cipher; + +/** + * \brief Encrypts and authenticates a packet with TinyJAMBU-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa tiny_jambu_128_aead_decrypt() + */ +int tiny_jambu_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with TinyJAMBU-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa tiny_jambu_128_aead_encrypt() + */ +int tiny_jambu_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with TinyJAMBU-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 24 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa tiny_jambu_192_aead_decrypt() + */ +int tiny_jambu_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with TinyJAMBU-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 24 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa tiny_jambu_192_aead_encrypt() + */ +int tiny_jambu_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with TinyJAMBU-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa tiny_jambu_256_aead_decrypt() + */ +int tiny_jambu_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with TinyJAMBU-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa tiny_jambu_256_aead_encrypt() + */ +int tiny_jambu_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.c b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/api.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/api.h new file mode 100644 index 0000000..1ee99ed --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 24 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/encrypt.c b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/encrypt.c new file mode 100644 index 0000000..62a5dde --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "tinyjambu.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return tiny_jambu_192_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return tiny_jambu_192_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.c new file mode 100644 index 0000000..7308718 --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.c @@ -0,0 +1,66 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-tinyjambu.h" + +void tiny_jambu_permutation + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds) +{ + uint32_t t1, t2, t3, t4; + unsigned round; + + /* Load the state into local variables */ + uint32_t s0 = state[0]; + uint32_t s1 = state[1]; + uint32_t s2 = state[2]; + uint32_t s3 = state[3]; + + /* Perform all permutation rounds. Each round consists of 128 steps, + * which can be performed 32 at a time plus a rotation. After four + * sets of 32 steps, the rotation order returns to the original position. + * So we can hide the rotations by doing 128 steps each round */ + for (round = 0; round < rounds; ++round) { + /* Get the key words to use during this round */ + const uint32_t *k = &(key[(round * 4) % key_words]); + + /* Perform the 128 steps of this round in groups of 32 */ + #define tiny_jambu_steps_32(s0, s1, s2, s3, offset) \ + do { \ + t1 = (s1 >> 15) | (s2 << 17); \ + t2 = (s2 >> 6) | (s3 << 26); \ + t3 = (s2 >> 21) | (s3 << 11); \ + t4 = (s2 >> 27) | (s3 << 5); \ + s0 ^= t1 ^ (~(t2 & t3)) ^ t4 ^ k[offset]; \ + } while (0) + tiny_jambu_steps_32(s0, s1, s2, s3, 0); + tiny_jambu_steps_32(s1, s2, s3, s0, 1); + tiny_jambu_steps_32(s2, s3, s0, s1, 2); + tiny_jambu_steps_32(s3, s0, s1, s2, 3); + } + + /* Store the local variables back to the state */ + state[0] = s0; + state[1] = s1; + state[2] = s2; + state[3] = s3; +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.h new file mode 100644 index 0000000..f3bc599 --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.h @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_TINYJAMBU_H +#define LW_INTERNAL_TINYJAMBU_H + +#include "internal-util.h" + +/** + * \file internal-tinyjambu.h + * \brief Internal implementation of the TinyJAMBU permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the TinyJAMBU state in 32-bit words. + */ +#define TINY_JAMBU_STATE_SIZE 4 + +/** + * \brief Converts a number of steps into a number of rounds, where each + * round consists of 128 steps. + * + * \param steps The number of steps to perform; 384, 1024, 1152, or 1280. + * + * \return The number of rounds corresponding to \a steps. + */ +#define TINYJAMBU_ROUNDS(steps) ((steps) / 128) + +/** + * \brief Perform the TinyJAMBU permutation. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform. + * + * The number of key words should be 4 for TinyJAMBU-128, 12 for TinyJAMBU-192, + * and 8 for TinuJAMBU-256. The TinyJAMBU-192 key is duplicated so that the + * \a key_words parameter is a multiple of 4. + */ +void tiny_jambu_permutation + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-util.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.c new file mode 100644 index 0000000..09fc41d --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.c @@ -0,0 +1,487 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "tinyjambu.h" +#include "internal-tinyjambu.h" +#include + +aead_cipher_t const tiny_jambu_128_cipher = { + "TinyJAMBU-128", + TINY_JAMBU_128_KEY_SIZE, + TINY_JAMBU_NONCE_SIZE, + TINY_JAMBU_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + tiny_jambu_128_aead_encrypt, + tiny_jambu_128_aead_decrypt +}; + +aead_cipher_t const tiny_jambu_192_cipher = { + "TinyJAMBU-192", + TINY_JAMBU_192_KEY_SIZE, + TINY_JAMBU_NONCE_SIZE, + TINY_JAMBU_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + tiny_jambu_192_aead_encrypt, + tiny_jambu_192_aead_decrypt +}; + +aead_cipher_t const tiny_jambu_256_cipher = { + "TinyJAMBU-256", + TINY_JAMBU_256_KEY_SIZE, + TINY_JAMBU_NONCE_SIZE, + TINY_JAMBU_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + tiny_jambu_256_aead_encrypt, + tiny_jambu_256_aead_decrypt +}; + +/** + * \brief Set up the TinyJAMBU state with the key and the nonce. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to absorb the key. + * \param nonce Points to the nonce. + * + * \sa tiny_jambu_permutation() + */ +static void tiny_jambu_setup + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, const unsigned char *nonce) +{ + /* Initialize the state with the key */ + memset(state, 0, TINY_JAMBU_STATE_SIZE * sizeof(uint32_t)); + tiny_jambu_permutation(state, key, key_words, rounds); + + /* Absorb the three 32-bit words of the 96-bit nonce */ + state[1] ^= 0x10; /* Domain separator for the nonce */ + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(nonce); + state[1] ^= 0x10; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(nonce + 4); + state[1] ^= 0x10; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(nonce + 8); +} + +/** + * \brief Processes the associated data for TinyJAMBU. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void tiny_jambu_process_ad + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, const unsigned char *ad, unsigned long long adlen) +{ + /* Process as many full 32-bit words as we can */ + while (adlen >= 4) { + state[1] ^= 0x30; /* Domain separator for associated data */ + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(ad); + ad += 4; + adlen -= 4; + } + + /* Handle the left-over associated data bytes, if any */ + if (adlen == 1) { + state[1] ^= 0x30; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= ad[0]; + state[1] ^= 0x01; + } else if (adlen == 2) { + state[1] ^= 0x30; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word16(ad); + state[1] ^= 0x02; + } else if (adlen == 3) { + state[1] ^= 0x30; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word16(ad) | (((uint32_t)(ad[2])) << 16); + state[1] ^= 0x03; + } +} + +/** + * \brief Encrypts the plaintext with TinyJAMBU to produce the ciphertext. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to process the plaintext. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Length of the plaintext in bytes. + */ +static void tiny_jambu_encrypt + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + uint32_t data; + + /* Process as many full 32-bit words as we can */ + while (mlen >= 4) { + state[1] ^= 0x50; /* Domain separator for message data */ + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word32(m); + state[3] ^= data; + data ^= state[2]; + le_store_word32(c, data); + c += 4; + m += 4; + mlen -= 4; + } + + /* Handle the left-over plaintext data bytes, if any */ + if (mlen == 1) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = m[0]; + state[3] ^= data; + state[1] ^= 0x01; + c[0] = (uint8_t)(state[2] ^ data); + } else if (mlen == 2) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word16(m); + state[3] ^= data; + state[1] ^= 0x02; + data ^= state[2]; + c[0] = (uint8_t)data; + c[1] = (uint8_t)(data >> 8); + } else if (mlen == 3) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word16(m) | (((uint32_t)(m[2])) << 16); + state[3] ^= data; + state[1] ^= 0x03; + data ^= state[2]; + c[0] = (uint8_t)data; + c[1] = (uint8_t)(data >> 8); + c[2] = (uint8_t)(data >> 16); + } +} + +/** + * \brief Decrypts the ciphertext with TinyJAMBU to produce the plaintext. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to process the ciphertext. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param mlen Length of the plaintext in bytes. + */ +static void tiny_jambu_decrypt + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + uint32_t data; + + /* Process as many full 32-bit words as we can */ + while (mlen >= 4) { + state[1] ^= 0x50; /* Domain separator for message data */ + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word32(c) ^ state[2]; + state[3] ^= data; + le_store_word32(m, data); + c += 4; + m += 4; + mlen -= 4; + } + + /* Handle the left-over ciphertext data bytes, if any */ + if (mlen == 1) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = (c[0] ^ state[2]) & 0xFFU; + state[3] ^= data; + state[1] ^= 0x01; + m[0] = (uint8_t)data; + } else if (mlen == 2) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = (le_load_word16(c) ^ state[2]) & 0xFFFFU; + state[3] ^= data; + state[1] ^= 0x02; + m[0] = (uint8_t)data; + m[1] = (uint8_t)(data >> 8); + } else if (mlen == 3) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word16(c) | (((uint32_t)(c[2])) << 16); + data = (data ^ state[2]) & 0xFFFFFFU; + state[3] ^= data; + state[1] ^= 0x03; + m[0] = (uint8_t)data; + m[1] = (uint8_t)(data >> 8); + m[2] = (uint8_t)(data >> 16); + } +} + +/** + * \brief Generates the final authentication tag for TinyJAMBU. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to generate the tag. + * \param tag Buffer to receive the tag. + */ +static void tiny_jambu_generate_tag + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, unsigned char *tag) +{ + state[1] ^= 0x70; /* Domain separator for finalization */ + tiny_jambu_permutation(state, key, key_words, rounds); + le_store_word32(tag, state[2]); + state[1] ^= 0x70; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + le_store_word32(tag + 4, state[2]); +} + +int tiny_jambu_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[4]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub); + tiny_jambu_process_ad(state, key, 4, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + tiny_jambu_encrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), c, m, mlen); + + /* Generate the authentication tag */ + tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), c + mlen); + return 0; +} + +int tiny_jambu_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[4]; + unsigned char tag[TINY_JAMBU_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < TINY_JAMBU_TAG_SIZE) + return -1; + *mlen = clen - TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub); + tiny_jambu_process_ad(state, key, 4, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + tiny_jambu_decrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), m, c, *mlen); + + /* Check the authentication tag */ + tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), tag); + return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); +} + +int tiny_jambu_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[12]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + TINY_JAMBU_TAG_SIZE; + + /* Unpack the key and duplicate it to make the length a multiple of 4 */ + key[6] = key[0] = le_load_word32(k); + key[7] = key[1] = le_load_word32(k + 4); + key[8] = key[2] = le_load_word32(k + 8); + key[9] = key[3] = le_load_word32(k + 12); + key[10] = key[4] = le_load_word32(k + 16); + key[11] = key[5] = le_load_word32(k + 20); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub); + tiny_jambu_process_ad(state, key, 12, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + tiny_jambu_encrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), c, m, mlen); + + /* Generate the authentication tag */ + tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), c + mlen); + return 0; +} + +int tiny_jambu_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[12]; + unsigned char tag[TINY_JAMBU_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < TINY_JAMBU_TAG_SIZE) + return -1; + *mlen = clen - TINY_JAMBU_TAG_SIZE; + + /* Unpack the key and duplicate it to make the length a multiple of 4 */ + key[6] = key[0] = le_load_word32(k); + key[7] = key[1] = le_load_word32(k + 4); + key[8] = key[2] = le_load_word32(k + 8); + key[9] = key[3] = le_load_word32(k + 12); + key[10] = key[4] = le_load_word32(k + 16); + key[11] = key[5] = le_load_word32(k + 20); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub); + tiny_jambu_process_ad(state, key, 12, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + tiny_jambu_decrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), m, c, *mlen); + + /* Check the authentication tag */ + tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), tag); + return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); +} + +int tiny_jambu_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[8]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + key[4] = le_load_word32(k + 16); + key[5] = le_load_word32(k + 20); + key[6] = le_load_word32(k + 24); + key[7] = le_load_word32(k + 28); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub); + tiny_jambu_process_ad(state, key, 8, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + tiny_jambu_encrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), c, m, mlen); + + /* Generate the authentication tag */ + tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), c + mlen); + return 0; +} + +int tiny_jambu_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[8]; + unsigned char tag[TINY_JAMBU_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < TINY_JAMBU_TAG_SIZE) + return -1; + *mlen = clen - TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + key[4] = le_load_word32(k + 16); + key[5] = le_load_word32(k + 20); + key[6] = le_load_word32(k + 24); + key[7] = le_load_word32(k + 28); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub); + tiny_jambu_process_ad(state, key, 8, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + tiny_jambu_decrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), m, c, *mlen); + + /* Check the authentication tag */ + tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), tag); + return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.h new file mode 100644 index 0000000..cb304ff --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/tinyjambu.h @@ -0,0 +1,270 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_TINYJAMBU_H +#define LWCRYPTO_TINYJAMBU_H + +#include "aead-common.h" + +/** + * \file tinyjambu.h + * \brief TinyJAMBU authenticated encryption algorithm. + * + * TinyJAMBU is a family of encryption algorithms that are built around a + * lightweight 128-bit permutation. There are three variants of TinyJAMBU + * with different key sizes: + * + * \li TinyJAMBU-128 with a 128-bit key, a 96-bit nonce, and a 64-bit tag. + * This is the primary member of the family. + * \li TinyJAMBU-192 with a 192-bit key, a 96-bit nonce, and a 64-bit tag. + * \li TinyJAMBU-256 with a 256-bit key, a 96-bit nonce, and a 64-bit tag. + * + * TinyJAMBU has one of the smallest RAM and flash memory footprints + * out of all the algorithms in this library. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for TinyJAMBU-128. + */ +#define TINY_JAMBU_128_KEY_SIZE 16 + +/** + * \brief Size of the key for TinyJAMBU-192. + */ +#define TINY_JAMBU_192_KEY_SIZE 24 + +/** + * \brief Size of the key for TinyJAMBU-256. + */ +#define TINY_JAMBU_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for all TinyJAMBU variants. + */ +#define TINY_JAMBU_TAG_SIZE 8 + +/** + * \brief Size of the nonce for all TinyJAMBU variants. + */ +#define TINY_JAMBU_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the TinyJAMBU-128 cipher. + */ +extern aead_cipher_t const tiny_jambu_128_cipher; + +/** + * \brief Meta-information block for the TinyJAMBU-192 cipher. + */ +extern aead_cipher_t const tiny_jambu_192_cipher; + +/** + * \brief Meta-information block for the TinyJAMBU-256 cipher. + */ +extern aead_cipher_t const tiny_jambu_256_cipher; + +/** + * \brief Encrypts and authenticates a packet with TinyJAMBU-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa tiny_jambu_128_aead_decrypt() + */ +int tiny_jambu_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with TinyJAMBU-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa tiny_jambu_128_aead_encrypt() + */ +int tiny_jambu_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with TinyJAMBU-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 24 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa tiny_jambu_192_aead_decrypt() + */ +int tiny_jambu_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with TinyJAMBU-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 24 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa tiny_jambu_192_aead_encrypt() + */ +int tiny_jambu_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with TinyJAMBU-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa tiny_jambu_256_aead_decrypt() + */ +int tiny_jambu_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with TinyJAMBU-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa tiny_jambu_256_aead_encrypt() + */ +int tiny_jambu_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.c b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/api.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/api.h new file mode 100644 index 0000000..fd4ff9f --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 32 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 12 +#define CRYPTO_ABYTES 8 +#define CRYPTO_NOOVERLAP 1 diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/encrypt.c b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/encrypt.c new file mode 100644 index 0000000..357b9fe --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "tinyjambu.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return tiny_jambu_256_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return tiny_jambu_256_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.c new file mode 100644 index 0000000..7308718 --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.c @@ -0,0 +1,66 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-tinyjambu.h" + +void tiny_jambu_permutation + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds) +{ + uint32_t t1, t2, t3, t4; + unsigned round; + + /* Load the state into local variables */ + uint32_t s0 = state[0]; + uint32_t s1 = state[1]; + uint32_t s2 = state[2]; + uint32_t s3 = state[3]; + + /* Perform all permutation rounds. Each round consists of 128 steps, + * which can be performed 32 at a time plus a rotation. After four + * sets of 32 steps, the rotation order returns to the original position. + * So we can hide the rotations by doing 128 steps each round */ + for (round = 0; round < rounds; ++round) { + /* Get the key words to use during this round */ + const uint32_t *k = &(key[(round * 4) % key_words]); + + /* Perform the 128 steps of this round in groups of 32 */ + #define tiny_jambu_steps_32(s0, s1, s2, s3, offset) \ + do { \ + t1 = (s1 >> 15) | (s2 << 17); \ + t2 = (s2 >> 6) | (s3 << 26); \ + t3 = (s2 >> 21) | (s3 << 11); \ + t4 = (s2 >> 27) | (s3 << 5); \ + s0 ^= t1 ^ (~(t2 & t3)) ^ t4 ^ k[offset]; \ + } while (0) + tiny_jambu_steps_32(s0, s1, s2, s3, 0); + tiny_jambu_steps_32(s1, s2, s3, s0, 1); + tiny_jambu_steps_32(s2, s3, s0, s1, 2); + tiny_jambu_steps_32(s3, s0, s1, s2, 3); + } + + /* Store the local variables back to the state */ + state[0] = s0; + state[1] = s1; + state[2] = s2; + state[3] = s3; +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.h new file mode 100644 index 0000000..f3bc599 --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.h @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_TINYJAMBU_H +#define LW_INTERNAL_TINYJAMBU_H + +#include "internal-util.h" + +/** + * \file internal-tinyjambu.h + * \brief Internal implementation of the TinyJAMBU permutation. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the TinyJAMBU state in 32-bit words. + */ +#define TINY_JAMBU_STATE_SIZE 4 + +/** + * \brief Converts a number of steps into a number of rounds, where each + * round consists of 128 steps. + * + * \param steps The number of steps to perform; 384, 1024, 1152, or 1280. + * + * \return The number of rounds corresponding to \a steps. + */ +#define TINYJAMBU_ROUNDS(steps) ((steps) / 128) + +/** + * \brief Perform the TinyJAMBU permutation. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform. + * + * The number of key words should be 4 for TinyJAMBU-128, 12 for TinyJAMBU-192, + * and 8 for TinuJAMBU-256. The TinyJAMBU-192 key is duplicated so that the + * \a key_words parameter is a multiple of 4. + */ +void tiny_jambu_permutation + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-util.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.c new file mode 100644 index 0000000..09fc41d --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.c @@ -0,0 +1,487 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "tinyjambu.h" +#include "internal-tinyjambu.h" +#include + +aead_cipher_t const tiny_jambu_128_cipher = { + "TinyJAMBU-128", + TINY_JAMBU_128_KEY_SIZE, + TINY_JAMBU_NONCE_SIZE, + TINY_JAMBU_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + tiny_jambu_128_aead_encrypt, + tiny_jambu_128_aead_decrypt +}; + +aead_cipher_t const tiny_jambu_192_cipher = { + "TinyJAMBU-192", + TINY_JAMBU_192_KEY_SIZE, + TINY_JAMBU_NONCE_SIZE, + TINY_JAMBU_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + tiny_jambu_192_aead_encrypt, + tiny_jambu_192_aead_decrypt +}; + +aead_cipher_t const tiny_jambu_256_cipher = { + "TinyJAMBU-256", + TINY_JAMBU_256_KEY_SIZE, + TINY_JAMBU_NONCE_SIZE, + TINY_JAMBU_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + tiny_jambu_256_aead_encrypt, + tiny_jambu_256_aead_decrypt +}; + +/** + * \brief Set up the TinyJAMBU state with the key and the nonce. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to absorb the key. + * \param nonce Points to the nonce. + * + * \sa tiny_jambu_permutation() + */ +static void tiny_jambu_setup + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, const unsigned char *nonce) +{ + /* Initialize the state with the key */ + memset(state, 0, TINY_JAMBU_STATE_SIZE * sizeof(uint32_t)); + tiny_jambu_permutation(state, key, key_words, rounds); + + /* Absorb the three 32-bit words of the 96-bit nonce */ + state[1] ^= 0x10; /* Domain separator for the nonce */ + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(nonce); + state[1] ^= 0x10; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(nonce + 4); + state[1] ^= 0x10; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(nonce + 8); +} + +/** + * \brief Processes the associated data for TinyJAMBU. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void tiny_jambu_process_ad + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, const unsigned char *ad, unsigned long long adlen) +{ + /* Process as many full 32-bit words as we can */ + while (adlen >= 4) { + state[1] ^= 0x30; /* Domain separator for associated data */ + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word32(ad); + ad += 4; + adlen -= 4; + } + + /* Handle the left-over associated data bytes, if any */ + if (adlen == 1) { + state[1] ^= 0x30; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= ad[0]; + state[1] ^= 0x01; + } else if (adlen == 2) { + state[1] ^= 0x30; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word16(ad); + state[1] ^= 0x02; + } else if (adlen == 3) { + state[1] ^= 0x30; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + state[3] ^= le_load_word16(ad) | (((uint32_t)(ad[2])) << 16); + state[1] ^= 0x03; + } +} + +/** + * \brief Encrypts the plaintext with TinyJAMBU to produce the ciphertext. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to process the plaintext. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Length of the plaintext in bytes. + */ +static void tiny_jambu_encrypt + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, unsigned char *c, + const unsigned char *m, unsigned long long mlen) +{ + uint32_t data; + + /* Process as many full 32-bit words as we can */ + while (mlen >= 4) { + state[1] ^= 0x50; /* Domain separator for message data */ + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word32(m); + state[3] ^= data; + data ^= state[2]; + le_store_word32(c, data); + c += 4; + m += 4; + mlen -= 4; + } + + /* Handle the left-over plaintext data bytes, if any */ + if (mlen == 1) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = m[0]; + state[3] ^= data; + state[1] ^= 0x01; + c[0] = (uint8_t)(state[2] ^ data); + } else if (mlen == 2) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word16(m); + state[3] ^= data; + state[1] ^= 0x02; + data ^= state[2]; + c[0] = (uint8_t)data; + c[1] = (uint8_t)(data >> 8); + } else if (mlen == 3) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word16(m) | (((uint32_t)(m[2])) << 16); + state[3] ^= data; + state[1] ^= 0x03; + data ^= state[2]; + c[0] = (uint8_t)data; + c[1] = (uint8_t)(data >> 8); + c[2] = (uint8_t)(data >> 16); + } +} + +/** + * \brief Decrypts the ciphertext with TinyJAMBU to produce the plaintext. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to process the ciphertext. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param mlen Length of the plaintext in bytes. + */ +static void tiny_jambu_decrypt + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, unsigned char *m, + const unsigned char *c, unsigned long long mlen) +{ + uint32_t data; + + /* Process as many full 32-bit words as we can */ + while (mlen >= 4) { + state[1] ^= 0x50; /* Domain separator for message data */ + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word32(c) ^ state[2]; + state[3] ^= data; + le_store_word32(m, data); + c += 4; + m += 4; + mlen -= 4; + } + + /* Handle the left-over ciphertext data bytes, if any */ + if (mlen == 1) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = (c[0] ^ state[2]) & 0xFFU; + state[3] ^= data; + state[1] ^= 0x01; + m[0] = (uint8_t)data; + } else if (mlen == 2) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = (le_load_word16(c) ^ state[2]) & 0xFFFFU; + state[3] ^= data; + state[1] ^= 0x02; + m[0] = (uint8_t)data; + m[1] = (uint8_t)(data >> 8); + } else if (mlen == 3) { + state[1] ^= 0x50; + tiny_jambu_permutation(state, key, key_words, rounds); + data = le_load_word16(c) | (((uint32_t)(c[2])) << 16); + data = (data ^ state[2]) & 0xFFFFFFU; + state[3] ^= data; + state[1] ^= 0x03; + m[0] = (uint8_t)data; + m[1] = (uint8_t)(data >> 8); + m[2] = (uint8_t)(data >> 16); + } +} + +/** + * \brief Generates the final authentication tag for TinyJAMBU. + * + * \param state TinyJAMBU state to be permuted. + * \param key Points to the key words. + * \param key_words The number of words in the key. + * \param rounds The number of rounds to perform to generate the tag. + * \param tag Buffer to receive the tag. + */ +static void tiny_jambu_generate_tag + (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, + unsigned key_words, unsigned rounds, unsigned char *tag) +{ + state[1] ^= 0x70; /* Domain separator for finalization */ + tiny_jambu_permutation(state, key, key_words, rounds); + le_store_word32(tag, state[2]); + state[1] ^= 0x70; + tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); + le_store_word32(tag + 4, state[2]); +} + +int tiny_jambu_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[4]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub); + tiny_jambu_process_ad(state, key, 4, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + tiny_jambu_encrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), c, m, mlen); + + /* Generate the authentication tag */ + tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), c + mlen); + return 0; +} + +int tiny_jambu_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[4]; + unsigned char tag[TINY_JAMBU_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < TINY_JAMBU_TAG_SIZE) + return -1; + *mlen = clen - TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub); + tiny_jambu_process_ad(state, key, 4, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + tiny_jambu_decrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), m, c, *mlen); + + /* Check the authentication tag */ + tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), tag); + return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); +} + +int tiny_jambu_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[12]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + TINY_JAMBU_TAG_SIZE; + + /* Unpack the key and duplicate it to make the length a multiple of 4 */ + key[6] = key[0] = le_load_word32(k); + key[7] = key[1] = le_load_word32(k + 4); + key[8] = key[2] = le_load_word32(k + 8); + key[9] = key[3] = le_load_word32(k + 12); + key[10] = key[4] = le_load_word32(k + 16); + key[11] = key[5] = le_load_word32(k + 20); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub); + tiny_jambu_process_ad(state, key, 12, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + tiny_jambu_encrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), c, m, mlen); + + /* Generate the authentication tag */ + tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), c + mlen); + return 0; +} + +int tiny_jambu_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[12]; + unsigned char tag[TINY_JAMBU_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < TINY_JAMBU_TAG_SIZE) + return -1; + *mlen = clen - TINY_JAMBU_TAG_SIZE; + + /* Unpack the key and duplicate it to make the length a multiple of 4 */ + key[6] = key[0] = le_load_word32(k); + key[7] = key[1] = le_load_word32(k + 4); + key[8] = key[2] = le_load_word32(k + 8); + key[9] = key[3] = le_load_word32(k + 12); + key[10] = key[4] = le_load_word32(k + 16); + key[11] = key[5] = le_load_word32(k + 20); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub); + tiny_jambu_process_ad(state, key, 12, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + tiny_jambu_decrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), m, c, *mlen); + + /* Check the authentication tag */ + tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), tag); + return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); +} + +int tiny_jambu_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[8]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + key[4] = le_load_word32(k + 16); + key[5] = le_load_word32(k + 20); + key[6] = le_load_word32(k + 24); + key[7] = le_load_word32(k + 28); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub); + tiny_jambu_process_ad(state, key, 8, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + tiny_jambu_encrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), c, m, mlen); + + /* Generate the authentication tag */ + tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), c + mlen); + return 0; +} + +int tiny_jambu_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t state[TINY_JAMBU_STATE_SIZE]; + uint32_t key[8]; + unsigned char tag[TINY_JAMBU_TAG_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < TINY_JAMBU_TAG_SIZE) + return -1; + *mlen = clen - TINY_JAMBU_TAG_SIZE; + + /* Unpack the key */ + key[0] = le_load_word32(k); + key[1] = le_load_word32(k + 4); + key[2] = le_load_word32(k + 8); + key[3] = le_load_word32(k + 12); + key[4] = le_load_word32(k + 16); + key[5] = le_load_word32(k + 20); + key[6] = le_load_word32(k + 24); + key[7] = le_load_word32(k + 28); + + /* Set up the TinyJAMBU state with the key, nonce, and associated data */ + tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub); + tiny_jambu_process_ad(state, key, 8, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + tiny_jambu_decrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), m, c, *mlen); + + /* Check the authentication tag */ + tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), tag); + return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); +} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.h new file mode 100644 index 0000000..cb304ff --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/tinyjambu.h @@ -0,0 +1,270 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_TINYJAMBU_H +#define LWCRYPTO_TINYJAMBU_H + +#include "aead-common.h" + +/** + * \file tinyjambu.h + * \brief TinyJAMBU authenticated encryption algorithm. + * + * TinyJAMBU is a family of encryption algorithms that are built around a + * lightweight 128-bit permutation. There are three variants of TinyJAMBU + * with different key sizes: + * + * \li TinyJAMBU-128 with a 128-bit key, a 96-bit nonce, and a 64-bit tag. + * This is the primary member of the family. + * \li TinyJAMBU-192 with a 192-bit key, a 96-bit nonce, and a 64-bit tag. + * \li TinyJAMBU-256 with a 256-bit key, a 96-bit nonce, and a 64-bit tag. + * + * TinyJAMBU has one of the smallest RAM and flash memory footprints + * out of all the algorithms in this library. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for TinyJAMBU-128. + */ +#define TINY_JAMBU_128_KEY_SIZE 16 + +/** + * \brief Size of the key for TinyJAMBU-192. + */ +#define TINY_JAMBU_192_KEY_SIZE 24 + +/** + * \brief Size of the key for TinyJAMBU-256. + */ +#define TINY_JAMBU_256_KEY_SIZE 32 + +/** + * \brief Size of the authentication tag for all TinyJAMBU variants. + */ +#define TINY_JAMBU_TAG_SIZE 8 + +/** + * \brief Size of the nonce for all TinyJAMBU variants. + */ +#define TINY_JAMBU_NONCE_SIZE 12 + +/** + * \brief Meta-information block for the TinyJAMBU-128 cipher. + */ +extern aead_cipher_t const tiny_jambu_128_cipher; + +/** + * \brief Meta-information block for the TinyJAMBU-192 cipher. + */ +extern aead_cipher_t const tiny_jambu_192_cipher; + +/** + * \brief Meta-information block for the TinyJAMBU-256 cipher. + */ +extern aead_cipher_t const tiny_jambu_256_cipher; + +/** + * \brief Encrypts and authenticates a packet with TinyJAMBU-128. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa tiny_jambu_128_aead_decrypt() + */ +int tiny_jambu_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with TinyJAMBU-128. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa tiny_jambu_128_aead_encrypt() + */ +int tiny_jambu_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with TinyJAMBU-192. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 24 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa tiny_jambu_192_aead_decrypt() + */ +int tiny_jambu_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with TinyJAMBU-192. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 24 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa tiny_jambu_192_aead_encrypt() + */ +int tiny_jambu_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Encrypts and authenticates a packet with TinyJAMBU-256. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 8 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 32 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa tiny_jambu_256_aead_decrypt() + */ +int tiny_jambu_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with TinyJAMBU-256. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 8 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 12 bytes in length. + * \param k Points to the 32 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa tiny_jambu_256_aead_encrypt() + */ +int tiny_jambu_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.c b/wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.h b/wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/api.h b/wage/Implementations/crypto_aead/wageae128v1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/encrypt.c b/wage/Implementations/crypto_aead/wageae128v1/rhys/encrypt.c new file mode 100644 index 0000000..0ed30f7 --- /dev/null +++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "wage.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return wage_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return wage_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-util.h b/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.c b/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.c new file mode 100644 index 0000000..e9528c9 --- /dev/null +++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.c @@ -0,0 +1,512 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-wage.h" + +/** + * \brief Number of rounds for the WAGE permutation. + */ +#define WAGE_NUM_ROUNDS 111 + +/** + * \brief Define WAGE_64BIT to use the 64-bit version of the WAGE core + * permutation. Undefine to use the 8-bit version instead. + */ +#define WAGE_64BIT 1 + +/** + * \brief RC0 and RC1 round constants for WAGE, interleaved with each other. + */ +static unsigned char const wage_rc[WAGE_NUM_ROUNDS * 2] = { + 0x7f, 0x3f, 0x1f, 0x0f, 0x07, 0x03, 0x01, 0x40, 0x20, 0x10, 0x08, 0x04, + 0x02, 0x41, 0x60, 0x30, 0x18, 0x0c, 0x06, 0x43, 0x21, 0x50, 0x28, 0x14, + 0x0a, 0x45, 0x62, 0x71, 0x78, 0x3c, 0x1e, 0x4f, 0x27, 0x13, 0x09, 0x44, + 0x22, 0x51, 0x68, 0x34, 0x1a, 0x4d, 0x66, 0x73, 0x39, 0x5c, 0x2e, 0x57, + 0x2b, 0x15, 0x4a, 0x65, 0x72, 0x79, 0x7c, 0x3e, 0x5f, 0x2f, 0x17, 0x0b, + 0x05, 0x42, 0x61, 0x70, 0x38, 0x1c, 0x0e, 0x47, 0x23, 0x11, 0x48, 0x24, + 0x12, 0x49, 0x64, 0x32, 0x59, 0x6c, 0x36, 0x5b, 0x2d, 0x56, 0x6b, 0x35, + 0x5a, 0x6d, 0x76, 0x7b, 0x3d, 0x5e, 0x6f, 0x37, 0x1b, 0x0d, 0x46, 0x63, + 0x31, 0x58, 0x2c, 0x16, 0x4b, 0x25, 0x52, 0x69, 0x74, 0x3a, 0x5d, 0x6e, + 0x77, 0x3b, 0x1d, 0x4e, 0x67, 0x33, 0x19, 0x4c, 0x26, 0x53, 0x29, 0x54, + 0x2a, 0x55, 0x6a, 0x75, 0x7a, 0x7d, 0x7e, 0x7f, 0x3f, 0x1f, 0x0f, 0x07, + 0x03, 0x01, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x41, 0x60, 0x30, 0x18, + 0x0c, 0x06, 0x43, 0x21, 0x50, 0x28, 0x14, 0x0a, 0x45, 0x62, 0x71, 0x78, + 0x3c, 0x1e, 0x4f, 0x27, 0x13, 0x09, 0x44, 0x22, 0x51, 0x68, 0x34, 0x1a, + 0x4d, 0x66, 0x73, 0x39, 0x5c, 0x2e, 0x57, 0x2b, 0x15, 0x4a, 0x65, 0x72, + 0x79, 0x7c, 0x3e, 0x5f, 0x2f, 0x17, 0x0b, 0x05, 0x42, 0x61, 0x70, 0x38, + 0x1c, 0x0e, 0x47, 0x23, 0x11, 0x48, 0x24, 0x12, 0x49, 0x64, 0x32, 0x59, + 0x6c, 0x36, 0x5b, 0x2d, 0x56, 0x6b, 0x35, 0x5a, 0x6d, 0x76, 0x7b, 0x3d, + 0x5e, 0x6f, 0x37, 0x1b, 0x0d, 0x46 +}; + +/** + * \brief Apply the WGP permutation to a 7-bit component. + * + * Warning: This is not constant cache. + */ +static unsigned char const wage_wgp[128] = { + 0x00, 0x12, 0x0a, 0x4b, 0x66, 0x0c, 0x48, 0x73, 0x79, 0x3e, 0x61, 0x51, + 0x01, 0x15, 0x17, 0x0e, 0x7e, 0x33, 0x68, 0x36, 0x42, 0x35, 0x37, 0x5e, + 0x53, 0x4c, 0x3f, 0x54, 0x58, 0x6e, 0x56, 0x2a, 0x1d, 0x25, 0x6d, 0x65, + 0x5b, 0x71, 0x2f, 0x20, 0x06, 0x18, 0x29, 0x3a, 0x0d, 0x7a, 0x6c, 0x1b, + 0x19, 0x43, 0x70, 0x41, 0x49, 0x22, 0x77, 0x60, 0x4f, 0x45, 0x55, 0x02, + 0x63, 0x47, 0x75, 0x2d, 0x40, 0x46, 0x7d, 0x5c, 0x7c, 0x59, 0x26, 0x0b, + 0x09, 0x03, 0x57, 0x5d, 0x27, 0x78, 0x30, 0x2e, 0x44, 0x52, 0x3b, 0x08, + 0x67, 0x2c, 0x05, 0x6b, 0x2b, 0x1a, 0x21, 0x38, 0x07, 0x0f, 0x4a, 0x11, + 0x50, 0x6a, 0x28, 0x31, 0x10, 0x4d, 0x5f, 0x72, 0x39, 0x16, 0x5a, 0x13, + 0x04, 0x3c, 0x34, 0x1f, 0x76, 0x1e, 0x14, 0x23, 0x1c, 0x32, 0x4e, 0x7b, + 0x24, 0x74, 0x7f, 0x3d, 0x69, 0x64, 0x62, 0x6f +}; + +/** + * \brief Evaluate the WAGE S-box three times in parallel. + * + * \param x6 The input values to the S-box. + * \return The output values from the S-box. + * + * This function directly evaluates the S-box in bit-sliced form + * using the algorithm from the specification. + */ +STATIC_INLINE uint32_t wage_sbox_parallel_3(uint32_t x6) +{ + uint32_t x0 = x6 >> 6; + uint32_t x1 = x6 >> 5; + uint32_t x2 = x6 >> 4; + uint32_t x3 = x6 >> 3; + uint32_t x4 = x6 >> 2; + uint32_t x5 = x6 >> 1; + x0 ^= (x2 & x3); x3 = ~x3; x3 ^= (x5 & x6); x5 = ~x5; x5 ^= (x2 & x4); + x6 ^= (x0 & x4); x4 = ~x4; x4 ^= (x5 & x1); x5 = ~x5; x5 ^= (x0 & x2); + x1 ^= (x6 & x2); x2 = ~x2; x2 ^= (x5 & x3); x5 = ~x5; x5 ^= (x6 & x0); + x3 ^= (x1 & x0); x0 = ~x0; x0 ^= (x5 & x4); x5 = ~x5; x5 ^= (x1 & x6); + x4 ^= (x3 & x6); x6 = ~x6; x6 ^= (x5 & x2); x5 = ~x5; x5 ^= (x3 & x1); + x2 ^= (x4 & x1); x1 = ~x1; x1 ^= (x5 & x0); x5 = ~x5; x5 ^= (x4 & x3); + x2 = ~x2; x4 = ~x4; + return ((x2 & 0x00010101U) << 6) ^ + ((x6 & 0x00010101U) << 5) ^ + ((x4 & 0x00010101U) << 4) ^ + ((x1 & 0x00010101U) << 3) ^ + ((x3 & 0x00010101U) << 2) ^ + ((x5 & 0x00010101U) << 1) ^ + (x0 & 0x00010101U); +} + +void wage_permute(unsigned char s[WAGE_STATE_SIZE]) +{ +#if defined(WAGE_64BIT) + const unsigned char *rc = wage_rc; + unsigned char round; + uint64_t x0, x1, x2, x3, x4; + uint32_t fb, temp; + + /* Load the state into 64-bit words. Each word will have up to eight + * 7-bit components with the MSB of each component fixed at zero. + * + * x0 = s[0] .. s[7] + * x1 = s[8] .. s[15] + * x2 = s[16] .. s[23] + * x3 = s[24] .. s[31] + * x4 = s[32] .. s[36] + */ + x0 = le_load_word64(s); + x1 = le_load_word64(s + 8); + x2 = le_load_word64(s + 16); + x3 = le_load_word64(s + 24); + x4 = le_load_word32(s + 32) | (((uint64_t)(s[36])) << 32); + + /* Perform all rounds 3 at a time to reduce the state rotation overhead */ + for (round = 0; round < (WAGE_NUM_ROUNDS / 3); ++round, rc += 6) { + /* Calculate the feedback value for the LFSR. + * + * fb = omega(s[0]) ^ s[6] ^ s[8] ^ s[12] ^ s[13] ^ s[19] ^ + * s[24] ^ s[26] ^ s[30] ^ s[31] ^ WGP(s[36]) ^ RC1[round] + * + * where omega(x) is (x >> 1) if the low bit of x is zero and + * (x >> 1) ^ 0x78 if the low bit of x is one. + */ + /* fb0 = omega(s[0]), fb1 = omega(s[1]), fb2 = omega(s[2]) */ + temp = (uint32_t)x0; + fb = (temp & 0x00010101U) << 6; + fb ^= (fb >> 1); + fb ^= (fb >> 2); + fb ^= (temp >> 1) & 0x003F3F3FU; + /* fb0 ^= s[6], fb1 ^= s[7], fb2 ^= s[8] */ + fb ^= (uint32_t)(x0 >> 48); + fb ^= ((uint32_t)x1) << 16; + /* fb0 ^= s[8], fb1 ^= s[9], fb2 ^= s[10] */ + fb ^= (uint32_t)x1; + /* fb0 ^= s[12], fb1 ^= s[13], fb2 ^= s[14] */ + fb ^= (uint32_t)(x1 >> 32); + /* fb0 ^= s[13], fb1 ^= s[14], fb2 ^= s[15] */ + fb ^= (uint32_t)(x1 >> 40); + /* fb0 ^= s[19], fb1 ^= s[20], fb2 ^= s[21] */ + fb ^= (uint32_t)(x2 >> 24); + /* fb0 ^= s[24], fb1 ^= s[25], fb2 ^= s[26] */ + fb ^= (uint32_t)x3; + /* fb0 ^= s[26], fb1 ^= s[27], fb2 ^= s[28] */ + fb ^= (uint32_t)(x3 >> 16); + /* fb0 ^= s[30], fb1 ^= s[31], fb2 ^= s[32] */ + fb ^= (uint32_t)(x3 >> 48); + fb ^= ((uint32_t)x4) << 16; + /* fb0 ^= s[31], fb1 ^= s[32], fb2 ^= s[33] */ + fb ^= (uint32_t)(x3 >> 56); + fb ^= ((uint32_t)x4) << 8; + /* fb0,1,2 ^= RC1 */ + temp = rc[1] | (((uint32_t)(rc[3])) << 8) | (((uint32_t)(rc[5])) << 16); + fb ^= temp; + /* fb0 ^= WGP(s[36]) */ + fb ^= wage_wgp[(uint8_t)(x4 >> 32)]; + /* fb1 ^= WGP(fb0) */ + fb ^= ((uint32_t)(wage_wgp[fb & 0xFF])) << 8; + /* fb2 ^= WGP(fb1) */ + fb ^= ((uint32_t)(wage_wgp[(fb >> 8) & 0xFF])) << 16; + + /* Apply the S-box and WGP permutation to certain components */ + /* s[5] ^= sbox[s[8]], s[6] ^= sbox[s[9]], s[7] ^= sbox[s[10]] */ + x0 ^= ((uint64_t)wage_sbox_parallel_3((uint32_t)x1)) << 40; + /* s[11] ^= sbox[s[15]], s[12] ^= sbox[s[16]], s[13] ^= sbox[s[17]] */ + x1 ^= ((uint64_t)wage_sbox_parallel_3 + ((uint32_t)((x1 >> 56) | (x2 << 8)))) << 24; + /* s[24] ^= sbox[s[27]], s[25] ^= sbox[s[28]], s[26] ^= sbox[s[29]] */ + x3 ^= (uint64_t)wage_sbox_parallel_3((uint32_t)(x3 >> 24)); + /* s[30] ^= sbox[s[34]], s[31] ^= sbox[s[35]], s[32] ^= sbox[s[36]] */ + temp = wage_sbox_parallel_3((uint32_t)(x4 >> 16)); + x3 ^= ((uint64_t)temp) << 48; + x4 ^= temp >> 16; + /* s[19] ^= WGP[s[18]] ^ RC0 */ + temp = (uint32_t)(x2 >> 16); /* s[18..21] */ + temp ^= ((uint32_t)(wage_wgp[temp & 0x7F])) << 8; + temp ^= ((uint32_t)(rc[0])) << 8; + /* s[20] ^= WGP[s[19]] ^ RC0 */ + temp ^= ((uint32_t)(wage_wgp[(temp >> 8) & 0x7F])) << 16; + temp ^= ((uint32_t)(rc[2])) << 16; + /* s[21] ^= WGP[s[20]] ^ RC0 */ + temp ^= ((uint32_t)(wage_wgp[(temp >> 16) & 0x7F])) << 24; + temp ^= ((uint32_t)(rc[4])) << 24; + temp &= 0x7F7F7F00U; + x2 = (x2 & 0xFFFF000000FFFFFFULL) | (((uint64_t)temp) << 16); + + /* Rotate the components of the state by 3 positions */ + x0 = (x0 >> 24) | (x1 << 40); + x1 = (x1 >> 24) | (x2 << 40); + x2 = (x2 >> 24) | (x3 << 40); + x3 = (x3 >> 24) | (x4 << 40); + x4 = (x4 >> 24) | (((uint64_t)(fb & 0x00FFFFFFU)) << 16); + } + + /* Save the words back to the state */ + le_store_word64(s, x0); + le_store_word64(s + 8, x1); + le_store_word64(s + 16, x2); + le_store_word64(s + 24, x3); + le_store_word32(s + 32, (uint32_t)x4); + s[36] = (unsigned char)(x4 >> 32); +#else /* 8-bit version of WAGE */ + const unsigned char *rc = wage_rc; + unsigned char round, index; + unsigned char fb0, fb1, fb2; + uint32_t temp; + + /* Perform all rounds 3 at a time to reduce the state rotation overhead */ + for (round = 0; round < (WAGE_NUM_ROUNDS / 3); ++round, rc += 6) { + /* Calculate the feedback value for the LFSR. + * + * fb = omega(s[0]) ^ s[6] ^ s[8] ^ s[12] ^ s[13] ^ s[19] ^ + * s[24] ^ s[26] ^ s[30] ^ s[31] ^ WGP(s[36]) ^ RC1[round] + * + * where omega(x) is (x >> 1) if the low bit of x is zero and + * (x >> 1) ^ 0x78 if the low bit of x is one. + */ + fb0 = (s[0] >> 1) ^ (0x78 & -(s[0] & 0x01)); + fb0 ^= s[6] ^ s[8] ^ s[12] ^ s[13] ^ s[19] ^ + s[24] ^ s[26] ^ s[30] ^ s[31] ^ rc[1]; + fb0 ^= wage_wgp[s[36]]; + fb1 = (s[1] >> 1) ^ (0x78 & -(s[1] & 0x01)); + fb1 ^= s[7] ^ s[9] ^ s[13] ^ s[14] ^ s[20] ^ + s[25] ^ s[27] ^ s[31] ^ s[32] ^ rc[3]; + fb1 ^= wage_wgp[fb0]; + fb2 = (s[2] >> 1) ^ (0x78 & -(s[2] & 0x01)); + fb2 ^= s[8] ^ s[10] ^ s[14] ^ s[15] ^ s[21] ^ + s[26] ^ s[28] ^ s[32] ^ s[33] ^ rc[5]; + fb2 ^= wage_wgp[fb1]; + + /* Apply the S-box and WGP permutation to certain components */ + temp = s[8] | (((uint32_t)(s[9])) << 8) | (((uint32_t)(s[10])) << 16); + temp = wage_sbox_parallel_3(temp); + s[5] ^= (unsigned char)temp; + s[6] ^= (unsigned char)(temp >> 8); + s[7] ^= (unsigned char)(temp >> 16); + temp = s[15] | (((uint32_t)(s[16])) << 8) | (((uint32_t)(s[17])) << 16); + temp = wage_sbox_parallel_3(temp); + s[11] ^= (unsigned char)temp; + s[12] ^= (unsigned char)(temp >> 8); + s[13] ^= (unsigned char)(temp >> 16); + s[19] ^= wage_wgp[s[18]] ^ rc[0]; + s[20] ^= wage_wgp[s[19]] ^ rc[2]; + s[21] ^= wage_wgp[s[20]] ^ rc[4]; + temp = s[27] | (((uint32_t)(s[28])) << 8) | (((uint32_t)(s[29])) << 16); + temp = wage_sbox_parallel_3(temp); + s[24] ^= (unsigned char)temp; + s[25] ^= (unsigned char)(temp >> 8); + s[26] ^= (unsigned char)(temp >> 16); + temp = s[34] | (((uint32_t)(s[35])) << 8) | (((uint32_t)(s[36])) << 16); + temp = wage_sbox_parallel_3(temp); + s[30] ^= (unsigned char)temp; + s[31] ^= (unsigned char)(temp >> 8); + s[32] ^= (unsigned char)(temp >> 16); + + /* Rotate the components of the state by 3 positions */ + for (index = 0; index < WAGE_STATE_SIZE - 3; ++index) + s[index] = s[index + 3]; + s[WAGE_STATE_SIZE - 3] = fb0; + s[WAGE_STATE_SIZE - 2] = fb1; + s[WAGE_STATE_SIZE - 1] = fb2; + } +#endif +} + +/* 7-bit components for the rate: 8, 9, 15, 16, 18, 27, 28, 34, 35, 36 */ + +void wage_absorb + (unsigned char s[WAGE_STATE_SIZE], const unsigned char data[8], + unsigned char domain) +{ + uint32_t temp; + temp = be_load_word32(data); + s[8] ^= (unsigned char)(temp >> 25); + s[9] ^= (unsigned char)((temp >> 18) & 0x7F); + s[15] ^= (unsigned char)((temp >> 11) & 0x7F); + s[16] ^= (unsigned char)((temp >> 4) & 0x7F); + s[18] ^= (unsigned char)((temp << 3) & 0x7F); + temp = be_load_word32(data + 4); + s[18] ^= (unsigned char)(temp >> 29); + s[27] ^= (unsigned char)((temp >> 22) & 0x7F); + s[28] ^= (unsigned char)((temp >> 15) & 0x7F); + s[34] ^= (unsigned char)((temp >> 8) & 0x7F); + s[35] ^= (unsigned char)((temp >> 1) & 0x7F); + s[36] ^= (unsigned char)((temp << 6) & 0x7F); + s[0] ^= domain; +} + +void wage_get_rate + (const unsigned char s[WAGE_STATE_SIZE], unsigned char data[8]) +{ + uint32_t temp; + temp = ((uint32_t)(s[8])) << 25; + temp |= ((uint32_t)(s[9])) << 18; + temp |= ((uint32_t)(s[15])) << 11; + temp |= ((uint32_t)(s[16])) << 4; + temp |= ((uint32_t)(s[18])) >> 3; + be_store_word32(data, temp); + temp = ((uint32_t)(s[18])) << 29; + temp |= ((uint32_t)(s[27])) << 22; + temp |= ((uint32_t)(s[28])) << 15; + temp |= ((uint32_t)(s[34])) << 8; + temp |= ((uint32_t)(s[35])) << 1; + temp |= ((uint32_t)(s[36])) >> 6; + be_store_word32(data + 4, temp); +} + +void wage_set_rate + (unsigned char s[WAGE_STATE_SIZE], const unsigned char data[8], + unsigned char domain) +{ + uint32_t temp; + temp = be_load_word32(data); + s[8] = (unsigned char)(temp >> 25); + s[9] = (unsigned char)((temp >> 18) & 0x7F); + s[15] = (unsigned char)((temp >> 11) & 0x7F); + s[16] = (unsigned char)((temp >> 4) & 0x7F); + s[18] = (unsigned char)((temp << 3) & 0x7F); + temp = be_load_word32(data + 4); + s[18] ^= (unsigned char)(temp >> 29); + s[27] = (unsigned char)((temp >> 22) & 0x7F); + s[28] = (unsigned char)((temp >> 15) & 0x7F); + s[34] = (unsigned char)((temp >> 8) & 0x7F); + s[35] = (unsigned char)((temp >> 1) & 0x7F); + s[36] = (unsigned char)(((temp << 6) & 0x40) ^ (s[36] & 0x3F)); + s[0] ^= domain; +} + +/** + * \brief Converts a 128-bit value into an array of 7-bit components. + * + * \param out Points to the output array of 7-bit components. + * \param in Points to the 128-bit value to convert. + */ +static void wage_128bit_to_components + (unsigned char out[19], const unsigned char *in) +{ + uint32_t temp; + temp = be_load_word32(in); + out[0] = (unsigned char)(temp >> 25); + out[1] = (unsigned char)((temp >> 18) & 0x7F); + out[2] = (unsigned char)((temp >> 11) & 0x7F); + out[3] = (unsigned char)((temp >> 4) & 0x7F); + out[4] = (unsigned char)((temp << 3) & 0x7F); + temp = be_load_word32(in + 4); + out[4] ^= (unsigned char)(temp >> 29); + out[5] = (unsigned char)((temp >> 22) & 0x7F); + out[6] = (unsigned char)((temp >> 15) & 0x7F); + out[7] = (unsigned char)((temp >> 8) & 0x7F); + out[8] = (unsigned char)((temp >> 1) & 0x7F); + out[18] = (unsigned char)((temp << 6) & 0x7F); + temp = be_load_word32(in + 8); + out[9] = (unsigned char)(temp >> 25); + out[10] = (unsigned char)((temp >> 18) & 0x7F); + out[11] = (unsigned char)((temp >> 11) & 0x7F); + out[12] = (unsigned char)((temp >> 4) & 0x7F); + out[13] = (unsigned char)((temp << 3) & 0x7F); + temp = be_load_word32(in + 12); + out[13] ^= (unsigned char)(temp >> 29); + out[14] = (unsigned char)((temp >> 22) & 0x7F); + out[15] = (unsigned char)((temp >> 15) & 0x7F); + out[16] = (unsigned char)((temp >> 8) & 0x7F); + out[17] = (unsigned char)((temp >> 1) & 0x7F); + out[18] ^= (unsigned char)((temp << 5) & 0x20); +} + +void wage_absorb_key + (unsigned char s[WAGE_STATE_SIZE], const unsigned char *key) +{ + unsigned char components[19]; + wage_128bit_to_components(components, key); + s[8] ^= components[0]; + s[9] ^= components[1]; + s[15] ^= components[2]; + s[16] ^= components[3]; + s[18] ^= components[4]; + s[27] ^= components[5]; + s[28] ^= components[6]; + s[34] ^= components[7]; + s[35] ^= components[8]; + s[36] ^= components[18] & 0x40; + wage_permute(s); + s[8] ^= components[9]; + s[9] ^= components[10]; + s[15] ^= components[11]; + s[16] ^= components[12]; + s[18] ^= components[13]; + s[27] ^= components[14]; + s[28] ^= components[15]; + s[34] ^= components[16]; + s[35] ^= components[17]; + s[36] ^= (components[18] << 1) & 0x40; + wage_permute(s); +} + +void wage_init + (unsigned char s[WAGE_STATE_SIZE], + const unsigned char *key, const unsigned char *nonce) +{ + unsigned char components[19]; + + /* Initialize the state with the key and nonce */ + wage_128bit_to_components(components, key); + s[0] = components[0]; + s[1] = components[2]; + s[2] = components[4]; + s[3] = components[6]; + s[4] = components[8]; + s[5] = components[10]; + s[6] = components[12]; + s[7] = components[14]; + s[8] = components[16]; + s[18] = components[18]; + s[19] = components[1]; + s[20] = components[3]; + s[21] = components[5]; + s[22] = components[7]; + s[23] = components[9]; + s[24] = components[11]; + s[25] = components[13]; + s[26] = components[15]; + s[27] = components[17]; + wage_128bit_to_components(components, nonce); + s[9] = components[1]; + s[10] = components[3]; + s[11] = components[5]; + s[12] = components[7]; + s[13] = components[9]; + s[14] = components[11]; + s[15] = components[13]; + s[16] = components[17]; + s[17] = components[15]; + s[18] ^= (components[18] >> 2); + s[28] = components[0]; + s[29] = components[2]; + s[30] = components[4]; + s[31] = components[6]; + s[32] = components[8]; + s[33] = components[10]; + s[34] = components[12]; + s[35] = components[14]; + s[36] = components[16]; + + /* Permute the state to absorb the key and nonce */ + wage_permute(s); + + /* Absorb the key again and permute the state */ + wage_absorb_key(s, key); +} + +void wage_extract_tag + (const unsigned char s[WAGE_STATE_SIZE], unsigned char tag[16]) +{ + unsigned char components[19]; + uint32_t temp; + + /* Extract the 7-bit components that make up the tag */ + for (temp = 0; temp < 9; ++temp) { + components[temp * 2] = s[28 + temp]; + components[temp * 2 + 1] = s[ 9 + temp]; + } + components[18] = (s[18] << 2) & 0x60; + + /* Convert from 7-bit component form back into bytes */ + temp = ((uint32_t)(components[0])) << 25; + temp |= ((uint32_t)(components[1])) << 18; + temp |= ((uint32_t)(components[2])) << 11; + temp |= ((uint32_t)(components[3])) << 4; + temp |= ((uint32_t)(components[4])) >> 3; + be_store_word32(tag, temp); + temp = ((uint32_t)(components[4])) << 29; + temp |= ((uint32_t)(components[5])) << 22; + temp |= ((uint32_t)(components[6])) << 15; + temp |= ((uint32_t)(components[7])) << 8; + temp |= ((uint32_t)(components[8])) << 1; + temp |= ((uint32_t)(components[9])) >> 6; + be_store_word32(tag + 4, temp); + temp = ((uint32_t)(components[9])) << 26; + temp |= ((uint32_t)(components[10])) << 19; + temp |= ((uint32_t)(components[11])) << 12; + temp |= ((uint32_t)(components[12])) << 5; + temp |= ((uint32_t)(components[13])) >> 2; + be_store_word32(tag + 8, temp); + temp = ((uint32_t)(components[13])) << 30; + temp |= ((uint32_t)(components[14])) << 23; + temp |= ((uint32_t)(components[15])) << 16; + temp |= ((uint32_t)(components[16])) << 9; + temp |= ((uint32_t)(components[17])) << 2; + temp |= ((uint32_t)(components[18])) >> 5; + be_store_word32(tag + 12, temp); +} diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.h b/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.h new file mode 100644 index 0000000..a0d23d7 --- /dev/null +++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-wage.h @@ -0,0 +1,117 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_WAGE_H +#define LW_INTERNAL_WAGE_H + +#include "internal-util.h" + +/** + * \file internal-wage.h + * \brief Internal implementation of the WAGE permutation. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/wage + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the WAGE state in bytes. + * + * The state is 259 bits, divided into 37 7-bit components, one per byte. + */ +#define WAGE_STATE_SIZE 37 + +/** + * \brief Permutes the WAGE state. + * + * \param s The WAGE state to be permuted. + */ +void wage_permute(unsigned char s[WAGE_STATE_SIZE]); + +/** + * \brief Absorbs 8 bytes into the WAGE state. + * + * \param s The WAGE state to be permuted. + * \param data The data to be absorbed. + * \param domain The domain separator for the absorbed data. + */ +void wage_absorb + (unsigned char s[WAGE_STATE_SIZE], const unsigned char data[8], + unsigned char domain); + +/** + * \brief Gets the 8 bytes of the rate from the WAGE state. + * + * \param s The WAGE state to get the bytes from. + * \param data Points to the buffer to receive the extracted bytes. + */ +void wage_get_rate + (const unsigned char s[WAGE_STATE_SIZE], unsigned char data[8]); + +/** + * \brief Sets the 8 bytes of the rate in the WAGE state. + * + * \param s The WAGE state to set the rate in. + * \param data Points to the bytes to set into the rate. + * \param domain The domain separator for the rate data. + */ +void wage_set_rate + (unsigned char s[WAGE_STATE_SIZE], const unsigned char data[8], + unsigned char domain); + +/** + * \brief Absorbs 16 key bytes into the WAGE state. + * + * \param s The WAGE state to be permuted. + * \param key Points to the key data to be absorbed. + */ +void wage_absorb_key + (unsigned char s[WAGE_STATE_SIZE], const unsigned char *key); + +/** + * \brief Initializes the WAGE state with a key and nonce. + * + * \param s The WAGE state to be initialized. + * \param key Points to the 128-bit key. + * \param nonce Points to the 128-bit nonce. + */ +void wage_init + (unsigned char s[WAGE_STATE_SIZE], + const unsigned char *key, const unsigned char *nonce); + +/** + * \brief Extracts the 128-bit authentication tag from the WAGE state. + * + * \param s The WAGE state to extract the tag from. + * \param tag Points to the buffer to receive the extracted tag. + */ +void wage_extract_tag + (const unsigned char s[WAGE_STATE_SIZE], unsigned char tag[16]); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/wage.c b/wage/Implementations/crypto_aead/wageae128v1/rhys/wage.c new file mode 100644 index 0000000..374409b --- /dev/null +++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/wage.c @@ -0,0 +1,168 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "wage.h" +#include "internal-wage.h" +#include + +aead_cipher_t const wage_cipher = { + "WAGE", + WAGE_KEY_SIZE, + WAGE_NONCE_SIZE, + WAGE_TAG_SIZE, + AEAD_FLAG_NONE, + wage_aead_encrypt, + wage_aead_decrypt +}; + +/** + * \brief Rate of absorbing data into the WAGE state in sponge mode. + */ +#define WAGE_RATE 8 + +/** + * \brief Processes associated data for WAGE. + * + * \param state Points to the WAGE state. + * \param pad Points to an 8-byte temporary buffer for handling padding. + * \param ad Points to the associated data. + * \param adlen Length of the associated data. + */ +static void wage_process_ad + (unsigned char state[WAGE_STATE_SIZE], unsigned char pad[WAGE_RATE], + const unsigned char *ad, unsigned long long adlen) +{ + unsigned temp; + + /* Process as many full blocks as possible */ + while (adlen >= WAGE_RATE) { + wage_absorb(state, ad, 0x40); + wage_permute(state); + ad += WAGE_RATE; + adlen -= WAGE_RATE; + } + + /* Pad and absorb the final block */ + temp = (unsigned)adlen; + memcpy(pad, ad, temp); + pad[temp] = 0x80; + memset(pad + temp + 1, 0, WAGE_RATE - temp - 1); + wage_absorb(state, pad, 0x40); + wage_permute(state); +} + +int wage_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[WAGE_STATE_SIZE]; + unsigned char block[WAGE_RATE]; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + WAGE_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + wage_init(state, k, npub); + if (adlen != 0) + wage_process_ad(state, block, ad, adlen); + + /* Encrypts the plaintext to produce the ciphertext */ + while (mlen >= WAGE_RATE) { + wage_get_rate(state, block); + lw_xor_block(block, m, WAGE_RATE); + wage_set_rate(state, block, 0x20); + wage_permute(state); + memcpy(c, block, WAGE_RATE); + c += WAGE_RATE; + m += WAGE_RATE; + mlen -= WAGE_RATE; + } + temp = (unsigned)mlen; + wage_get_rate(state, block); + lw_xor_block(block, m, temp); + block[temp] ^= 0x80; + wage_set_rate(state, block, 0x20); + wage_permute(state); + memcpy(c, block, temp); + + /* Generate and extract the authentication tag */ + wage_absorb_key(state, k); + wage_extract_tag(state, c + temp); + return 0; +} + +int wage_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[WAGE_STATE_SIZE]; + unsigned char block[WAGE_TAG_SIZE]; + unsigned char *mtemp = m; + unsigned temp; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < WAGE_TAG_SIZE) + return -1; + *mlen = clen - WAGE_TAG_SIZE; + + /* Initialize the state and absorb the associated data */ + wage_init(state, k, npub); + if (adlen != 0) + wage_process_ad(state, block, ad, adlen); + + /* Decrypts the ciphertext to produce the plaintext */ + clen -= WAGE_TAG_SIZE; + while (clen >= WAGE_RATE) { + wage_get_rate(state, block); + lw_xor_block(block, c, WAGE_RATE); + wage_set_rate(state, c, 0x20); + wage_permute(state); + memcpy(m, block, WAGE_RATE); + c += WAGE_RATE; + m += WAGE_RATE; + clen -= WAGE_RATE; + } + temp = (unsigned)clen; + wage_get_rate(state, block); + lw_xor_block_2_src(block + 8, block, c, temp); + memcpy(block, c, temp); + block[temp] ^= 0x80; + wage_set_rate(state, block, 0x20); + wage_permute(state); + memcpy(m, block + 8, temp); + + /* Generate and check the authentication tag */ + wage_absorb_key(state, k); + wage_extract_tag(state, block); + return aead_check_tag(mtemp, *mlen, block, c + temp, WAGE_TAG_SIZE); +} diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/wage.h b/wage/Implementations/crypto_aead/wageae128v1/rhys/wage.h new file mode 100644 index 0000000..2a620c4 --- /dev/null +++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/wage.h @@ -0,0 +1,127 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_WAGE_H +#define LWCRYPTO_WAGE_H + +#include "aead-common.h" + +/** + * \file wage.h + * \brief WAGE authenticated encryption algorithm. + * + * WAGE is an authenticated encryption algorithm that is built around the + * 259-bit WAGE permutation. The algorithm has a 128-bit key, a 128-bit + * nonce, and a 128-bit authentication tag. It is an evolution of the + * WG series of stream ciphers. + * + * References: https://uwaterloo.ca/communications-security-lab/lwc/wage + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for WAGE. + */ +#define WAGE_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for WAGE. + */ +#define WAGE_TAG_SIZE 16 + +/** + * \brief Size of the nonce for WAGE. + */ +#define WAGE_NONCE_SIZE 16 + +/** + * \brief Meta-information block for the WAGE cipher. + */ +extern aead_cipher_t const wage_cipher; + +/** + * \brief Encrypts and authenticates a packet with WAGE. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa wage_aead_decrypt() + */ +int wage_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with WAGE. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa wage_aead_encrypt() + */ +int wage_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.c b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.c new file mode 100644 index 0000000..84fc53a --- /dev/null +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.c @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "aead-common.h" + +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = (accum - 1) >> 8; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} + +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned size, int precheck) +{ + /* Set "accum" to -1 if the tags match, or 0 if they don't match */ + int accum = 0; + while (size > 0) { + accum |= (*tag1++ ^ *tag2++); + --size; + } + accum = ((accum - 1) >> 8) & precheck; + + /* Destroy the plaintext if the tag match failed */ + while (plaintext_len > 0) { + *plaintext++ &= accum; + --plaintext_len; + } + + /* If "accum" is 0, return -1, otherwise return 0 */ + return ~accum; +} diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.h new file mode 100644 index 0000000..2be95eb --- /dev/null +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/aead-common.h @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_AEAD_COMMON_H +#define LWCRYPTO_AEAD_COMMON_H + +#include + +/** + * \file aead-common.h + * \brief Definitions that are common across AEAD schemes. + * + * AEAD stands for "Authenticated Encryption with Associated Data". + * It is a standard API pattern for securely encrypting and + * authenticating packets of data. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Encrypts and authenticates a packet with an AEAD scheme. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + */ +typedef int (*aead_cipher_encrypt_t) + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with an AEAD scheme. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - normally not used by AEAD schemes. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet. + * \param k Points to the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + */ +typedef int (*aead_cipher_decrypt_t) + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data. + * + * \param out Buffer to receive the hash output. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +typedef int (*aead_hash_t) + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a hashing operation. + * + * \param state Hash state to be initialized. + */ +typedef void (*aead_hash_init_t)(void *state); + +/** + * \brief Updates a hash state with more input data. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be incorporated into the state. + * \param inlen Length of the input data to be incorporated into the state. + */ +typedef void (*aead_hash_update_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Returns the final hash value from a hashing operation. + * + * \param Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + */ +typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); + +/** + * \brief Aborbs more input data into an XOF state. + * + * \param state XOF state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa ascon_xof_init(), ascon_xof_squeeze() + */ +typedef void (*aead_xof_absorb_t) + (void *state, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Squeezes output data from an XOF state. + * + * \param state XOF state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + */ +typedef void (*aead_xof_squeeze_t) + (void *state, unsigned char *out, unsigned long long outlen); + +/** + * \brief No special AEAD features. + */ +#define AEAD_FLAG_NONE 0x0000 + +/** + * \brief The natural byte order of the AEAD cipher is little-endian. + * + * If this flag is not present, then the natural byte order of the + * AEAD cipher should be assumed to be big-endian. + * + * The natural byte order may be useful when formatting packet sequence + * numbers as nonces. The application needs to know whether the sequence + * number should be packed into the leading or trailing bytes of the nonce. + */ +#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 + +/** + * \brief Meta-information about an AEAD cipher. + */ +typedef struct +{ + const char *name; /**< Name of the cipher */ + unsigned key_len; /**< Length of the key in bytes */ + unsigned nonce_len; /**< Length of the nonce in bytes */ + unsigned tag_len; /**< Length of the tag in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ + aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ + +} aead_cipher_t; + +/** + * \brief Meta-information about a hash algorithm that is related to an AEAD. + * + * Regular hash algorithms should provide the "hash", "init", "update", + * and "finalize" functions. Extensible Output Functions (XOF's) should + * proivde the "hash", "init", "absorb", and "squeeze" functions. + */ +typedef struct +{ + const char *name; /**< Name of the hash algorithm */ + size_t state_size; /**< Size of the incremental state structure */ + unsigned hash_len; /**< Length of the hash in bytes */ + unsigned flags; /**< Flags for extra features */ + aead_hash_t hash; /**< All in one hashing function */ + aead_hash_init_t init; /**< Incremental hash/XOF init function */ + aead_hash_update_t update; /**< Incremental hash update function */ + aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ + aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ + aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ + +} aead_hash_algorithm_t; + +/** + * \brief Check an authentication tag in constant time. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + */ +int aead_check_tag + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len); + +/** + * \brief Check an authentication tag in constant time with a previous check. + * + * \param plaintext Points to the plaintext data. + * \param plaintext_len Length of the plaintext in bytes. + * \param tag1 First tag to compare. + * \param tag2 Second tag to compare. + * \param tag_len Length of the tags in bytes. + * \param precheck Set to -1 if previous check succeeded or 0 if it failed. + * + * \return Returns -1 if the tag check failed or 0 if the check succeeded. + * + * If the tag check fails, then the \a plaintext will also be zeroed to + * prevent it from being used accidentally by the application when the + * ciphertext was invalid. + * + * This version can be used to incorporate other information about the + * correctness of the plaintext into the final result. + */ +int aead_check_tag_precheck + (unsigned char *plaintext, unsigned long long plaintext_len, + const unsigned char *tag1, const unsigned char *tag2, + unsigned tag_len, int precheck); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/api.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/api.h new file mode 100644 index 0000000..b2f8a36 --- /dev/null +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/encrypt.c b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/encrypt.c new file mode 100644 index 0000000..f7bb1b4 --- /dev/null +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/encrypt.c @@ -0,0 +1,26 @@ + +#include "xoodyak.h" + +int crypto_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + return xoodyak_aead_encrypt + (c, clen, m, mlen, ad, adlen, nsec, npub, k); +} + +int crypto_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + return xoodyak_aead_decrypt + (m, mlen, nsec, c, clen, ad, adlen, npub, k); +} diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-util.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-util.h new file mode 100644 index 0000000..e79158c --- /dev/null +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-util.h @@ -0,0 +1,557 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_UTIL_H +#define LW_INTERNAL_UTIL_H + +#include + +/* Figure out how to inline functions using this C compiler */ +#if defined(__STDC__) && __STDC_VERSION__ >= 199901L +#define STATIC_INLINE static inline +#elif defined(__GNUC__) || defined(__clang__) +#define STATIC_INLINE static __inline__ +#else +#define STATIC_INLINE static +#endif + +/* Try to figure out whether the CPU is little-endian or big-endian. + * May need to modify this to include new compiler-specific defines. + * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your + * compiler flags when you compile this library */ +#if defined(__x86_64) || defined(__x86_64__) || \ + defined(__i386) || defined(__i386__) || \ + defined(__AVR__) || defined(__arm) || defined(__arm__) || \ + defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ + defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ + (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ + defined(__LITTLE_ENDIAN__) +#define LW_UTIL_LITTLE_ENDIAN 1 +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ + defined(__BIG_ENDIAN__) +/* Big endian */ +#else +#error "Cannot determine the endianess of this platform" +#endif + +/* Helper macros to load and store values while converting endian-ness */ + +/* Load a big-endian 32-bit word from a byte buffer */ +#define be_load_word32(ptr) \ + ((((uint32_t)((ptr)[0])) << 24) | \ + (((uint32_t)((ptr)[1])) << 16) | \ + (((uint32_t)((ptr)[2])) << 8) | \ + ((uint32_t)((ptr)[3]))) + +/* Store a big-endian 32-bit word into a byte buffer */ +#define be_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 24); \ + (ptr)[1] = (uint8_t)(_x >> 16); \ + (ptr)[2] = (uint8_t)(_x >> 8); \ + (ptr)[3] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 32-bit word from a byte buffer */ +#define le_load_word32(ptr) \ + ((((uint32_t)((ptr)[3])) << 24) | \ + (((uint32_t)((ptr)[2])) << 16) | \ + (((uint32_t)((ptr)[1])) << 8) | \ + ((uint32_t)((ptr)[0]))) + +/* Store a little-endian 32-bit word into a byte buffer */ +#define le_store_word32(ptr, x) \ + do { \ + uint32_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + } while (0) + +/* Load a big-endian 64-bit word from a byte buffer */ +#define be_load_word64(ptr) \ + ((((uint64_t)((ptr)[0])) << 56) | \ + (((uint64_t)((ptr)[1])) << 48) | \ + (((uint64_t)((ptr)[2])) << 40) | \ + (((uint64_t)((ptr)[3])) << 32) | \ + (((uint64_t)((ptr)[4])) << 24) | \ + (((uint64_t)((ptr)[5])) << 16) | \ + (((uint64_t)((ptr)[6])) << 8) | \ + ((uint64_t)((ptr)[7]))) + +/* Store a big-endian 64-bit word into a byte buffer */ +#define be_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 56); \ + (ptr)[1] = (uint8_t)(_x >> 48); \ + (ptr)[2] = (uint8_t)(_x >> 40); \ + (ptr)[3] = (uint8_t)(_x >> 32); \ + (ptr)[4] = (uint8_t)(_x >> 24); \ + (ptr)[5] = (uint8_t)(_x >> 16); \ + (ptr)[6] = (uint8_t)(_x >> 8); \ + (ptr)[7] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 64-bit word from a byte buffer */ +#define le_load_word64(ptr) \ + ((((uint64_t)((ptr)[7])) << 56) | \ + (((uint64_t)((ptr)[6])) << 48) | \ + (((uint64_t)((ptr)[5])) << 40) | \ + (((uint64_t)((ptr)[4])) << 32) | \ + (((uint64_t)((ptr)[3])) << 24) | \ + (((uint64_t)((ptr)[2])) << 16) | \ + (((uint64_t)((ptr)[1])) << 8) | \ + ((uint64_t)((ptr)[0]))) + +/* Store a little-endian 64-bit word into a byte buffer */ +#define le_store_word64(ptr, x) \ + do { \ + uint64_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + (ptr)[2] = (uint8_t)(_x >> 16); \ + (ptr)[3] = (uint8_t)(_x >> 24); \ + (ptr)[4] = (uint8_t)(_x >> 32); \ + (ptr)[5] = (uint8_t)(_x >> 40); \ + (ptr)[6] = (uint8_t)(_x >> 48); \ + (ptr)[7] = (uint8_t)(_x >> 56); \ + } while (0) + +/* Load a big-endian 16-bit word from a byte buffer */ +#define be_load_word16(ptr) \ + ((((uint16_t)((ptr)[0])) << 8) | \ + ((uint16_t)((ptr)[1]))) + +/* Store a big-endian 16-bit word into a byte buffer */ +#define be_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)(_x >> 8); \ + (ptr)[1] = (uint8_t)_x; \ + } while (0) + +/* Load a little-endian 16-bit word from a byte buffer */ +#define le_load_word16(ptr) \ + ((((uint16_t)((ptr)[1])) << 8) | \ + ((uint16_t)((ptr)[0]))) + +/* Store a little-endian 16-bit word into a byte buffer */ +#define le_store_word16(ptr, x) \ + do { \ + uint16_t _x = (x); \ + (ptr)[0] = (uint8_t)_x; \ + (ptr)[1] = (uint8_t)(_x >> 8); \ + } while (0) + +/* XOR a source byte buffer against a destination */ +#define lw_xor_block(dest, src, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ ^= *_src++; \ + --_len; \ + } \ + } while (0) + +/* XOR two source byte buffers and put the result in a destination buffer */ +#define lw_xor_block_2_src(dest, src1, src2, len) \ + do { \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest++ = *_src1++ ^ *_src2++; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time */ +#define lw_xor_block_2_dest(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + *_dest2++ = (*_dest++ ^= *_src++); \ + --_len; \ + } \ + } while (0) + +/* XOR two byte buffers and write to a destination which at the same + * time copying the contents of src2 to dest2 */ +#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src1 = (src1); \ + const unsigned char *_src2 = (src2); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src2++; \ + *_dest2++ = _temp; \ + *_dest++ = *_src1++ ^ _temp; \ + --_len; \ + } \ + } while (0) + +/* XOR a source byte buffer against a destination and write to another + * destination at the same time. This version swaps the source value + * into the "dest" buffer */ +#define lw_xor_block_swap(dest2, dest, src, len) \ + do { \ + unsigned char *_dest2 = (dest2); \ + unsigned char *_dest = (dest); \ + const unsigned char *_src = (src); \ + unsigned _len = (len); \ + while (_len > 0) { \ + unsigned char _temp = *_src++; \ + *_dest2++ = *_dest ^ _temp; \ + *_dest++ = _temp; \ + --_len; \ + } \ + } while (0) + +/* Rotation macros for 32-bit arguments */ + +/* Generic left rotate */ +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1(a) (leftRotate((a), 1)) +#define leftRotate2(a) (leftRotate((a), 2)) +#define leftRotate3(a) (leftRotate((a), 3)) +#define leftRotate4(a) (leftRotate((a), 4)) +#define leftRotate5(a) (leftRotate((a), 5)) +#define leftRotate6(a) (leftRotate((a), 6)) +#define leftRotate7(a) (leftRotate((a), 7)) +#define leftRotate8(a) (leftRotate((a), 8)) +#define leftRotate9(a) (leftRotate((a), 9)) +#define leftRotate10(a) (leftRotate((a), 10)) +#define leftRotate11(a) (leftRotate((a), 11)) +#define leftRotate12(a) (leftRotate((a), 12)) +#define leftRotate13(a) (leftRotate((a), 13)) +#define leftRotate14(a) (leftRotate((a), 14)) +#define leftRotate15(a) (leftRotate((a), 15)) +#define leftRotate16(a) (leftRotate((a), 16)) +#define leftRotate17(a) (leftRotate((a), 17)) +#define leftRotate18(a) (leftRotate((a), 18)) +#define leftRotate19(a) (leftRotate((a), 19)) +#define leftRotate20(a) (leftRotate((a), 20)) +#define leftRotate21(a) (leftRotate((a), 21)) +#define leftRotate22(a) (leftRotate((a), 22)) +#define leftRotate23(a) (leftRotate((a), 23)) +#define leftRotate24(a) (leftRotate((a), 24)) +#define leftRotate25(a) (leftRotate((a), 25)) +#define leftRotate26(a) (leftRotate((a), 26)) +#define leftRotate27(a) (leftRotate((a), 27)) +#define leftRotate28(a) (leftRotate((a), 28)) +#define leftRotate29(a) (leftRotate((a), 29)) +#define leftRotate30(a) (leftRotate((a), 30)) +#define leftRotate31(a) (leftRotate((a), 31)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1(a) (rightRotate((a), 1)) +#define rightRotate2(a) (rightRotate((a), 2)) +#define rightRotate3(a) (rightRotate((a), 3)) +#define rightRotate4(a) (rightRotate((a), 4)) +#define rightRotate5(a) (rightRotate((a), 5)) +#define rightRotate6(a) (rightRotate((a), 6)) +#define rightRotate7(a) (rightRotate((a), 7)) +#define rightRotate8(a) (rightRotate((a), 8)) +#define rightRotate9(a) (rightRotate((a), 9)) +#define rightRotate10(a) (rightRotate((a), 10)) +#define rightRotate11(a) (rightRotate((a), 11)) +#define rightRotate12(a) (rightRotate((a), 12)) +#define rightRotate13(a) (rightRotate((a), 13)) +#define rightRotate14(a) (rightRotate((a), 14)) +#define rightRotate15(a) (rightRotate((a), 15)) +#define rightRotate16(a) (rightRotate((a), 16)) +#define rightRotate17(a) (rightRotate((a), 17)) +#define rightRotate18(a) (rightRotate((a), 18)) +#define rightRotate19(a) (rightRotate((a), 19)) +#define rightRotate20(a) (rightRotate((a), 20)) +#define rightRotate21(a) (rightRotate((a), 21)) +#define rightRotate22(a) (rightRotate((a), 22)) +#define rightRotate23(a) (rightRotate((a), 23)) +#define rightRotate24(a) (rightRotate((a), 24)) +#define rightRotate25(a) (rightRotate((a), 25)) +#define rightRotate26(a) (rightRotate((a), 26)) +#define rightRotate27(a) (rightRotate((a), 27)) +#define rightRotate28(a) (rightRotate((a), 28)) +#define rightRotate29(a) (rightRotate((a), 29)) +#define rightRotate30(a) (rightRotate((a), 30)) +#define rightRotate31(a) (rightRotate((a), 31)) + +/* Rotation macros for 64-bit arguments */ + +/* Generic left rotate */ +#define leftRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (64 - (bits))); \ + })) + +/* Generic right rotate */ +#define rightRotate_64(a, bits) \ + (__extension__ ({ \ + uint64_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (64 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_64(a) (leftRotate_64((a), 1)) +#define leftRotate2_64(a) (leftRotate_64((a), 2)) +#define leftRotate3_64(a) (leftRotate_64((a), 3)) +#define leftRotate4_64(a) (leftRotate_64((a), 4)) +#define leftRotate5_64(a) (leftRotate_64((a), 5)) +#define leftRotate6_64(a) (leftRotate_64((a), 6)) +#define leftRotate7_64(a) (leftRotate_64((a), 7)) +#define leftRotate8_64(a) (leftRotate_64((a), 8)) +#define leftRotate9_64(a) (leftRotate_64((a), 9)) +#define leftRotate10_64(a) (leftRotate_64((a), 10)) +#define leftRotate11_64(a) (leftRotate_64((a), 11)) +#define leftRotate12_64(a) (leftRotate_64((a), 12)) +#define leftRotate13_64(a) (leftRotate_64((a), 13)) +#define leftRotate14_64(a) (leftRotate_64((a), 14)) +#define leftRotate15_64(a) (leftRotate_64((a), 15)) +#define leftRotate16_64(a) (leftRotate_64((a), 16)) +#define leftRotate17_64(a) (leftRotate_64((a), 17)) +#define leftRotate18_64(a) (leftRotate_64((a), 18)) +#define leftRotate19_64(a) (leftRotate_64((a), 19)) +#define leftRotate20_64(a) (leftRotate_64((a), 20)) +#define leftRotate21_64(a) (leftRotate_64((a), 21)) +#define leftRotate22_64(a) (leftRotate_64((a), 22)) +#define leftRotate23_64(a) (leftRotate_64((a), 23)) +#define leftRotate24_64(a) (leftRotate_64((a), 24)) +#define leftRotate25_64(a) (leftRotate_64((a), 25)) +#define leftRotate26_64(a) (leftRotate_64((a), 26)) +#define leftRotate27_64(a) (leftRotate_64((a), 27)) +#define leftRotate28_64(a) (leftRotate_64((a), 28)) +#define leftRotate29_64(a) (leftRotate_64((a), 29)) +#define leftRotate30_64(a) (leftRotate_64((a), 30)) +#define leftRotate31_64(a) (leftRotate_64((a), 31)) +#define leftRotate32_64(a) (leftRotate_64((a), 32)) +#define leftRotate33_64(a) (leftRotate_64((a), 33)) +#define leftRotate34_64(a) (leftRotate_64((a), 34)) +#define leftRotate35_64(a) (leftRotate_64((a), 35)) +#define leftRotate36_64(a) (leftRotate_64((a), 36)) +#define leftRotate37_64(a) (leftRotate_64((a), 37)) +#define leftRotate38_64(a) (leftRotate_64((a), 38)) +#define leftRotate39_64(a) (leftRotate_64((a), 39)) +#define leftRotate40_64(a) (leftRotate_64((a), 40)) +#define leftRotate41_64(a) (leftRotate_64((a), 41)) +#define leftRotate42_64(a) (leftRotate_64((a), 42)) +#define leftRotate43_64(a) (leftRotate_64((a), 43)) +#define leftRotate44_64(a) (leftRotate_64((a), 44)) +#define leftRotate45_64(a) (leftRotate_64((a), 45)) +#define leftRotate46_64(a) (leftRotate_64((a), 46)) +#define leftRotate47_64(a) (leftRotate_64((a), 47)) +#define leftRotate48_64(a) (leftRotate_64((a), 48)) +#define leftRotate49_64(a) (leftRotate_64((a), 49)) +#define leftRotate50_64(a) (leftRotate_64((a), 50)) +#define leftRotate51_64(a) (leftRotate_64((a), 51)) +#define leftRotate52_64(a) (leftRotate_64((a), 52)) +#define leftRotate53_64(a) (leftRotate_64((a), 53)) +#define leftRotate54_64(a) (leftRotate_64((a), 54)) +#define leftRotate55_64(a) (leftRotate_64((a), 55)) +#define leftRotate56_64(a) (leftRotate_64((a), 56)) +#define leftRotate57_64(a) (leftRotate_64((a), 57)) +#define leftRotate58_64(a) (leftRotate_64((a), 58)) +#define leftRotate59_64(a) (leftRotate_64((a), 59)) +#define leftRotate60_64(a) (leftRotate_64((a), 60)) +#define leftRotate61_64(a) (leftRotate_64((a), 61)) +#define leftRotate62_64(a) (leftRotate_64((a), 62)) +#define leftRotate63_64(a) (leftRotate_64((a), 63)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_64(a) (rightRotate_64((a), 1)) +#define rightRotate2_64(a) (rightRotate_64((a), 2)) +#define rightRotate3_64(a) (rightRotate_64((a), 3)) +#define rightRotate4_64(a) (rightRotate_64((a), 4)) +#define rightRotate5_64(a) (rightRotate_64((a), 5)) +#define rightRotate6_64(a) (rightRotate_64((a), 6)) +#define rightRotate7_64(a) (rightRotate_64((a), 7)) +#define rightRotate8_64(a) (rightRotate_64((a), 8)) +#define rightRotate9_64(a) (rightRotate_64((a), 9)) +#define rightRotate10_64(a) (rightRotate_64((a), 10)) +#define rightRotate11_64(a) (rightRotate_64((a), 11)) +#define rightRotate12_64(a) (rightRotate_64((a), 12)) +#define rightRotate13_64(a) (rightRotate_64((a), 13)) +#define rightRotate14_64(a) (rightRotate_64((a), 14)) +#define rightRotate15_64(a) (rightRotate_64((a), 15)) +#define rightRotate16_64(a) (rightRotate_64((a), 16)) +#define rightRotate17_64(a) (rightRotate_64((a), 17)) +#define rightRotate18_64(a) (rightRotate_64((a), 18)) +#define rightRotate19_64(a) (rightRotate_64((a), 19)) +#define rightRotate20_64(a) (rightRotate_64((a), 20)) +#define rightRotate21_64(a) (rightRotate_64((a), 21)) +#define rightRotate22_64(a) (rightRotate_64((a), 22)) +#define rightRotate23_64(a) (rightRotate_64((a), 23)) +#define rightRotate24_64(a) (rightRotate_64((a), 24)) +#define rightRotate25_64(a) (rightRotate_64((a), 25)) +#define rightRotate26_64(a) (rightRotate_64((a), 26)) +#define rightRotate27_64(a) (rightRotate_64((a), 27)) +#define rightRotate28_64(a) (rightRotate_64((a), 28)) +#define rightRotate29_64(a) (rightRotate_64((a), 29)) +#define rightRotate30_64(a) (rightRotate_64((a), 30)) +#define rightRotate31_64(a) (rightRotate_64((a), 31)) +#define rightRotate32_64(a) (rightRotate_64((a), 32)) +#define rightRotate33_64(a) (rightRotate_64((a), 33)) +#define rightRotate34_64(a) (rightRotate_64((a), 34)) +#define rightRotate35_64(a) (rightRotate_64((a), 35)) +#define rightRotate36_64(a) (rightRotate_64((a), 36)) +#define rightRotate37_64(a) (rightRotate_64((a), 37)) +#define rightRotate38_64(a) (rightRotate_64((a), 38)) +#define rightRotate39_64(a) (rightRotate_64((a), 39)) +#define rightRotate40_64(a) (rightRotate_64((a), 40)) +#define rightRotate41_64(a) (rightRotate_64((a), 41)) +#define rightRotate42_64(a) (rightRotate_64((a), 42)) +#define rightRotate43_64(a) (rightRotate_64((a), 43)) +#define rightRotate44_64(a) (rightRotate_64((a), 44)) +#define rightRotate45_64(a) (rightRotate_64((a), 45)) +#define rightRotate46_64(a) (rightRotate_64((a), 46)) +#define rightRotate47_64(a) (rightRotate_64((a), 47)) +#define rightRotate48_64(a) (rightRotate_64((a), 48)) +#define rightRotate49_64(a) (rightRotate_64((a), 49)) +#define rightRotate50_64(a) (rightRotate_64((a), 50)) +#define rightRotate51_64(a) (rightRotate_64((a), 51)) +#define rightRotate52_64(a) (rightRotate_64((a), 52)) +#define rightRotate53_64(a) (rightRotate_64((a), 53)) +#define rightRotate54_64(a) (rightRotate_64((a), 54)) +#define rightRotate55_64(a) (rightRotate_64((a), 55)) +#define rightRotate56_64(a) (rightRotate_64((a), 56)) +#define rightRotate57_64(a) (rightRotate_64((a), 57)) +#define rightRotate58_64(a) (rightRotate_64((a), 58)) +#define rightRotate59_64(a) (rightRotate_64((a), 59)) +#define rightRotate60_64(a) (rightRotate_64((a), 60)) +#define rightRotate61_64(a) (rightRotate_64((a), 61)) +#define rightRotate62_64(a) (rightRotate_64((a), 62)) +#define rightRotate63_64(a) (rightRotate_64((a), 63)) + +/* Rotate a 16-bit value left by a number of bits */ +#define leftRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (16 - (bits))); \ + })) + +/* Rotate a 16-bit value right by a number of bits */ +#define rightRotate_16(a, bits) \ + (__extension__ ({ \ + uint16_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (16 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_16(a) (leftRotate_16((a), 1)) +#define leftRotate2_16(a) (leftRotate_16((a), 2)) +#define leftRotate3_16(a) (leftRotate_16((a), 3)) +#define leftRotate4_16(a) (leftRotate_16((a), 4)) +#define leftRotate5_16(a) (leftRotate_16((a), 5)) +#define leftRotate6_16(a) (leftRotate_16((a), 6)) +#define leftRotate7_16(a) (leftRotate_16((a), 7)) +#define leftRotate8_16(a) (leftRotate_16((a), 8)) +#define leftRotate9_16(a) (leftRotate_16((a), 9)) +#define leftRotate10_16(a) (leftRotate_16((a), 10)) +#define leftRotate11_16(a) (leftRotate_16((a), 11)) +#define leftRotate12_16(a) (leftRotate_16((a), 12)) +#define leftRotate13_16(a) (leftRotate_16((a), 13)) +#define leftRotate14_16(a) (leftRotate_16((a), 14)) +#define leftRotate15_16(a) (leftRotate_16((a), 15)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_16(a) (rightRotate_16((a), 1)) +#define rightRotate2_16(a) (rightRotate_16((a), 2)) +#define rightRotate3_16(a) (rightRotate_16((a), 3)) +#define rightRotate4_16(a) (rightRotate_16((a), 4)) +#define rightRotate5_16(a) (rightRotate_16((a), 5)) +#define rightRotate6_16(a) (rightRotate_16((a), 6)) +#define rightRotate7_16(a) (rightRotate_16((a), 7)) +#define rightRotate8_16(a) (rightRotate_16((a), 8)) +#define rightRotate9_16(a) (rightRotate_16((a), 9)) +#define rightRotate10_16(a) (rightRotate_16((a), 10)) +#define rightRotate11_16(a) (rightRotate_16((a), 11)) +#define rightRotate12_16(a) (rightRotate_16((a), 12)) +#define rightRotate13_16(a) (rightRotate_16((a), 13)) +#define rightRotate14_16(a) (rightRotate_16((a), 14)) +#define rightRotate15_16(a) (rightRotate_16((a), 15)) + +/* Rotate an 8-bit value left by a number of bits */ +#define leftRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (8 - (bits))); \ + })) + +/* Rotate an 8-bit value right by a number of bits */ +#define rightRotate_8(a, bits) \ + (__extension__ ({ \ + uint8_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (8 - (bits))); \ + })) + +/* Left rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define leftRotate1_8(a) (leftRotate_8((a), 1)) +#define leftRotate2_8(a) (leftRotate_8((a), 2)) +#define leftRotate3_8(a) (leftRotate_8((a), 3)) +#define leftRotate4_8(a) (leftRotate_8((a), 4)) +#define leftRotate5_8(a) (leftRotate_8((a), 5)) +#define leftRotate6_8(a) (leftRotate_8((a), 6)) +#define leftRotate7_8(a) (leftRotate_8((a), 7)) + +/* Right rotate by a specific number of bits. These macros may be replaced + * with more efficient ones on platforms that lack a barrel shifter */ +#define rightRotate1_8(a) (rightRotate_8((a), 1)) +#define rightRotate2_8(a) (rightRotate_8((a), 2)) +#define rightRotate3_8(a) (rightRotate_8((a), 3)) +#define rightRotate4_8(a) (rightRotate_8((a), 4)) +#define rightRotate5_8(a) (rightRotate_8((a), 5)) +#define rightRotate6_8(a) (rightRotate_8((a), 6)) +#define rightRotate7_8(a) (rightRotate_8((a), 7)) + +#endif diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.c b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.c new file mode 100644 index 0000000..f129833 --- /dev/null +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.c @@ -0,0 +1,162 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-xoodoo.h" + +void xoodoo_permute(xoodoo_state_t *state) +{ + static uint16_t const rc[XOODOO_ROUNDS] = { + 0x0058, 0x0038, 0x03C0, 0x00D0, 0x0120, 0x0014, + 0x0060, 0x002C, 0x0380, 0x00F0, 0x01A0, 0x0012 + }; + uint8_t round; + uint32_t x00, x01, x02, x03; + uint32_t x10, x11, x12, x13; + uint32_t x20, x21, x22, x23; + uint32_t t1, t2; + + /* Load the state and convert from little-endian byte order */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x00 = state->S[0][0]; + x01 = state->S[0][1]; + x02 = state->S[0][2]; + x03 = state->S[0][3]; + x10 = state->S[1][0]; + x11 = state->S[1][1]; + x12 = state->S[1][2]; + x13 = state->S[1][3]; + x20 = state->S[2][0]; + x21 = state->S[2][1]; + x22 = state->S[2][2]; + x23 = state->S[2][3]; +#else + x00 = le_load_word32(state->B); + x01 = le_load_word32(state->B + 4); + x02 = le_load_word32(state->B + 8); + x03 = le_load_word32(state->B + 12); + x10 = le_load_word32(state->B + 16); + x11 = le_load_word32(state->B + 20); + x12 = le_load_word32(state->B + 24); + x13 = le_load_word32(state->B + 28); + x20 = le_load_word32(state->B + 32); + x21 = le_load_word32(state->B + 36); + x22 = le_load_word32(state->B + 40); + x23 = le_load_word32(state->B + 44); +#endif + + /* Perform all permutation rounds */ + for (round = 0; round < XOODOO_ROUNDS; ++round) { + /* Optimization ideas from the Xoodoo implementation here: + * https://github.com/XKCP/XKCP/tree/master/lib/low/Xoodoo/Optimized */ + + /* Step theta: Mix column parity */ + t1 = x03 ^ x13 ^ x23; + t2 = x00 ^ x10 ^ x20; + t1 = leftRotate5(t1) ^ leftRotate14(t1); + t2 = leftRotate5(t2) ^ leftRotate14(t2); + x00 ^= t1; + x10 ^= t1; + x20 ^= t1; + t1 = x01 ^ x11 ^ x21; + t1 = leftRotate5(t1) ^ leftRotate14(t1); + x01 ^= t2; + x11 ^= t2; + x21 ^= t2; + t2 = x02 ^ x12 ^ x22; + t2 = leftRotate5(t2) ^ leftRotate14(t2); + x02 ^= t1; + x12 ^= t1; + x22 ^= t1; + x03 ^= t2; + x13 ^= t2; + x23 ^= t2; + + /* Step rho-west: Plane shift */ + t1 = x13; + x13 = x12; + x12 = x11; + x11 = x10; + x10 = t1; + x20 = leftRotate11(x20); + x21 = leftRotate11(x21); + x22 = leftRotate11(x22); + x23 = leftRotate11(x23); + + /* Step iota: Add the round constant to the state */ + x00 ^= rc[round]; + + /* Step chi: Non-linear layer */ + x00 ^= (~x10) & x20; + x10 ^= (~x20) & x00; + x20 ^= (~x00) & x10; + x01 ^= (~x11) & x21; + x11 ^= (~x21) & x01; + x21 ^= (~x01) & x11; + x02 ^= (~x12) & x22; + x12 ^= (~x22) & x02; + x22 ^= (~x02) & x12; + x03 ^= (~x13) & x23; + x13 ^= (~x23) & x03; + x23 ^= (~x03) & x13; + + /* Step rho-east: Plane shift */ + x10 = leftRotate1(x10); + x11 = leftRotate1(x11); + x12 = leftRotate1(x12); + x13 = leftRotate1(x13); + t1 = leftRotate8(x22); + t2 = leftRotate8(x23); + x22 = leftRotate8(x20); + x23 = leftRotate8(x21); + x20 = t1; + x21 = t2; + } + + /* Convert back into little-endian and store to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0][0] = x00; + state->S[0][1] = x01; + state->S[0][2] = x02; + state->S[0][3] = x03; + state->S[1][0] = x10; + state->S[1][1] = x11; + state->S[1][2] = x12; + state->S[1][3] = x13; + state->S[2][0] = x20; + state->S[2][1] = x21; + state->S[2][2] = x22; + state->S[2][3] = x23; +#else + le_store_word32(state->B, x00); + le_store_word32(state->B + 4, x01); + le_store_word32(state->B + 8, x02); + le_store_word32(state->B + 12, x03); + le_store_word32(state->B + 16, x10); + le_store_word32(state->B + 20, x11); + le_store_word32(state->B + 24, x12); + le_store_word32(state->B + 28, x13); + le_store_word32(state->B + 32, x20); + le_store_word32(state->B + 36, x21); + le_store_word32(state->B + 40, x22); + le_store_word32(state->B + 44, x23); +#endif +} diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.h new file mode 100644 index 0000000..f6eddd8 --- /dev/null +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.h @@ -0,0 +1,80 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_XOODOO_H +#define LW_INTERNAL_XOODOO_H + +#include "internal-util.h" + +/** + * \file internal-xoodoo.h + * \brief Internal implementation of the Xoodoo permutation. + * + * References: https://keccak.team/xoodyak.html + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Number of rows in the Xoodoo state. + */ +#define XOODOO_ROWS 3 + +/** + * \brief Number of columns in the Xoodoo state. + */ +#define XOODOO_COLS 4 + +/** + * \brief Number of rounds for the Xoodoo permutation. + */ +#define XOODOO_ROUNDS 12 + +/** + * \brief State information for the Xoodoo permutation. + */ +typedef union +{ + /** Words of the state */ + uint32_t S[XOODOO_ROWS][XOODOO_COLS]; + + /** Bytes of the state */ + uint8_t B[XOODOO_ROWS * XOODOO_COLS * sizeof(uint32_t)]; + +} xoodoo_state_t; + +/** + * \brief Permutes the Xoodoo state. + * + * \param state The Xoodoo state. + * + * The state will be in little-endian before and after the operation. + */ +void xoodoo_permute(xoodoo_state_t *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.c b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.c new file mode 100644 index 0000000..4ad4fce --- /dev/null +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.c @@ -0,0 +1,321 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "xoodyak.h" +#include "internal-xoodoo.h" +#include + +aead_cipher_t const xoodyak_cipher = { + "Xoodyak", + XOODYAK_KEY_SIZE, + XOODYAK_NONCE_SIZE, + XOODYAK_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + xoodyak_aead_encrypt, + xoodyak_aead_decrypt +}; + +aead_hash_algorithm_t const xoodyak_hash_algorithm = { + "Xoodyak-Hash", + sizeof(xoodyak_hash_state_t), + XOODYAK_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + xoodyak_hash, + (aead_hash_init_t)xoodyak_hash_init, + (aead_hash_update_t)xoodyak_hash_absorb, + (aead_hash_finalize_t)xoodyak_hash_finalize, + (aead_xof_absorb_t)xoodyak_hash_absorb, + (aead_xof_squeeze_t)xoodyak_hash_squeeze +}; + +/** + * \brief Rate for absorbing data into the sponge state. + */ +#define XOODYAK_ABSORB_RATE 44 + +/** + * \brief Rate for squeezing data out of the sponge. + */ +#define XOODYAK_SQUEEZE_RATE 24 + +/** + * \brief Rate for absorbing and squeezing in hashing mode. + */ +#define XOODYAK_HASH_RATE 16 + +/** + * \brief Phase identifier for "up" mode, which indicates that a block + * permutation has just been performed. + */ +#define XOODYAK_PHASE_UP 0 + +/** + * \brief Phase identifier for "down" mode, which indicates that data has + * been absorbed but that a block permutation has not been done yet. + */ +#define XOODYAK_PHASE_DOWN 1 + +/** + * \brief Absorbs data into the Xoodoo permutation state. + * + * \param state Xoodoo permutation state. + * \param phase Points to the current phase, up or down. + * \param data Points to the data to be absorbed. + * \param len Length of the data to be absorbed. + */ +static void xoodyak_absorb + (xoodoo_state_t *state, uint8_t *phase, + const unsigned char *data, unsigned long long len) +{ + uint8_t domain = 0x03; + unsigned temp; + while (len > XOODYAK_ABSORB_RATE) { + if (*phase != XOODYAK_PHASE_UP) + xoodoo_permute(state); + lw_xor_block(state->B, data, XOODYAK_ABSORB_RATE); + state->B[XOODYAK_ABSORB_RATE] ^= 0x01; /* Padding */ + state->B[sizeof(state->B) - 1] ^= domain; + data += XOODYAK_ABSORB_RATE; + len -= XOODYAK_ABSORB_RATE; + domain = 0x00; + *phase = XOODYAK_PHASE_DOWN; + } + temp = (unsigned)len; + if (*phase != XOODYAK_PHASE_UP) + xoodoo_permute(state); + lw_xor_block(state->B, data, temp); + state->B[temp] ^= 0x01; /* Padding */ + state->B[sizeof(state->B) - 1] ^= domain; + *phase = XOODYAK_PHASE_DOWN; +} + +int xoodyak_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + xoodoo_state_t state; + uint8_t phase, domain; + unsigned temp; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + XOODYAK_TAG_SIZE; + + /* Initialize the state with the key */ + memcpy(state.B, k, XOODYAK_KEY_SIZE); + memset(state.B + XOODYAK_KEY_SIZE, 0, sizeof(state.B) - XOODYAK_KEY_SIZE); + state.B[XOODYAK_KEY_SIZE + 1] = 0x01; /* Padding */ + state.B[sizeof(state.B) - 1] = 0x02; /* Domain separation */ + phase = XOODYAK_PHASE_DOWN; + + /* Absorb the nonce and associated data */ + xoodyak_absorb(&state, &phase, npub, XOODYAK_NONCE_SIZE); + xoodyak_absorb(&state, &phase, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + domain = 0x80; + while (mlen > XOODYAK_SQUEEZE_RATE) { + state.B[sizeof(state.B) - 1] ^= domain; + xoodoo_permute(&state); + lw_xor_block_2_dest(c, state.B, m, XOODYAK_SQUEEZE_RATE); + state.B[XOODYAK_SQUEEZE_RATE] ^= 0x01; /* Padding */ + c += XOODYAK_SQUEEZE_RATE; + m += XOODYAK_SQUEEZE_RATE; + mlen -= XOODYAK_SQUEEZE_RATE; + domain = 0; + } + state.B[sizeof(state.B) - 1] ^= domain; + xoodoo_permute(&state); + temp = (unsigned)mlen; + lw_xor_block_2_dest(c, state.B, m, temp); + state.B[temp] ^= 0x01; /* Padding */ + c += temp; + + /* Generate the authentication tag */ + state.B[sizeof(state.B) - 1] ^= 0x40; /* Domain separation */ + xoodoo_permute(&state); + memcpy(c, state.B, XOODYAK_TAG_SIZE); + return 0; +} + +int xoodyak_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + xoodoo_state_t state; + uint8_t phase, domain; + unsigned temp; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < XOODYAK_TAG_SIZE) + return -1; + *mlen = clen - XOODYAK_TAG_SIZE; + + /* Initialize the state with the key */ + memcpy(state.B, k, XOODYAK_KEY_SIZE); + memset(state.B + XOODYAK_KEY_SIZE, 0, sizeof(state.B) - XOODYAK_KEY_SIZE); + state.B[XOODYAK_KEY_SIZE + 1] = 0x01; /* Padding */ + state.B[sizeof(state.B) - 1] = 0x02; /* Domain separation */ + phase = XOODYAK_PHASE_DOWN; + + /* Absorb the nonce and associated data */ + xoodyak_absorb(&state, &phase, npub, XOODYAK_NONCE_SIZE); + xoodyak_absorb(&state, &phase, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + domain = 0x80; + clen -= XOODYAK_TAG_SIZE; + while (clen > XOODYAK_SQUEEZE_RATE) { + state.B[sizeof(state.B) - 1] ^= domain; + xoodoo_permute(&state); + lw_xor_block_swap(m, state.B, c, XOODYAK_SQUEEZE_RATE); + state.B[XOODYAK_SQUEEZE_RATE] ^= 0x01; /* Padding */ + c += XOODYAK_SQUEEZE_RATE; + m += XOODYAK_SQUEEZE_RATE; + clen -= XOODYAK_SQUEEZE_RATE; + domain = 0; + } + state.B[sizeof(state.B) - 1] ^= domain; + xoodoo_permute(&state); + temp = (unsigned)clen; + lw_xor_block_swap(m, state.B, c, temp); + state.B[temp] ^= 0x01; /* Padding */ + c += temp; + + /* Check the authentication tag */ + state.B[sizeof(state.B) - 1] ^= 0x40; /* Domain separation */ + xoodoo_permute(&state); + return aead_check_tag(mtemp, *mlen, state.B, c, XOODYAK_TAG_SIZE); +} + +int xoodyak_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + xoodyak_hash_state_t state; + xoodyak_hash_init(&state); + xoodyak_hash_absorb(&state, in, inlen); + xoodyak_hash_squeeze(&state, out, XOODYAK_HASH_SIZE); + return 0; +} + +#define XOODYAK_HASH_MODE_INIT_ABSORB 0 +#define XOODYAK_HASH_MODE_ABSORB 1 +#define XOODYAK_HASH_MODE_SQUEEZE 2 + +#define xoodoo_hash_permute(state) \ + xoodoo_permute((xoodoo_state_t *)((state)->s.state)) + +void xoodyak_hash_init(xoodyak_hash_state_t *state) +{ + memset(state, 0, sizeof(xoodyak_hash_state_t)); + state->s.mode = XOODYAK_HASH_MODE_INIT_ABSORB; +} + +void xoodyak_hash_absorb + (xoodyak_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + uint8_t domain; + unsigned temp; + + /* If we were squeezing, then restart the absorb phase */ + if (state->s.mode == XOODYAK_HASH_MODE_SQUEEZE) { + xoodoo_hash_permute(state); + state->s.mode = XOODYAK_HASH_MODE_INIT_ABSORB; + state->s.count = 0; + } + + /* The first block needs a different domain separator to the others */ + domain = (state->s.mode == XOODYAK_HASH_MODE_INIT_ABSORB) ? 0x01 : 0x00; + + /* Absorb the input data into the state */ + while (inlen > 0) { + if (state->s.count >= XOODYAK_HASH_RATE) { + state->s.state[XOODYAK_HASH_RATE] ^= 0x01; /* Padding */ + state->s.state[sizeof(state->s.state) - 1] ^= domain; + xoodoo_hash_permute(state); + state->s.mode = XOODYAK_HASH_MODE_ABSORB; + state->s.count = 0; + domain = 0x00; + } + temp = XOODYAK_HASH_RATE - state->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + lw_xor_block(state->s.state + state->s.count, in, temp); + state->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void xoodyak_hash_squeeze + (xoodyak_hash_state_t *state, unsigned char *out, + unsigned long long outlen) +{ + uint8_t domain; + unsigned temp; + + /* If we were absorbing, then terminate the absorb phase */ + if (state->s.mode != XOODYAK_HASH_MODE_SQUEEZE) { + domain = (state->s.mode == XOODYAK_HASH_MODE_INIT_ABSORB) ? 0x01 : 0x00; + state->s.state[state->s.count] ^= 0x01; /* Padding */ + state->s.state[sizeof(state->s.state) - 1] ^= domain; + xoodoo_hash_permute(state); + state->s.mode = XOODYAK_HASH_MODE_SQUEEZE; + state->s.count = 0; + } + + /* Squeeze data out of the state */ + while (outlen > 0) { + if (state->s.count >= XOODYAK_HASH_RATE) { + /* Padding is always at index 0 for squeezing subsequent + * blocks because the number of bytes we have absorbed + * since the previous block was squeezed out is zero */ + state->s.state[0] ^= 0x01; + xoodoo_hash_permute(state); + state->s.count = 0; + } + temp = XOODYAK_HASH_RATE - state->s.count; + if (temp > outlen) + temp = (unsigned)outlen; + memcpy(out, state->s.state + state->s.count, temp); + state->s.count += temp; + out += temp; + outlen -= temp; + } +} + +void xoodyak_hash_finalize + (xoodyak_hash_state_t *state, unsigned char *out) +{ + xoodyak_hash_squeeze(state, out, XOODYAK_HASH_SIZE); +} diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.h new file mode 100644 index 0000000..f4777d5 --- /dev/null +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/xoodyak.h @@ -0,0 +1,226 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LWCRYPTO_XOODYAK_H +#define LWCRYPTO_XOODYAK_H + +#include "aead-common.h" + +/** + * \file xoodyak.h + * \brief Xoodyak authenticated encryption algorithm. + * + * Xoodyak is an authenticated encryption and hash algorithm pair based + * around the 384-bit Xoodoo permutation that is similar in structure to + * Keccak but is more efficient than Keccak on 32-bit embedded devices. + * The Cyclist mode of operation is used to convert the permutation + * into a sponge for the higher-level algorithms. + * + * The Xoodyak encryption mode has a 128-bit key, a 128-bit nonce, + * and a 128-bit authentication tag. The Xoodyak hashing mode has a + * 256-bit fixed hash output and can also be used as an extensible + * output function (XOF). + * + * The Xoodyak specification describes a re-keying mechanism where the + * key for one packet is used to derive the key to use on the next packet. + * This provides some resistance against side channel attacks by making + * the session key a moving target. This library does not currently + * implement re-keying. + * + * References: https://keccak.team/xoodyak.html + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Size of the key for Xoodyak. + */ +#define XOODYAK_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for Xoodyak. + */ +#define XOODYAK_TAG_SIZE 16 + +/** + * \brief Size of the nonce for Xoodyak. + */ +#define XOODYAK_NONCE_SIZE 16 + +/** + * \brief Size of the hash output for Xoodyak. + */ +#define XOODYAK_HASH_SIZE 32 + +/** + * \brief State information for Xoodyak incremental hashing modes. + */ +typedef union +{ + struct { + unsigned char state[48]; /**< Current hash state */ + unsigned char count; /**< Number of bytes in the current block */ + unsigned char mode; /**< Hash mode: absorb or squeeze */ + } s; /**< State */ + unsigned long long align; /**< For alignment of this structure */ + +} xoodyak_hash_state_t; + +/** + * \brief Meta-information block for the Xoodyak cipher. + */ +extern aead_cipher_t const xoodyak_cipher; + +/** + * \brief Meta-information block for the Xoodyak hash algorithm. + */ +extern aead_hash_algorithm_t const xoodyak_hash_algorithm; + +/** + * \brief Encrypts and authenticates a packet with Xoodyak. + * + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * + * \return 0 on success, or a negative value if there was an error in + * the parameters. + * + * \sa xoodyak_aead_decrypt() + */ +int xoodyak_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Decrypts and authenticates a packet with Xoodyak. + * + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * + * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. + * + * \sa xoodyak_aead_encrypt() + */ +int xoodyak_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); + +/** + * \brief Hashes a block of input data with Xoodyak to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * XOODYAK_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int xoodyak_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + +/** + * \brief Initializes the state for a Xoodyak hashing operation. + * + * \param state Hash state to be initialized. + * + * \sa xoodyak_hash_absorb(), xoodyak_hash_squeeze(), xoodyak_hash() + */ +void xoodyak_hash_init(xoodyak_hash_state_t *state); + +/** + * \brief Aborbs more input data into a Xoodyak hashing state. + * + * \param state Hash state to be updated. + * \param in Points to the input data to be absorbed into the state. + * \param inlen Length of the input data to be absorbed into the state. + * + * \sa xoodyak_hash_init(), xoodyak_hash_squeeze() + */ +void xoodyak_hash_absorb + (xoodyak_hash_state_t *state, const unsigned char *in, + unsigned long long inlen); + +/** + * \brief Squeezes output data from a Xoodyak hashing state. + * + * \param state Hash state to squeeze the output data from. + * \param out Points to the output buffer to receive the squeezed data. + * \param outlen Number of bytes of data to squeeze out of the state. + * + * \sa xoodyak_hash_init(), xoodyak_hash_absorb() + */ +void xoodyak_hash_squeeze + (xoodyak_hash_state_t *state, unsigned char *out, + unsigned long long outlen); + +/** + * \brief Returns the final hash value from a Xoodyak hashing operation. + * + * \param state Hash state to be finalized. + * \param out Points to the output buffer to receive the hash value. + * + * \note This is a wrapper around xoodyak_hash_squeeze() for a fixed length + * of XOODYAK_HASH_SIZE bytes. + * + * \sa xoodyak_hash_init(), xoodyak_hash_absorb() + */ +void xoodyak_hash_finalize + (xoodyak_hash_state_t *state, unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#endif -- libgit2 0.26.0